mbedTLS backend should use CURLOPT_SSL_VERIFYHOST to control CN checking #3376
Comments
Previously, VERIFYPEER would enable/disable all checks. Fixes #3376
@rosenqui can you check if my fix works for you?
I should have time to try it out later today. Thanks for the quick fix!
Fix looks good - I commented in #3382
This looks to be the simplest solution - same code as before with a check of
Turn off the
Thanks, like #3390?
operating system
All platforms for mbedTLS
curl/libcurl version
All versions
The certificate validation code for the mbedTLS backend should look at the CURLOPT_SSL_VERIFYHOST option via SSL_CONN_CONFIG(verifyhost) to control if CN checking is done as part of server certification validation.
As it stands now, it's impossible to validate the certificate but omit the hostname checks when using the mbedTLS backend. This is possible with other backends like OpenSSL.
https://github.com/curl/curl/blob/master/lib/vtls/mbedtls.c#L586
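
The behaviour requested in this issue, as an added example that is not curl's or mbedTLS's own code: a model of the accept/reject decision, comparing VERIFYPEER gating every check with VERIFYHOST gating only the name check. The EX_* bits and both function names are constructed for this example; EX_CN_MISMATCH stands in for mbedTLS's MBEDTLS_X509_BADCERT_CN_MISMATCH result flag, and treating the two options as fully independent is an assumption.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed verification-result bits for this example. EX_CN_MISMATCH
 * plays the role of mbedTLS's MBEDTLS_X509_BADCERT_CN_MISMATCH flag. */
#define EX_EXPIRED      0x01u
#define EX_CN_MISMATCH  0x04u
#define EX_NOT_TRUSTED  0x08u

/* Behaviour the issue reports: verifypeer alone decides; verifyhost is
 * never consulted, so a name mismatch cannot be ignored on its own. */
static bool accept_peer_only(unsigned flags, bool verifypeer, bool verifyhost)
{
  (void)verifyhost;
  return !verifypeer || flags == 0;
}

/* Requested behaviour: verifyhost gates the name-mismatch bit, verifypeer
 * gates every other chain-validation failure. */
static bool accept_split(unsigned flags, bool verifypeer, bool verifyhost)
{
  unsigned host_err  = flags & EX_CN_MISMATCH;
  unsigned chain_err = flags & ~EX_CN_MISMATCH;

  if(verifyhost && host_err)
    return false;
  if(verifypeer && chain_err)
    return false;
  return true;
}

int main(void)
{
  /* Constructed case: trusted chain, but the certificate name differs. */
  unsigned flags = EX_CN_MISMATCH;

  printf("peer-only, verifypeer=1 verifyhost=0: %s\n",
         accept_peer_only(flags, true, false) ? "accept" : "reject");
  printf("split,     verifypeer=1 verifyhost=0: %s\n",
         accept_split(flags, true, false) ? "accept" : "reject");
  /* Chain failures must still reject when only the name check is off. */
  printf("split,     untrusted, verifyhost=0:   %s\n",
         accept_split(flags | EX_NOT_TRUSTED, true, false) ? "accept"
                                                           : "reject");
  return 0;
}
```

With the name check turned off, the chain is still validated, so an expired or untrusted certificate is rejected either way.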