projects / platform / upstream / curl.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 18c0e9b) | patch
SSL: Several SSL-backend related fixes
authorOscar Koeroo <okoeroo@gmail.com>
Sat, 3 Nov 2012 01:06:51 +0000 (02:06 +0100)
committerDaniel Stenberg <daniel@haxx.se>
Thu, 8 Nov 2012 21:23:12 +0000 (22:23 +0100)
commit1394cad30fcac7eb21adb9158dfcfab10e9f53d4
treea4c89ce32f9f5fb1da8c69e1b44ba6005d6b2a96tree | snapshot
parent18c0e9bd71009792982dc6cf518427c13c8674a0commit | diff
SSL: Several SSL-backend related fixes

axTLS:

This will make the axTLS backend perform the RFC2818 checks, honoring
the VERIFYHOST setting similar to the OpenSSL backend.

Generic for OpenSSL and axTLS:

Move the hostcheck and cert_hostcheck functions from the lib/ssluse.c
files to make them genericly available for both the OpenSSL, axTLS and
other SSL backends. They are now in the new lib/hostcheck.c file.

CyaSSL:

CyaSSL now also has the RFC2818 checks enabled by default. There is a
limitation that the verifyhost can not be enabled exclusively on the
Subject CN field comparison. This SSL backend will thus behave like the
NSS and the GnuTLS (meaning: RFC2818 ok, or bust). In other words:
setting verifyhost to 0 or 1 will disable the Subject Alt Names checks
too.

Schannel:

Updated the schannel information messages: Split the IP address usage
message from the verifyhost setting and changed the message about
disabling SNI (Server Name Indication, used in HTTP virtual hosting)
into a message stating that the Subject Alternative Names checks are
being disabled when verifyhost is set to 0 or 1. As a side effect of
switching off the RFC2818 related servername checks with
SCH_CRED_NO_SERVERNAME_CHECK
(http://msdn.microsoft.com/en-us/library/aa923430.aspx) the SNI feature
is being disabled. This effect is not documented in MSDN, but Wireshark
output clearly shows the effect (details on the libcurl maillist).

PolarSSL:

Fix the prototype change in PolarSSL of ssl_set_session() and the move
of the peer_cert from the ssl_context to the ssl_session. Found this
change in the PolarSSL SVN between r1316 and r1317 where the
POLARSSL_VERSION_NUMBER was at 0x01010100. But to accommodate the Ubuntu
PolarSSL version 1.1.4 the check is to discriminate between lower then
PolarSSL version 1.2.0 and 1.2.0 and higher. Note: The PolarSSL SVN
trunk jumped from version 1.1.1 to 1.2.0.

Generic:

All the SSL backends are fixed and checked to work with the
ssl.verifyhost as a boolean, which is an internal API change.
lib/Makefile.inc diff | blob | history
lib/axtls.c diff | blob | history
lib/curl_darwinssl.c diff | blob | history
lib/curl_schannel.c diff | blob | history
lib/cyassl.c diff | blob | history
lib/hostcheck.c [new file with mode: 0644] blob
lib/hostcheck.h [new file with mode: 0644] blob
lib/polarssl.c diff | blob | history
lib/ssluse.c diff | blob | history
Domain: Network & Connectivity / Data Network;