Commit da82f59b authored by Daniel Stenberg's avatar Daniel Stenberg
Browse files

CURLOPT_SSL_VERIFYHOST: stop supporting the 1 value 

After a research team wrote a document[1] that found several live source
codes out there in the wild that misused the CURLOPT_SSL_VERIFYHOST
option thinking it was a boolean, this change now bans 1 as a value and
will make libcurl return error for it.

1 was never a sensible value to use in production but was introduced
back in the days to help debugging. It was always documented clearly
this way.

1 was never supported by all SSL backends in libcurl, so this cleanup
makes the treatment of it unified.

The report's list of mistakes for this option were all PHP code and
while there's a binding layer between libcurl and PHP, the PHP team has
decided that they have an as thin layer as possible on top of libcurl so
they will not alter or specifically filter a 'TRUE' value for this
particular option. I sympathize with that position.

[1] = http://daniel.haxx.se/blog/2012/10/25/libcurl-claimed-to-be-dangerous/
parent ab1f8020

docs/libcurl/curl_easy_setopt.3

+3 −2
Original line number Diff line number Diff line
@@ -2323,8 +2323,9 @@ Curl considers the server the intended one when the Common Name field or a 
Subject Alternate Name field in the certificate matches the host name in the

URL to which you told Curl to connect.



When the value is 1, the certificate must contain a Common Name field, but it

doesn't matter what name it says.  (This is not ordinarily a useful setting).

When the value is 1, libcurl will return a failure. It was previously (in

7.28.0 and earlier) a debug option of some sorts, but it is no longer

supported due to frequently leading to programmer mistakes.



When the value is 0, the connection succeeds regardless of the names in the

certificate.

lib/curl_darwinssl.c

+1 −2
Original line number Diff line number Diff line
@@ -632,7 +632,6 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, 
  struct SessionHandle *data = conn->data;

  curl_socket_t sockfd = conn->sock[sockindex];

  struct ssl_connect_data *connssl = &conn->ssl[sockindex];

  bool sni = true;

#ifdef ENABLE_IPV6

  struct in6_addr addr;

#else
@@ -809,7 +808,7 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, 
#ifdef ENABLE_IPV6

     (0 == Curl_inet_pton(AF_INET6, conn->host.name, &addr)) &&

#endif

     sni) {

     data->set.ssl.verifyhost) {

    err = SSLSetPeerDomainName(connssl->ssl_ctx, conn->host.name,

                               strlen(conn->host.name));

    if(err != noErr) {

lib/curl_schannel.c

+2 −5
Original line number Diff line number Diff line
@@ -160,7 +160,7 @@ schannel_connect_step1(struct connectdata *conn, int sockindex) 
#ifdef ENABLE_IPV6

       Curl_inet_pton(AF_INET6, conn->host.name, &addr6) ||

#endif

       data->set.ssl.verifyhost < 2) {

       !data->set.ssl.verifyhost) {

      schannel_cred.dwFlags |= SCH_CRED_NO_SERVERNAME_CHECK;

      infof(data, "schannel: using IP address, disable SNI servername "

            "check\n");
@@ -1238,10 +1238,7 @@ static CURLcode verify_certificate(struct connectdata *conn, int sockindex) 
  }



  if(result == CURLE_OK) {

    if(data->set.ssl.verifyhost == 1) {

      infof(data, "warning: ignoring unsupported value (1) ssl.verifyhost\n");

    }

    else if(data->set.ssl.verifyhost == 2) {

    if(data->set.ssl.verifyhost) {

      TCHAR cert_hostname_buff[128];

      xcharp_u hostname;

      xcharp_u cert_hostname;

lib/gtls.c

+1 −1
Original line number Diff line number Diff line
@@ -681,7 +681,7 @@ gtls_connect_step3(struct connectdata *conn, 
  rc = gnutls_x509_crt_check_hostname(x509_cert, conn->host.name);



  if(!rc) {

    if(data->set.ssl.verifyhost > 1) {

    if(data->set.ssl.verifyhost) {

      failf(data, "SSL: certificate subject name (%s) does not match "

            "target host name '%s'", certbuf, conn->host.dispname);

      gnutls_x509_crt_deinit(x509_cert);

lib/nss.c

+0 −2
Original line number Diff line number Diff line
@@ -1316,8 +1316,6 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) 


  if(!data->set.ssl.verifypeer && data->set.ssl.verifyhost)

    infof(data, "warning: ignoring value of ssl.verifyhost\n");

  else if(data->set.ssl.verifyhost == 1)

    infof(data, "warning: ignoring unsupported value (1) of ssl.verifyhost\n");



  /* bypass the default SSL_AuthCertificate() hook in case we do not want to

   * verify peer */