Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use proper CURLOPT values for VERIFYHOST and VERIFYPEER #1695

Merged
merged 1 commit into from
Apr 10, 2020
Merged

Use proper CURLOPT values for VERIFYHOST and VERIFYPEER #1695

merged 1 commit into from
Apr 10, 2020

Conversation

DennisHeimbigner
Copy link
Collaborator

@DennisHeimbigner DennisHeimbigner commented Apr 10, 2020
edited by WardF
Loading

Two issues:

  1. As of libcurl 7.66, the semantics of CURLOPT_SSL_VERIFYHOST
    changed so that the non-zero values affects certificate processing.
  2. The current library was forcing the values of VERIFYPEER
    and VERIFYHOST to zero instead of leaving them to the default values.

Solution was first to leave the defaults in place for VERIFYPEER and VERIFYHOST
as long as they are not set in .ocrc/.dodsrc file.
Second, the value of HTTP.SSL.VERIFYPEER or HTTP.SSL.VERIFYHOST
as set in .ocrc/.dodrc is used to set the corresponding CURLOPT flags.
So for example, adding

HTTP.SSL.VERIFYHOST=2
will set the value of CURLOPT_SSL_VERIFYHOST to 2, the default.
Using
HTTP.SSL.VERIFYHOST=0
will set the value of CURLOPT_SSL_VERIFYHOST to 0, which disables it.
Similarly for VERIFYPEER.

Finally the semantics of HTTP.SSL.VALIDATE is now equivalent to

HTTP.SSL.VERIFYPEER=1
HTTP.SSL.VERIFYHOST=2

@DennisHeimbigner
Use proper CURLOPT values for VERIFYHOST and VERIFYPEER
313121a 
re: Unidata#1684
re: e-support VZL-904142

Two issues:
1. As of libcurl 7.66, the semantics of CURLOPT_SSL_VERIFYHOST
   changed so that the non-zero values affects certificate processing.
2. The current library was forcing the values of VERIFYPEER
   and VERIFYHOST to zero instead of leaving them to the default values.

Solution was first to leave the defaults in place for VERIFYPEER and VERIFYHOST
as long as they are not set in .ocrc/.dodsrc file.
Second, the value of HTTP.SSL.VERIFYPEER or HTTP.SSL.VERIFYHOST
as set in .ocrc/.dodrc is used to set the corresponding CURLOPT flags.
So for example, adding
> HTTP.SSL.VERIFYHOST=2
will set the value of CURLOPT_SSL_VERIFYHOST to 2, the default.
Using
> HTTP.SSL.VERIFYHOST=0
will set the value of CURLOPT_SSL_VERIFYHOST to 0, which disables it.
Similarly for VERIFYPEER.

Finally the semantics of HTTP.SSL.VALIDATE is now equivalent to
> HTTP.SSL.VERIFYPEER=1
> HTTP.SSL.VERIFYHOST=2
@DennisHeimbigner DennisHeimbigner requested a review from WardF as a code owner April 10, 2020 19:43
@WardF WardF self-assigned this Apr 10, 2020
@WardF WardF added this to the 4.8.0 milestone Apr 10, 2020
@WardF WardF merged commit 867f8b5 into Unidata:master Apr 10, 2020
@DennisHeimbigner DennisHeimbigner deleted the verifyhost.dmh branch May 12, 2020 20:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@WardF WardF WardF approved these changes

Assignees

@WardF WardF

Labels
area/DAP2 area/DAP4
Projects
None yet
Milestone
4.8.0
Development

Successfully merging this pull request may close these issues.

New semantics in CURL_SSL_VERIFYHOST
2 participants
@DennisHeimbigner @WardF