unverified HTTPS: don't set CURLOPT_SSL_VERIFYHOST=0
In https://curl.se/libcurl/c/CURLOPT_SSL_VERIFYHOST.html under
"Limitations", it is documented that when `CURLOPT_SSL_VERIFYHOST` is
set to zero this also turns off SNI (Server Name Indication):

> Secure Transport: If verify value is 0, then SNI is also disabled. SNI
> is a TLS extension that sends the hostname to the server. The server
> may use that information to do such things as sending back a specific
> certificate for the hostname, or forwarding the request to a specific
> origin server. Some hostnames may be inaccessible if SNI is not sent.

Since SNI is required to make requests to some HTTPS servers, disabling
SNI can break things. This change leaves host verification on and only
turns peer verification off (i.e. CA chain checking). I have yet to find
an example where turning host verification off is necessary.

Closes #113.
StefanKarpinski committed Apr 20, 2021
1 parent 7b774c1 commit f0e0c67
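As an added example (not code from Downloads.jl or from this commit): the weak setting the commit removes beside the corrected one, expressed as `easy_hook`s on a `Downloader`. The names `peer_unverified_downloader`, `fully_unverified_downloader` and `probe` are hypothetical helpers introduced here; the `Downloader`, `easy_hook`, `Curl.setopt` and `request(...; throw=false)` calls are the same ones the commit's test uses.

```julia
# Added example, not part of Downloads.jl: relaxing TLS checking on a
# Downloads.Downloader two ways, side by side.
using Downloads
using Downloads: Curl, Downloader, Response, RequestError, request

# Corrected form, matching this commit: turn off only the CA-chain check
# (CURLOPT_SSL_VERIFYPEER) and leave CURLOPT_SSL_VERIFYHOST at libcurl's
# default of 2, so the hostname check stays on and SNI is still sent.
function peer_unverified_downloader()
    d = Downloader()
    d.easy_hook = (easy, info) -> begin
        Curl.setopt(easy, Curl.CURLOPT_SSL_VERIFYPEER, 0)
        # CURLOPT_SSL_VERIFYHOST deliberately untouched (stays at 2)
    end
    return d
end

# Weak form, the behaviour this commit removes: both checks off. Besides
# accepting a trusted certificate for any hostname, on backends where
# VERIFYHOST=0 also suppresses SNI this cannot reach servers that need it.
function fully_unverified_downloader()
    d = Downloader()
    d.easy_hook = (easy, info) -> begin
        Curl.setopt(easy, Curl.CURLOPT_SSL_VERIFYPEER, 0)
        Curl.setopt(easy, Curl.CURLOPT_SSL_VERIFYHOST, 0)
    end
    return d
end

# Hypothetical helper: summarise a request's outcome without throwing.
# Returns (:ok, http_status) on success or (:error, curl_code) on failure.
function probe(url::AbstractString, d::Downloader)
    resp = request(url; throw=false, downloader=d)
    return resp isa Response ? (:ok, resp.status) : (:error, resp.code)
end

# Usage (needs network; same SNI-requiring host as the commit's test):
# probe("https://juliahub.com", peer_unverified_downloader())
# probe("https://juliahub.com", fully_unverified_downloader())
```

Against the host used in the commit's testset, that test expects the first `probe` call to succeed with HTTP 200 and the second to fail with `Curl.CURLE_SSL_CONNECT_ERROR`. Note that `peer_unverified_downloader` still accepts a certificate chain that does not validate, so it is only appropriate where CA trust is established some other way (for example certificate pinning), never as a default.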
Showing 2 changed files with 22 additions and 1 deletion.
1 change: 0 additions & 1 deletion src/Curl/Easy.jl
Expand Up @@ -76,7 +76,6 @@ set_url(easy::Easy, url::AbstractString) = set_url(easy, String(url))

function set_ssl_verify(easy::Easy, verify::Bool)
setopt(easy, CURLOPT_SSL_VERIFYPEER, verify)
setopt(easy, CURLOPT_SSL_VERIFYHOST, verify*2)
end

function set_ssh_verify(easy::Easy, verify::Bool)
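Review bot: after dropping the `CURLOPT_SSL_VERIFYHOST` line, `set_ssl_verify(easy, verify::Bool)` still reads as if it toggles all TLS verification but now only sets `CURLOPT_SSL_VERIFYPEER`, and nothing in the function records why. Add a comment or docstring on `set_ssl_verify` stating that `CURLOPT_SSL_VERIFYHOST` is intentionally left at libcurl's default (2) so that hostname checking and SNI stay enabled; without it the removed `setopt(easy, CURLOPT_SSL_VERIFYHOST, verify*2)` is likely to be reintroduced by someone reading the function name.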
22 changes: 22 additions & 0 deletions test/runtests.jl
Expand Up @@ -453,6 +453,28 @@ include("setup.jl")
delete!(ENV, "JULIA_SSL_NO_VERIFY_HOSTS")
end

@testset "unverified request with SNI required" begin
url = "https://juliahub.com" # anything served by CloudFront
# secure verified host request
resp = request(url, throw=false, downloader=Downloader())
@test resp isa Response
@test resp.status == 200
# insecure unverified host request
ENV["JULIA_SSL_NO_VERIFY_HOSTS"] = "**"
resp = request(url, throw=false, downloader=Downloader())
@test resp isa Response
@test resp.status == 200
# also set CURLOPT_SSL_VERIFYHOST to zero
# expected to fail since CloudFront requires SNI
# and setting this to zero disables SNI
downloader = Downloads.Downloader()
downloader.easy_hook = (easy, info) ->
Curl.setopt(easy, Curl.CURLOPT_SSL_VERIFYHOST, 0)
resp = request(url, throw=false, downloader=downloader)
@test resp isa RequestError
@test resp.code == Curl.CURLE_SSL_CONNECT_ERROR
end

if save_env !== nothing
ENV["JULIA_SSL_NO_VERIFY_HOSTS"] = save_env
else
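Review bot: the new testset depends on a live third-party endpoint (`https://juliahub.com`, described in the comment as "anything served by CloudFront") and asserts a specific failure code, `@test resp.code == Curl.CURLE_SSL_CONNECT_ERROR`, for the `CURLOPT_SSL_VERIFYHOST = 0` case. The libcurl documentation quoted in the commit message lists the SNI-disabling side effect under "Secure Transport", so the expected failure, and the exact curl error code it produces, is tied to the TLS backend and to how CloudFront happens to treat SNI-less connections today. Consider skipping the testset when there is no network, and either relaxing the last assertion to `@test resp isa RequestError` or stating in the comment that the `CURLE_SSL_CONNECT_ERROR` expectation is backend-specific, so a backend or CDN change does not show up as an unexplained test failure.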
