[...]
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L);
curl_easy_setopt(curl, CURLOPT_CAINFO, "");
curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
[...]
(Note: this is very much BY DESIGN - I am well aware that this is insecure)
However, curl fails to connect to the server and the following is printed to stderr:
* Trying 2606:4700:20::ac43:49f3:443...
* Connected to tlsinspector.com (2606:4700:20::ac43:49f3) port 443 (#0)
* ALPN, offering http/1.1
* WARNING: disabling hostname validation also disables SNI.
* SSL peer handshake failed, the server most likely requires a client certificate to connect
* Closing connection 0
The server I am connecting to does not require a client certificate (https://tlsinspector.com)
Removing curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L); makes the problem go away; however, again, I want to disable host verification - specifically SNI.
For curl to connect to the server, and ignore any and all potential SSL verification errors
tiny-curl 7.72.2
iOS 14, configured with:
export CFLAGS='-arch arm64 -pipe -Os -gdwarf-2 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS14.3.sdk -I/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS14.3.sdk/usr/include -miphoneos-version-min=9.3 -fembed-bitcode'
export LDFLAGS='-arch arm64 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS14.3.sdk'
./configure --host=arm-apple-darwin --disable-shared --enable-static --with-darwinssl
- WARNING: disabling hostname validation also disables SNI.
Many servers host multiple websites (and therefore serve multiple certificates) and can only figure out which certificate to serve if SNI is enabled. In this case tlsinspector.com sends a failed handshake alert when SNI is omitted. The Secure Transport (DarwinSSL) backend disables SNI when hostname checking is disabled, see #998. To work around this you would have to build curl with a different SSL backend. For example, Apple includes BoringSSL now I think.
/cc @Lukasa @nickzman
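The point in the comment above is that "disable hostname verification" and "omit SNI" are two separate things that the Secure Transport backend ties together. As an added example (not from this issue or from the curl project), the following Python snippet drives a client handshake into memory BIOs, so nothing touches the network, and parses the resulting ClientHello to report whether a server_name extension is present. With OpenSSL-backed Python, turning off hostname checking (the analogue of CURLOPT_SSL_VERIFYHOST 0) does not remove SNI; only leaving out the server name does. The host name used is the one from the issue.

```python
import ssl


def client_hello_bytes(server_hostname):
    """Run the client side of a TLS handshake against memory BIOs and return the
    first flight (one TLS record holding the ClientHello). No network is used."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # analogue of CURLOPT_SSL_VERIFYHOST 0
    ctx.verify_mode = ssl.CERT_NONE   # analogue of CURLOPT_SSL_VERIFYPEER 0
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    sslobj = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        sslobj.do_handshake()
    except ssl.SSLWantReadError:
        pass                          # expected: no ServerHello is available yet
    return outgoing.read()


def sni_from_client_hello(data):
    """Return the host_name carried in the server_name extension (RFC 6066),
    or None when the ClientHello carries no SNI at all."""
    assert data[0] == 0x16, "not a TLS handshake record"
    rec_len = int.from_bytes(data[3:5], "big")
    hs = data[5:5 + rec_len]
    assert hs[0] == 0x01, "not a ClientHello"
    pos = 4 + 2 + 32                                    # hs header, version, random
    pos += 1 + hs[pos]                                  # session_id
    pos += 2 + int.from_bytes(hs[pos:pos + 2], "big")   # cipher_suites
    pos += 1 + hs[pos]                                  # compression_methods
    if pos >= len(hs):
        return None                                     # no extensions block
    ext_end = pos + 2 + int.from_bytes(hs[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= ext_end:
        ext_type = int.from_bytes(hs[pos:pos + 2], "big")
        ext_len = int.from_bytes(hs[pos + 2:pos + 4], "big")
        body = hs[pos + 4:pos + 4 + ext_len]
        if ext_type == 0:       # server_name: list_len(2) type(1) name_len(2) name
            name_len = int.from_bytes(body[3:5], "big")
            return body[5:5 + name_len].decode("ascii")
        pos += 4 + ext_len
    return None


if __name__ == "__main__":
    for host in ("tlsinspector.com", None):   # host name taken from the issue
        sni = sni_from_client_hello(client_hello_bytes(host))
        print(f"server_hostname={host!r}: SNI sent = {sni!r}")
```

The same parser can be pointed at a ClientHello captured from any client (curl included) to confirm whether SNI was actually on the wire, which is the quickest way to tell this failure mode apart from a genuine client-certificate requirement.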
@jay thank you!
Out of curiosity, is there a place where platform-specific differences such as this one are documented? I'm wondering what else DarwinSSL changes that I'm not aware of.
Unfortunately we don't have that collected wisdom in an easily accessible single place...
I could put it in KNOWN_BUGS I guess