summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorJDepooter <joel.depooter@safe.com>2017-02-02 13:40:16 -0800
committerJay Satiro <raysatiro@yahoo.com>2017-03-02 02:42:15 -0500
commit0966ab5bd4ad547c74e1032899c87f7214bc5b73 (patch)
tree1c6baad52f45fd684d8aa43c0f148a99a10e13c0 /docs
parenta162d8b21b0becd1feabcc4a9d67f5ef03966d6a (diff)
downloadcurl-0966ab5bd4ad547c74e1032899c87f7214bc5b73.tar.gz
darwinssl: Warn that disabling host verify also disables SNI
In DarwinSSL the SSLSetPeerDomainName function is used to enable both sending SNI and verifying the host. When host verification is disabled the function cannot be called, therefore SNI is disabled as well. Closes https://github.com/curl/curl/pull/1240
Diffstat (limited to 'docs')
-rw-r--r--docs/libcurl/opts/CURLOPT_SSL_VERIFYHOST.313
1 files changed, 10 insertions, 3 deletions
diff --git a/docs/libcurl/opts/CURLOPT_SSL_VERIFYHOST.3 b/docs/libcurl/opts/CURLOPT_SSL_VERIFYHOST.3
index 159147327..acadd0774 100644
--- a/docs/libcurl/opts/CURLOPT_SSL_VERIFYHOST.3
+++ b/docs/libcurl/opts/CURLOPT_SSL_VERIFYHOST.3
@@ -58,9 +58,16 @@ The default value for this option is 2.
This option controls checking the server's certificate's claimed identity.
The server could be lying. To control lying, see
-\fICURLOPT_SSL_VERIFYPEER(3)\fP. If libcurl is built against NSS and
-\fICURLOPT_SSL_VERIFYPEER(3)\fP is zero, \fICURLOPT_SSL_VERIFYHOST(3)\fP is
-also set to zero and cannot be overridden.
+\fICURLOPT_SSL_VERIFYPEER(3)\fP.
+.SH LIMITATIONS
+DarwinSSL: If \fIverify\fP value is 0, then SNI is also disabled. SNI is a TLS
+extension that sends the hostname to the server. The server may use that
+information to do such things as sending back a specific certificate for the
+hostname, or forwarding the request to a specific origin server. Some hostnames
+may be inaccessible if SNI is not sent.
+
+NSS: If \fICURLOPT_SSL_VERIFYPEER(3)\fP is zero,
+\fICURLOPT_SSL_VERIFYHOST(3)\fP is also set to zero and cannot be overridden.
.SH DEFAULT
2
.SH PROTOCOLS