author: Jay Satiro <raysatiro@yahoo.com> 2018-11-19 02:27:35 -0500
committer: Jay Satiro <raysatiro@yahoo.com> 2018-11-24 19:13:03 -0500
commit: 8494374279ad6260a6742762874009502444c1a8
tree: e44afc27026a69a95204cde71d50fef30cab8f3c /lib/vtls/schannel.h
parent: b88bf6e650a866330e5e6204e655bc4015c96a72
schannel: allow verifyhost independently of verifypeer

Prior to this change if the user disabled the verify peer check then no host check was done.

Empirical testing shows SCH_CRED_MANUAL_CRED_VALIDATION, which we use when peer verification is disabled, also disables hostname verification.

In Windows < 8 our manual host verification check (ie the check used when CA info is specified, or peer verification is disabled, or WinCE is the OS) for schannel continues to only check the first subject alternate name, and not all the names, since there is no easy way supported by the API. It looks possible to do just more work, and should be addressed separately.

Assisted-by: Daniel Stenberg
Reported-by: Martin Galvan
Fixes #3284
Closes #3285
Closes #xxxx
Diffstat (limited to 'lib/vtls/schannel.h')
-rw-r--r-- lib/vtls/schannel.h 1
1 files changed, 1 insertions, 0 deletions
diff --git a/lib/vtls/schannel.h b/lib/vtls/schannel.h
index ee8d7d47a..dfa67db25 100644
--- a/lib/vtls/schannel.h
+++ b/lib/vtls/schannel.h
@@ -53,6 +53,7 @@
extern const struct Curl_ssl Curl_ssl_schannel;
+CURLcode Curl_verify_host(struct connectdata *conn, int sockindex);
CURLcode Curl_verify_certificate(struct connectdata *conn, int sockindex);
/* structs to expose only in schannel.c and schannel_verify.c */
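Review bot: the added `Curl_verify_host` prototype has no comment saying when callers are expected to use it or what it actually checks, and that matters here because the commit message says the manual check on Windows < 8 compares only the first subject alternative name. A short comment above the declaration stating that this is the manual hostname check used when verifyhost is on (including when verifypeer is off), plus the first-SAN-only limitation, would keep a future caller from assuming full SAN matching. It is also worth confirming that the new declaration sits under the same preprocessor condition as `Curl_verify_certificate` next to it, which this hunk does not show, so that builds without the manual verification code do not get a declaration with no definition.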