Re: GIT_SSL_NO_VERIFY=1 over http doesn't ignore a different ip address for the signed certificate

On Thu, 21 Feb 2008, Anatoly Yakovenko wrote:

> $ GIT_SSL_NO_VERIFY=1 GIT_CURL_VERBOSE=1 git clone https://aeyakovenko@xxxxxxxxx/git
>
> I get this as an error:
>
> error: SSL: certificate subject name 'localhost' does not match target
> host name '127.0.0.1' (curl_result = 51, http_code = 0, sha1 =
> 4590de71622f1a90f906413fd7f63d5553cd5f93)

That's the very problem Mike Hommey's recent patch addresses. Verifying a peer's certificate is done with two different libcurl options:

* VERIFYPEER verifies the server's certificate against a local CA cert bundle

* VERIFYHOST verifies that the name in the server certificate matches the host
  you're talking to

For this particular case, you can in fact also make it work by making sure the server's certificate has the IP address as a "subjectAltName".
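
Added example, not part of the original message and not libcurl's or git's code: a simplified Python model of the two checks as independent switches, showing why a certificate naming only 'localhost' fails the name check for the target 127.0.0.1 while one carrying the IP as a subjectAltName passes. The function names, the `chain_trusted` stand-in for CA-bundle validation, and the sample certificates are assumptions made for illustration.

```python
import ipaddress

# Constructed sample certificates, in the dict shape ssl.SSLSocket.getpeercert() returns.
CN_ONLY = {"subject": ((("commonName", "localhost"),),)}
WITH_IP_SAN = {
    "subject": ((("commonName", "localhost"),),),
    "subjectAltName": (("DNS", "localhost"), ("IP Address", "127.0.0.1")),
}

def parse_ip(text):
    """Return an ip_address object, or None if text is not an IP literal."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def name_matches(cert, host):
    """Host-name check (the VERIFYHOST role). Simplified: no wildcard support."""
    sans = cert.get("subjectAltName", ())
    target_ip = parse_ip(host)
    if target_ip is not None:
        # In this model an IP target matches only an iPAddress entry,
        # never a DNS name or the commonName.
        return any(kind == "IP Address" and parse_ip(value) == target_ip
                   for kind, value in sans)
    names = [value for kind, value in sans if kind == "DNS"]
    if not names:
        # No DNS entries: fall back to the subject's commonName.
        names = [value for rdn in cert.get("subject", ())
                 for key, value in rdn if key == "commonName"]
    return host.lower() in (n.lower() for n in names)

def failed_checks(cert, host, chain_trusted, verify_peer=True, verify_host=True):
    """Return which of the two independent checks reject the connection.
    chain_trusted stands in for CA-bundle validation (the VERIFYPEER role)."""
    failures = []
    if verify_peer and not chain_trusted:
        failures.append("peer")
    if verify_host and not name_matches(cert, host):
        failures.append("host")
    return failures

if __name__ == "__main__":
    # Untrusted (e.g. self-signed) chain, peer check off, host check still on.
    print(failed_checks(CN_ONLY, "127.0.0.1", False, verify_peer=False))
    print(failed_checks(WITH_IP_SAN, "127.0.0.1", False, verify_peer=False))
```
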