Discussion:
How to disable SNI for https requests
Ram Subramanian via curl-users
2017-12-18 03:21:11 UTC
Hello,

I'm trying to make an https request to an IP address and it fails because
the common name of the certificate doesn't match the hostname. After some
googling I found that the --resolve option lets me specify the hostname for
that IP and pass this check.

My problem now - the host I make the request to then redirects me to
another host, by IP... and you guessed it, the SNI check now fails for the
second host.

I've tried to provide an additional --resolve option for the second host,
but that doesn't work, and expectedly so.

Seems to me the only way to handle this would be to disable SNI - is there
any way to do this with curl?


Thanks,
Ram
Ray Satiro via curl-users
2017-12-18 05:30:22 UTC
Post by Ram Subramanian via curl-users
> I'm trying to make an https request to an IP address and it fails
> because the common name of the certificate doesn't match the hostname.
> After some googling I found that the --resolve option lets me specify
> the hostname for that IP and pass this check.
>
> My problem now - the host I make the request to then redirects me to
> another host, by IP... and you guessed it, the SNI check now fails for
> the second host.
>
> I've tried to provide an additional --resolve option for the second
> host, but that doesn't work, and expectedly so.
>
> Seems to me the only way to handle this would be to disable SNI - is
> there any way to do this with curl?

What do you mean by SNI check fails?

Sometimes to access a server you have to send the hostname via SNI since
if that server is hosting multiple virtual servers it needs to know
which certificate to give you, and/or what origin server to possibly
connect to (the latter may also be done through the host header).

SNI is not sent for IP addresses, so if curl is following redirects
(-L,--location [1]) and it's given an IP address then no SNI is sent. Is
it possible what you are really looking to do is send the SNI with a
hostname of your choice? curl doesn't have a way to do that unless you
handle the redirects manually by using --write-out "%{redirect_url}" to
get the URL manually, instead of --location to retrieve it
automatically. Then you would rewrite the URL to use the hostname you want.

If I misunderstand this please give more information including your curl -V.


[1]: https://curl.haxx.se/docs/manpage.html#-L
[2]: https://curl.haxx.se/docs/manpage.html#-w
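
The manual redirect handling described in the reply above, as an added example that is not part of the thread and not code from the curl project. The function names, the `example.test` hostnames and the documentation-range addresses are assumptions; it handles one redirect hop to an IPv4 literal and assumes you already know the hostname the second server's certificate is issued for.

```shell
#!/bin/sh
# Added example: follow one redirect by hand so the second TLS handshake
# carries a hostname (and SNI) instead of a bare IP address.

# Print two lines for an https URL whose host is an IPv4 literal:
#   1. the URL with the IP replaced by NAME
#   2. the matching curl --resolve argument, NAME:PORT:IP
# Fails (status 1) for non-https URLs or hosts that are not IPv4 literals.
# The body is a subshell, so variables stay local and exit leaves only it.
rewrite_redirect() (
  url=$1 name=$2
  case $url in
    https://*) rest=${url#https://} ;;
    *) exit 1 ;;
  esac
  authority=${rest%%/*}            # host[:port]
  path=${rest#"$authority"}        # everything from the first "/" on
  ip=${authority%%:*}
  suffix=${authority#"$ip"}        # "" or ":port"
  port=${suffix#:}
  [ -n "$suffix" ] || port=443
  case $ip in
    ''|*[!0-9.]*|.*|*.|*..*|*.*.*.*.*) exit 1 ;;
    *.*.*.*) ;;
    *) exit 1 ;;
  esac
  case $port in ''|*[!0-9]*) exit 1 ;; esac
  printf 'https://%s%s%s\n%s:%s:%s\n' \
    "$name" "$suffix" "$path" "$name" "$port" "$ip"
)

# Request FIRST_URL without --location, read the redirect target from
# --write-out, then request it under NEXT_NAME. Certificate verification
# stays enabled for both requests (no -k/--insecure).
fetch_via_name() (
  first_url=$1 first_resolve=$2 next_name=$3
  target=$(curl -sS -o /dev/null -w '%{redirect_url}' \
    --resolve "$first_resolve" "$first_url") || exit 1
  [ -n "$target" ] || exit 1       # the server did not redirect
  out=$(rewrite_redirect "$target" "$next_name") || exit 1
  new_url=$(printf '%s\n' "$out" | sed -n 1p)
  new_resolve=$(printf '%s\n' "$out" | sed -n 2p)
  curl -sS --resolve "$new_resolve" "$new_url"
)

# Usage (constructed names and addresses):
#   fetch_via_name https://first.example.test/ \
#     first.example.test:443:203.0.113.5 second.example.test
```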


