unverified HTTPS: don't set CURLOPT_SSL_VERIFYHOST=0

[StefanKarpinski]

In https://curl.se/libcurl/c/CURLOPT_SSL_VERIFYHOST.html under "Limitations", it is documented that when CURLOPT_SSL_VERIFYHOST is set to zero this also turns off SNI (Server Name Indication):

Secure Transport: If verify value is 0, then SNI is also disabled. SNI is a TLS extension that sends the hostname to the server. The server may use that information to do such things as sending back a specific certificate for the hostname, or forwarding the request to a specific origin server. Some hostnames may be inaccessible if SNI is not sent.

Since SNI is required to make requests to some HTTPS servers, disabling SNI can break things. This change leaves host verification on and only turns peer verification off (i.e. CA chain checking). I have yet to find an example where turning host verification off is necessary.

[codecov-commenter]

Codecov Report

Merging #114 (86e52d7) into master (db1d8d5) will decrease coverage by 0.02%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##           master     #114      +/-   ##
==========================================
- Coverage   93.00%   92.97%   -0.03%     
==========================================
  Files           5        5              
  Lines         486      484       -2     
==========================================
- Hits          452      450       -2     
  Misses         34       34              

Impacted Files	Coverage Δ
src/Curl/Easy.jl	94.09% <ø> (-0.06%)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update db1d8d5...86e52d7. Read the comment docs.

[StefanKarpinski]

It seems that I can only trigger the lack-of-SNI failure (which this PR fixes) on macOS + Julia ≥ 1.6, which seems a little strange — I would expect this to be a problem everywhere or nowhere. @vdayanand, did you only encounter this issue on macOS or were you also able to trigger it on Linux/Windows?

[vdayanand]

I can't reproduce this on linux. Looks like the difference here is the TLS library that is being used. Maybe we should try using LibreSSL like system curl?

Downloads.Curl version (Linux): libcurl/7.73.0 mbedTLS/2.24.0 zlib/1.2.11 libssh2/1.9.0 nghttp2/1.41.0
Downloads.Curl version (MacOS): libcurl/7.73.0 SecureTransport zlib/1.2.11 libssh2/1.9.0 nghttp2/1.41.0
System.Curl (MacOS): libcurl/7.64.1 (SecureTransport) LibreSSL/2.8.3 zlib/1.2.11 nghttp2/1.39.2

[StefanKarpinski]

It seems ok to apply this patch and stop setting VERIFYHOST to zero. I can't find any actual example cases where this causes an insecure connection to be rejected. I think the server needs to be presenting a certificate for the wrong host entirely for this option to be required, but even with this patch, you can still connect to https://wrong.host.badssl.com which is, as I understand it supposed to be presenting a certificate for the wrong host. But maybe it's not wrong enough: it seems to be presenting a certificate for *.badssl.com which is maybe supposed to be rejected because the wildcard shouldn't apply to two levels of subdomain? I can't find an example of an HTTPS server that presents a certificate for the entirely wrong domain to see if that works.

[mkitti]

In testing a conda-forge build of Julia 1.6.2 / Downloads.jl 1.4.1, it seems that libcurl 7.78.0 built with openssl 1.1.1k rather than mbedTLS throws an error when CURLOPT_SSL_VERIFYHOST is not set to 0. The error raised is

SSL: no alternative certificate subject name matches target host name 'wrong.host.badssl.com'

Further details can be found here:
conda-forge/julia-feedstock#119 (comment)

[StefanKarpinski]

Well, that makes sense as I would expect that test to fail with this option unset and was a little puzzled why it didn't fail. It seems like this is a build error when using MbedTLS and the OpenSSL behavior is correct.