unverified HTTPS: don't set CURLOPT_SSL_VERIFYHOST=0

In https://curl.se/libcurl/c/CURLOPT_SSL_VERIFYHOST.html under
"Limitations", it is documented that when `CURLOPT_SSL_VERIFYHOST` is
set to zero this also turns off SNI (Server Name Indication):

> Secure Transport: If verify value is 0, then SNI is also disabled. SNI
> is a TLS extension that sends the hostname to the server. The server
> may use that information to do such things as sending back a specific
> certificate for the hostname, or forwarding the request to a specific
> origin server. Some hostnames may be inaccessible if SNI is not sent.

Since SNI is required to make requests to some HTTPS servers, disabling
SNI can break things. This change leaves host verification on and only
turns peer verification off (i.e. CA chain checking). I have yet to find
an example where turning host verification off is necessary.

Closes #113.

(cherry picked from commit 86e52d7)

Author: StefanKarpinski

src/Curl/Easy.jl

@@ -73,7 +73,6 @@ set_url(easy::Easy, url::AbstractString) = set_url(easy, String(url))
 
 function set_ssl_verify(easy::Easy, verify::Bool)
     setopt(easy, CURLOPT_SSL_VERIFYPEER, verify)
-    setopt(easy, CURLOPT_SSL_VERIFYHOST, verify*2)
 end
 
 function set_ssh_verify(easy::Easy, verify::Bool)

test/runtests.jl

@@ -410,6 +410,19 @@ include("setup.jl")
         delete!(ENV, "JULIA_SSL_NO_VERIFY_HOSTS")
     end
 
+    @testset "SNI required" begin
+        url = "https://juliahub.com" # anything served by CloudFront
+        # secure verified host request
+        resp = request(url, throw=false, downloader=Downloader())
+        @test resp isa Response
+        @test resp.status == 200
+        # insecure unverified host request
+        ENV["JULIA_SSL_NO_VERIFY_HOSTS"] = "**"
+        resp = request(url, throw=false, downloader=Downloader())
+        @test resp isa Response
+        @test resp.status == 200
+    end
+
     if save_env !== nothing
         ENV["JULIA_SSL_NO_VERIFY_HOSTS"] = save_env
     else