curl-users

Re: Curl SSL question

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Thu, 25 Oct 2001 08:13:41 +0200 (MET DST)

On Wed, 24 Oct 2001, Faisal Zakaria Siddiqi wrote:

(I've taken the liberty of CC'ing my reply to the curl mailing list, please
post any follow-ups to the list as well.)

> I have a quick question. How does Curl handle certificates it gets from
> the https servers. The man page / feature list, gives the indication that
> it can handle server certificate verification (probably with extra
> command line option for the CA certs). But if I have self signed
> certificates and invoke curl without any extra options does it do any
> verification?

curl requires a specified file with CA certs to be able to properly verify a
server certificate.

I'm no SSL wizard, but shouldn't it be possible to have one (CA cert) for
self-signed certificates as well?

curl always does basic name checking, in the sense that the server's
certificate includes its common name. But when not using the --cacert option,
a failed verification is only displayed in the -v output, it does not prevent
further processing or anything.

For more details, check out lib/ssluse.c, it has them all!

-- 
    Daniel Stenberg -- curl groks URLs -- http://curl.haxx.se/
Received on 2001-10-25
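
The question raised in the reply above, whether a CA cert file can serve for a self-signed certificate, can be tried offline with the openssl command-line tool. This is an added example, not part of the original mail or of curl's source; it generates throwaway keys and uses the hypothetical names localhost, other.example and www.example. A cert.pem that passes here is the kind of PEM file one would pass to curl's --cacert option.

```shell
#!/bin/sh
# Added example: constructed throwaway keys and certificates only.

# Create a self-signed certificate for CN=$1 in directory $2
# (writes $2/key.pem and $2/cert.pem).
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -keyout "$2/key.pem" -out "$2/cert.pem" 2>/dev/null
}

# Verify certificate $1 against CA file $2, expecting host name $3.
# Prints "ok" when both the chain and the name check pass, else "fail".
check_cert() {
    if openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
    then
        echo ok
    else
        echo fail
    fi
}

# Run the three cases and print their results on one line.
demo() {
    dir=$(mktemp -d) || return 1
    mkdir "$dir/a" "$dir/b"
    make_selfsigned localhost "$dir/a"
    make_selfsigned other.example "$dir/b"

    # 1. The self-signed certificate used as its own CA file.
    r1=$(check_cert "$dir/a/cert.pem" "$dir/a/cert.pem" localhost)
    # 2. An unrelated CA file: the certificate has no trusted issuer.
    r2=$(check_cert "$dir/a/cert.pem" "$dir/b/cert.pem" localhost)
    # 3. Trusted, but the requested host name does not match the CN.
    r3=$(check_cert "$dir/a/cert.pem" "$dir/a/cert.pem" www.example)

    rm -rf "$dir"
    echo "$r1 $r2 $r3"
}

demo
```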