curl-users
Re: SSL_VERIFYPEER, SSL_VERIFYHOST
Date: Tue, 26 Apr 2005 09:45:16 +0200 (CEST)
On Tue, 26 Apr 2005, Bryan Henderson wrote:
> I'm trying to figure out how the subject options relate to each other. I
> found the following on the mailing list from 2003:
>
> VERIFYPEER is set to enable or disable peer certificate verify. If
> set to TRUE, you should also provide a cert path or dir using CAINFO
> or CAPATH.
>
> VERIFYHOST defines what kind of verify on the name in the peer
> certificate you want. The name in the cert is supposedly the same as
> the host name you're communicating to.
>
> Both these are documented in the curl_easy_setopt man page.
>
> And I read that man page before searching the list.
>
> I guess I don't understand SSL well enough to see what these do. First of
> all, I don't know any other meaning of verifying a peer certificate other
> than to verify that the certificate names the peer to which you intend to be
> talking. Is there some other kind of verification?
There are two verifications done:
VERIFYPEER means that the server's certificate is verified against the local
CA cert bundle, to make sure that the certificate is signed by a trusted
authority.
VERIFYHOST means that the name in the remote server's certificate (the commonName
field or a subjectAltName field) is compared against the host name curl
connects to, and makes sure that they are the same.
> VERIFYHOST=1 seems to be somewhat of a stretch of the term "verify". Is that
> right? How would VERIFYHOST=1 be useful?
I agree that it is a questionable value to use.
> If someone can make me understand this, I'll write some words for the man
> page that make it clear to people like me.
I'll appreciate that. Did this make anything better?
-- Commercial curl and libcurl Technical Support: http://haxx.se/curl.html
Received on 2005-04-26
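The two separate checks described in the reply above, as an added toy model that is not code from the list post or from curl itself: certificates are plain dicts, the constructed "signed_by" field stands in for the real signature check against the CA bundle, and the VERIFYHOST levels follow the curl documentation of that era (0 = no name check, 1 = a name must merely exist, 2 = the name must match; modern curl treats 1 the same as 2). Only exact, case-insensitive name matches are modelled; wildcard names are left out.

```python
# Added example (not from the curl-users post): a toy model of libcurl's two
# independent TLS checks, CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST.
# A certificate is a dict; "signed_by" is a constructed stand-in for the
# signature check a real client performs against CURLOPT_CAINFO/CAPATH.

# Constructed CA bundle: the issuers this client trusts.
CA_BUNDLE = {"Example Trusted CA"}


def verify_peer(cert, ca_bundle=CA_BUNDLE):
    """VERIFYPEER: is the certificate signed by an authority in the bundle?"""
    return cert.get("signed_by") in ca_bundle


def cert_names(cert):
    """Names the certificate claims: subjectAltName DNS entries if present,
    otherwise the commonName as a fallback."""
    sans = cert.get("subjectAltName", [])
    return sans if sans else [cert.get("commonName", "")]


def verify_host(cert, hostname, level=2):
    """VERIFYHOST: 0 = skip, 1 = some name must exist (assumption: historical
    curl semantics), 2 = a name must equal the host we connect to."""
    names = [n.lower() for n in cert_names(cert) if n]
    if level == 0:
        return True
    if level == 1:
        return bool(names)
    return hostname.lower() in names


def tls_ok(cert, hostname, verifypeer=True, verifyhost=2):
    """Both checks must pass; each can be disabled independently, as in curl."""
    return (not verifypeer or verify_peer(cert)) and verify_host(cert, hostname, verifyhost)


# Constructed certificates for the three interesting cases.
GOOD = {"commonName": "www.example.com",
        "subjectAltName": ["www.example.com", "example.com"],
        "signed_by": "Example Trusted CA"}
# Trusted CA, but issued for a different host: VERIFYPEER passes, VERIFYHOST=2 fails.
WRONG_NAME = {"commonName": "other.example.net", "signed_by": "Example Trusted CA"}
# Right name, but self-signed: VERIFYHOST passes, VERIFYPEER fails.
SELF_SIGNED = {"commonName": "www.example.com", "signed_by": "www.example.com"}

if __name__ == "__main__":
    for label, cert in (("good", GOOD), ("wrong name", WRONG_NAME), ("self-signed", SELF_SIGNED)):
        print(f"{label:12s} peer={verify_peer(cert)} host={verify_host(cert, 'www.example.com')}")
```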