curl-users list Archives

Re: ssl-pinning in libcurl

From: Nick Zitzmann <nick_at_chronosnet.com>
Date: Wed, 24 Jul 2013 13:00:14 -0600

(This is the list for discussions of curl. We ought to move this conversation to the curl-library mailing list; I'm responding to this list just in case you haven't subscribed to it. But follow-ups should go there.)

On Jul 24, 2013, at 7:51 AM, venkatesh perumalla <perumalla.venki_at_gmail.com> wrote:

> Hi,
>
> Does curl do the SSL pinning which can avoid a "man in the middle attack"?
> Does it do the strict validation, as explained in the link below?
> https://www.owasp.org/index.php/Pinning_Cheat_Sheet#OpenSSL

You can do this yourself, if you're using the OpenSSL back-end, by using the CURLOPT_SSL_CTX option and overriding the certificate verification callback. There isn't yet an option to let the library do this. If you'd like one, then consider writing a patch that does it for as many back-ends as possible.

> In the servercert function, does it do all the validations
> by setting CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER?

Yes, and they are turned on by default. I don't recommend you change those settings unless you really know what you're doing.

Nick Zitzmann
<http://www.chronosnet.com/>

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ: http://curl.haxx.se/docs/faq.html
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2013-07-24
