curl-library
Re: curl bad verify SSL certificates (fwd)
Date: Mon, 19 Aug 2002 07:11:35 +0200 (MET DST)
On Sun, 18 Aug 2002, Tom Zerucha wrote:
> > What kind of warning are you referring to that curl should display? When
> > we're running SSL without verifying the remote's certificate, how can we
> > warn and for what?
>
> The callback should not simply return 'ok', in fact it should return the
> opposite unless it properly validates the certificate chain or is
> explicitly overridden (or, more properly, has a correct certificate
> installed in the openssl certs directory).
That's because you don't use curl with the --cacert or --capath options.
Without those, it really can't verify that peer's cert. And it doesn't
attempt to do so either. *With* those arguments, you are right that it
shouldn't allow any operation unless the remote cert turns out to be correct.
> Solution: Rewrite the certificate verify callback to actually check the
> certificate chain properly. Don't connect without an override.
So, this is what happens when you use the above mentioned options. In
libcurl, those options are named CURLOPT_CAINFO and CURLOPT_CAPATH.
-- Daniel Stenberg -- curl related mails on curl related mailing lists please
Received on 2002-08-19