curl-library

Re: those SSL certificates

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Thu, 22 Aug 2002 16:11:24 +0200 (MET DST)

On Wed, 21 Aug 2002, Nick Gimbrone wrote:

> These folks are just as much at risk as a "curl user". I think it is
> important to remember that not all users of packages such as these are
> programmers (or even very technically savvy). As such, the proper approach
> seems to be more one as outlined in earlier notes (Cris's?) I read here,
> specifically to produce errors and fail the request when the ssl certs'
> validity cannot be established.

That's why I wrote that part about keeping our users in mind. I just don't
want the tool curl to change behavior in such a drastic way.

I could however imagine a new option to libcurl in a style like
CURLOPT_SSL_UNSAFE that needs to be set TRUE to allow connects to HTTPS sites
without using CA certificates.

The tool curl would then set CURLOPT_SSL_UNSAFE to TRUE by default (and show
the warning text as discussed), and those who author bindings for libcurl
would have to do the same to allow this kind of stunt.

Any libcurl binding people around with opinions on this approach?

-- 
 Daniel Stenberg -- curl related mails on curl related mailing lists please
Received on 2002-08-22