cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: Changing to HTTPS

From: Richard Atterer <richard_at_2005.atterer.net>
Date: Wed, 11 May 2005 17:07:19 +0200

On Wed, May 11, 2005 at 05:46:42PM +0300, ext-venkatesh.hosur_at_nokia.com wrote:
> ii. In the client code the CURL option, CURLOPT_SSL_VERIFYPEER will be set to ZERO.
>
> Its assumed that the Server which is being connected is
> trustworthy. Only thing thats needed is the secure communication.
> So, by just doing the above two changes in teh code can we get a
> secure communicaiton ?

No, the communication will not be secure, a man-in-the-middle attack is
possible. Set CURLOPT_SSL_VERIFYPEER!=0 and CURLOPT_CAINFO. Don't just
pretend to be secure, BE secure!

  Richard

-- 
  __   _
  |_) /|  Richard Atterer     |  GnuPG key:
  | \/|  http://atterer.net  |  0x888354F7
   '` 
Received on 2005-05-11