curl-library

Re: Does curl REALLY ignore CURLOPT_SSL_VERIFYPEER / CURLOPT_SSL_VERIFYHOST?

From: Johnny Luong <johnny_at_trustcommerce.com>
Date: Tue, 27 Nov 2007 10:22:00 -0800

You can find a more definitive answer in RFC 4346 section 7.4.2.
Basically in most cases, you're going to see a server certificate unless
the key exchange is anonymous (and I don't know of anybody that does the
setup the anonymous way).

-johnny

paranoid paranoia wrote:
> The following snippet in Curl_ossl_connect_step3 causes
> aborted connection attempts even when curl is rather clearly
> instructed to not bother checking the peer's certificate:
>
> ssluse.c: (lines 1638-1641 in 7.6.14, 1624-1628 in today's snapshot)
> //-----------------------------------------------------
> connssl->server_cert = SSL_get_peer_certificate(connssl->handle);
> if(!connssl->server_cert) {
>   failf(data, "SSL: couldn't get peer certificate!");
>   return CURLE_SSL_PEER_CERTIFICATE;
> }
> //-----------------------------------------------------
>
> This code is executed _no_matter_what_ even when
> CURLOPT_SSL_VERIFYPEER, CURLOPT_SSL_VERIFYHOST,
> and CURLOPT_CAINFO are *all* set to 0.
>
> WHY?!??
>
>

Received on 2007-11-27
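
As an added example (not from this thread or from curl's source), the C function below walks a captured server handshake flight and reports whether a Certificate message arrives before ServerHelloDone, which is the condition the reply ties to non-anonymous key exchange. The function name is hypothetical, the sample bytes are constructed with abbreviated message bodies, and it assumes each handshake message fits inside one record.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RFC 4346 values: record ContentType handshake(22); HandshakeType
   certificate(11) and server_hello_done(14). */
enum { REC_HANDSHAKE = 22, HS_CERTIFICATE = 11, HS_SERVER_HELLO_DONE = 14 };

/* Constructed sample flights (TLS 1.1, placeholder message bodies). */
static const uint8_t flight_with_cert[] = {
  22, 3, 2, 0, 17,            /* record header, 17 bytes follow */
  2, 0, 0, 2, 3, 2,           /* ServerHello (body abbreviated) */
  11, 0, 0, 3, 0, 0, 0,       /* Certificate (list abbreviated to empty) */
  14, 0, 0, 0 };              /* ServerHelloDone */
static const uint8_t flight_anon[] = {
  22, 3, 2, 0, 15,            /* record header, 15 bytes follow */
  2, 0, 0, 2, 3, 2,           /* ServerHello (body abbreviated) */
  12, 0, 0, 1, 0,             /* ServerKeyExchange (body abbreviated) */
  14, 0, 0, 0 };              /* ServerHelloDone, no Certificate sent */

/* 1: Certificate seen before ServerHelloDone; 0: ServerHelloDone reached
   without one; -1: truncated, malformed, or not a handshake record. */
int server_flight_has_certificate(const uint8_t *buf, size_t len)
{
  size_t pos = 0;
  while(len - pos >= 5) {
    if(buf[pos] != REC_HANDSHAKE) return -1;
    size_t rec_len = ((size_t)buf[pos + 3] << 8) | buf[pos + 4];
    pos += 5;
    if(rec_len > len - pos) return -1;          /* truncated record */
    size_t end = pos + rec_len;
    while(end - pos >= 4) {
      uint8_t type = buf[pos];
      size_t hs_len = ((size_t)buf[pos + 1] << 16) |
                      ((size_t)buf[pos + 2] << 8) | buf[pos + 3];
      pos += 4;
      if(hs_len > end - pos) return -1;         /* message overruns record */
      if(type == HS_CERTIFICATE) return 1;
      if(type == HS_SERVER_HELLO_DONE) return 0;
      pos += hs_len;
    }
    if(pos != end) return -1;                   /* stray bytes in record */
  }
  return -1;                                    /* flight never completed */
}

int main(void)
{
  printf("with cert: %d\n", server_flight_has_certificate(flight_with_cert, sizeof flight_with_cert));
  printf("anonymous: %d\n", server_flight_has_certificate(flight_anon, sizeof flight_anon));
  return 0;
}
```

A result of 0 on a real capture means the server completed its flight without a Certificate message, which is the case where the quoted `SSL_get_peer_certificate()` check would have nothing to return.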