On Fri, Nov 30, 2007 at 01:25:25AM +0100, paranoid paranoia wrote:
> This doesn't change the fact that most people who
> set their cipher list to include only anonymous and/or
> pre-shared key combinations will be mighty surprised
> that curl insists on retrieving the peer's certificate,
> since these variants don't require/use any... but, that's
> their problem. If the "feature" is well-documented,
> there's hardly anything to complain about.

On the other hand, those people who accidentally set their cipher list to
include anonymous ciphers (or who have them set for them through some
nefarious means) will be might surprised to see that they've fallen victim
to a MITM attack because the server certificate that they've insisted be
verified by curl was not.

>>> Dan

-- 
http://www.MoveAnnouncer.com              The web change of address service
          Let webmasters know that your web site has moved