curl-library

Re: CURLOPT_SSL_VERIFYHOST won't fail unless CURLOPT_SSL_VERIFYPEER is enabled

From: Arnaud Ebalard <arno_at_natisbad.org>
Date: Tue, 08 Jul 2008 20:39:28 +0200

Hi,

Jef Gearhart <jef_at_tpssys.com> writes:

> Maybe this was intentional? If I try to use CURLOPT_SSL_VERIFYHOST
> (set to 2), but disable CURLOPT_SSL_VERIFYPEER, the connection
> succeeds, even though the Common name doesn't match the host name I
> connected to.
>
> I can see clearly in the code why this is so, but before I elaborate
> on that.. Is this intentional?

I think it is not (even if setting the former while unsetting the latter
seems pointless from a security standpoint).

During tests involving libcurl-gnutls, I had the expected behavior
(IIRC). Are you using the libssl-based version?

Cheers,

a+

Received on 2008-07-08