curl-library

Re: CURLOPT_SSL_VERIFYHOST won't fail unless CURLOPT_SSL_VERIFYPEER is enabled

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Wed, 9 Jul 2008 09:20:03 +0200 (CEST)

On Tue, 8 Jul 2008, Jef Gearhart wrote:

> Maybe this was intentional? If I try to use CURLOPT_SSL_VERIFYHOST (set to
> 2), but disable CURLOPT_SSL_VERIFYPEER, the connection succeeds, even though
> the Common name doesn't match the host name I connected to.
>
> I can see clearly in the code why this is so, but before I elaborate on
> that.. Is this intentional?

No, I don't think it is intentional.

Of course Arnaud's point is still valid: it is still entirely insecure.
Without verifying the certificate, the name part check really adds nothing.

-- 
  / daniel.haxx.se
Received on 2008-07-09
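
Added example (not part of the original mail and not curl project code): a small source audit that flags C code disabling CURLOPT_SSL_VERIFYPEER while still setting CURLOPT_SSL_VERIFYHOST, the combination discussed above in which the name check runs against a certificate nobody verified. The sample C source, the finding labels and the function name `audit` are constructed for illustration; options a handle never sets are assumed to keep libcurl's secure defaults.

```python
import re

# curl_easy_setopt(handle, CURLOPT_SSL_VERIFYPEER|VERIFYHOST, [(long)]value)
SETOPT = re.compile(
    r"curl_easy_setopt\s*\(\s*(\w+)\s*,\s*CURLOPT_SSL_(VERIFYPEER|VERIFYHOST)"
    r"\s*,\s*(?:\(\s*long\s*\)\s*)?(\w+)\s*\)"
)
OFF = {"0", "0L", "0l", "FALSE", "false"}

# Constructed sample input: three handles with different TLS settings.
SAMPLE = """\
CURL *a = curl_easy_init();
curl_easy_setopt(a, CURLOPT_SSL_VERIFYPEER, 0L);
curl_easy_setopt(a, CURLOPT_SSL_VERIFYHOST, 2L);
CURL *b = curl_easy_init();
curl_easy_setopt(b, CURLOPT_SSL_VERIFYPEER, 1L);
curl_easy_setopt(b, CURLOPT_SSL_VERIFYHOST, 2L);
CURL *c = curl_easy_init();
curl_easy_setopt(c, CURLOPT_SSL_VERIFYHOST, (long)0);
"""

def audit(source):
    """Return (handle, line, finding) for handles whose last-seen settings are unsafe."""
    state = {}  # handle -> {option: (value, line number)}; later calls overwrite earlier
    for lineno, line in enumerate(source.splitlines(), 1):
        for handle, opt, value in SETOPT.findall(line):
            state.setdefault(handle, {})[opt] = (value, lineno)

    findings = []
    for handle, opts in state.items():
        peer = opts.get("VERIFYPEER")
        host = opts.get("VERIFYHOST")
        peer_off = peer is not None and peer[0] in OFF
        host_off = host is not None and host[0] in OFF
        if peer_off and host is not None and not host_off:
            # Hostname is matched against a certificate that was never validated.
            findings.append((handle, peer[1], "hostname-check-on-unverified-cert"))
        elif peer_off:
            findings.append((handle, peer[1], "peer-verification-disabled"))
        elif host_off:
            findings.append((handle, host[1], "hostname-check-disabled"))
    return findings

if __name__ == "__main__":
    for handle, lineno, finding in audit(SAMPLE):
        print(f"line {lineno}: handle '{handle}': {finding}")
```

The scan is line-based and tracks handles by variable name only, so settings applied through wrappers or macros are not seen.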