curl-library
Re: CURLOPT_SSL_VERIFYHOST won't fail unless CURLOPT_SSL_VERIFYPEER is enabled
From: Daniel Stenberg <daniel_at_haxx.se>
Date: Wed, 9 Jul 2008 09:20:03 +0200 (CEST)
On Tue, 8 Jul 2008, Jef Gearhart wrote:
> Maybe this was intentional? If I try to use CURLOPT_SSL_VERIFYHOST (set to
> 2), but disable CURLOPT_SSL_VERIFYPEER, the connection succeeds, even though
> the Common name doesn't match the host name I connected to.
>
> I can see clearly in the code why this is so, but before I elaborate on
> that.. Is this intentional?
No, I don't think it is intentional.
Of course Arnaud's point is still valid: it is still entirely insecure.
Without verifying the certificate, the name part check really adds nothing.
-- 
 / daniel.haxx.se
Received on 2008-07-09