curl-library
Re: CURLOPT_SSL_VERIFYHOST won't fail unless CURLOPT_SSL_VERIFYPEER is enabled
Date: Wed, 09 Jul 2008 10:06:39 +0200
Hi,
Daniel Stenberg <daniel_at_haxx.se> writes:
> On Tue, 8 Jul 2008, Jef Gearhart wrote:
>
>> Maybe this was intentional? If I try to use CURLOPT_SSL_VERIFYHOST
>> (set to 2), but disable CURLOPT_SSL_VERIFYPEER, the connection
>> succeeds, even though the Common name doesn't match the host name I
>> connected to.
>>
>> I can see clearly in the code why this is so, but before I elaborate
>> on that.. Is this intentional?
>
> No, I don't think it is intentional.
>
> Of course Arnaud's point is still valid: it is still entirely
> insecure. Without verifying the certificate, the name part check
> really adds nothing.
Debian APT's https method uses that exact set of options by default at the
moment ;-( Note that the behavior should be the expected (silly) one
because they use the -gnutls version of libcurl.
I filed a bug report on that topic (among others), and will push things
forward when the next -stable release of curl with the previously posted
TLS-related patches is available in Debian unstable (i.e. in August).
Cheers,
a+