curl-library

Re: can't verify SSL cert

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Fri, 20 Feb 2009 22:44:09 +0100 (CET)

On Fri, 20 Feb 2009, Jay Edgar wrote:

> I'm unable to verify the SSL Certificate in a communication with PayTrace,
> although I can complete the communication without it.
>
> Question #1: Comodo has suggested that even if I can't verify the
> certificate, the connection is still secure. Is this accurate?

It surprises me that a CA would claim something like that.

The question is thus what "secure" means. When you can't verify the server's
certificate, you cannot know that you're actually talking to the right server,
but it might instead be an impostor that pretends to be the server you want to
contact. Then you get an encrypted and "secure" connection, but to the wrong
server - without knowing it.

> Question #2: Even if it _is_ secure, I'd be much more comfortable being able
> to turn VERIFYPEER on. Am I being overly cautious?

No, you're not. SSL security basically depends on this if you ask me.

> Question #3: Is there anything in the code above that indicates a problem?

It's PHP so I'm not completely sure, but it looked fine.

You used CAPATH so I figure you did configure that dir properly after you put
the new cert there? I think you need to update some index somehow.

-- 
  / daniel.haxx.se
Received on 2009-02-20
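The "index" referred to above is the set of hashed symlinks that OpenSSL's CApath lookup (and hence libcurl's CURLOPT_CAPATH) needs before it will find a CA certificate dropped into the directory. The script below is an added example, not code from this thread or from the curl project; it assumes the `openssl` command-line tool is installed and does by hand what `c_rehash DIR` / `openssl rehash DIR` do, so that you can see what is missing when a freshly copied CA file is silently ignored:

```shell
#!/bin/sh
# Build the hashed index OpenSSL's by_dir lookup requires: every CA cert in the
# directory must be reachable under the name <subject_hash>.<n>, where <n> starts
# at 0 and increments when two subjects collide on the same hash.
rehash_capath() {
    dir="$1"
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue
        hash=$(openssl x509 -subject_hash -noout -in "$pem") || return 1
        n=0
        # Reuse an existing slot if it already points at this file, otherwise
        # take the next free suffix.
        while [ -e "$dir/$hash.$n" ]; do
            [ "$(readlink "$dir/$hash.$n")" = "$(basename "$pem")" ] && break
            n=$((n + 1))
        done
        ln -sf "$(basename "$pem")" "$dir/$hash.$n"
    done
}

# Return 0 if OpenSSL can build a trusted chain for CERT using CAPATH, else 1.
# This is the same lookup libcurl performs when VERIFYPEER is on and CAPATH is
# set, so a failure here predicts a "can't verify SSL cert" error from curl.
verify_with_capath() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Usage: sh rehash_capath.sh /path/to/capath
if [ "$#" -eq 1 ]; then
    rehash_capath "$1"
fi
```

Run it once after adding or replacing any certificate in the CAPATH directory; without the symlinks, verification fails exactly as if the CA file were not there.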