curl-library

whether curl solves "man in the middle attack"

From: venkatesh perumalla <perumalla.venki_at_gmail.com>
Date: Thu, 25 Jul 2013 11:18:00 +0530

Hi,

Does curl do SSL pinning, which can avoid a "man in the middle
attack"?
Does it do the strict validation, as explained in the link below?
https://www.owasp.org/index.php/Pinning_Cheat_Sheet#OpenSSL

Because of the comments below on the function "servercert", it looks like it
handles the "man in the middle attack"
by setting CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER.
/*
 * Get the server cert, verify it and show it etc, only call failf() if the
 * 'strict' argument is TRUE as otherwise all this is for informational
 * purposes only!
 *
 * We check certificates to authenticate the server; otherwise we risk
 * man-in-the-middle attack.
 */

Do applications have to do anything extra to avoid a "man in the
middle attack"?

Thanks in advance.

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2013-07-25
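
An added example, not part of the original mail or of curl's code: public-key pinning is a check on top of the chain and hostname verification that CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST enable, comparing a hash of the certificate's SubjectPublicKeyInfo against a known value. The Python below extracts that field from a DER certificate and builds the `sha256//<base64>` pin form that libcurl's later CURLOPT_PINNEDPUBLICKEY option accepts. `fake_cert` and its key bytes are constructed sample input, not a real certificate.

```python
import base64, hashlib

def read_tlv(buf, pos):
    """Parse the DER element at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length >= 0x80:                 # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER element overruns buffer")
    return tag, pos, pos + length

def spki_der(cert):
    """Return the whole SubjectPublicKeyInfo element of a DER X.509 certificate."""
    outer, pos, _ = read_tlv(cert, 0)          # Certificate SEQUENCE
    tbs, pos, tbs_end = read_tlv(cert, pos)    # tbsCertificate SEQUENCE
    if outer != 0x30 or tbs != 0x30:
        raise ValueError("not an X.509 certificate")
    tag, _, end = read_tlv(cert, pos)
    if tag == 0xA0:                            # optional [0] version field
        pos = end
    for _field in range(5):                    # serial, sig alg, issuer, validity, subject
        _, _, pos = read_tlv(cert, pos)
    tag, _, end = read_tlv(cert, pos)
    if tag != 0x30 or end > tbs_end:
        raise ValueError("SubjectPublicKeyInfo not found")
    return cert[pos:end]

def pin_of(cert):
    return "sha256//" + base64.b64encode(hashlib.sha256(spki_der(cert)).digest()).decode()

def pin_matches(cert, allowed_pins):
    return pin_of(cert) in set(allowed_pins)

# Constructed sample input: a certificate-shaped DER skeleton, not a real certificate.
def _tlv(tag, body):
    return bytes([tag, len(body)]) + body      # short-form lengths only (< 128 bytes)
def fake_cert(serial, key):
    alg = _tlv(0x30, bytes.fromhex("06032b6570"))
    spki = _tlv(0x30, alg + _tlv(0x03, b"\x00" + key))
    tbs = _tlv(0x30, _tlv(0xA0, b"\x02\x01\x02") + _tlv(0x02, bytes([serial]))
               + alg + _tlv(0x30, b"") * 3 + spki)
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))
```

Because the pin covers only the public key, a reissued certificate with the same key (different serial) keeps the same pin, while a certificate carrying any other key fails the match even if its chain validates.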