curl-library
Re: Is it safe to toggle SSL_VERIFYPEER between easy handles towards the same endpoint
Date: Fri, 26 Aug 2016 18:46:26 +0200
On Fri, Aug 26, 2016 at 4:41 PM, JOHAN LANTZ <johan.lantz_at_telefonica.com> wrote:
> Hi
>
> I have some requests where speed is more important than security and I have
> also seen at rare occasions in iOS that a connection can fail with error 60.
>
> Due to this I wonder if it is safe to have VERIFYPEER on in some requests
> and off in others even if the remote endpoint is the same. I am asking
> mainly in case handles and connections are reused.
It is absolutely not safe. If HTTP keepalive is used, and curl attempts to
reuse a connection, the connection is silently reopened if it has been
closed after the last use or gets reset when attempting to reuse it. This
can happen for example if the KeepAliveTimeout of the server has
expired or the client's IP has changed (e.g. switching between WiFi and
LTE).
> The second question would be if the peer is verified for each transaction or
> only once, in that case this might make less sense.
The TLS connection is (usually) reused without additional certificate
exchanges,
at least for common server configurations.
rainer
-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2016-08-26