Re: [PATCH] nss: fail with more verbose error message if common name does not match

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Thu, 13 Aug 2009 13:44:15 +0200 (CEST)

On Thu, 13 Aug 2009, Kamil Dudka wrote:

>> 'ssl.verifyhost' is the variable that controls the host name verification
>> against the names used within the certificate.
>>
>> 'ssl.verifypeer' is the variable that controls if the certificate is
>> legit from a CA standpoint.
>
> The intention was to make the behavior equal to the OpenSSL variant. I've
> conducted some testing and AFAICT it behaves equally. OpenSSL triggers the
> same error only if both verifyhost and verifypeer are non-zero.

That sounds like a bug to me in the OpenSSL-specific side! It should be enough
to only have verifyhost set to verify the host name in the cert. I'm not sure
it's very important though, since as long as you don't verify the CA part it
can be easily made up by the server anyway.

> A negligible difference is that it doesn't distinguish between verifyhost==1
> and verifyhost==2 which I actually don't know how to implement with NSS.

Right, and I believe that "only warn" option (verifyhost==1) is really never
used and is a next to useless feature.

> So I still can't see anything wrong. Could you please give me an example of
> when this fails. Thanks in advance!

Create a self-signed certificate but set a correct server name in the cert.
Then curl should be able to verify the name only with verifyhost==2 and
verifypeer==0.

-- 
  / daniel.haxx.se
Received on 2009-08-13
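The test Daniel proposes, and the flag coupling Kamil measured, modelled in added example code (this is not curl, OpenSSL or NSS code). Chain validation is abstracted to a caller-supplied boolean; host name matching is implemented for real, and the certificate dicts are constructed for the example.

```python
# Added example, not libcurl code: a model of how ssl.verifypeer and
# ssl.verifyhost should combine ("intended"), beside the coupling Kamil
# observed in the OpenSSL backend ("openssl-2009"). Name matching uses
# subjectAltName dNSName first, CN as fallback, '*' only as a whole label.

def _name_matches(pattern: str, host: str) -> bool:
    """Compare one certificate name with the requested host name."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # The wildcard replaces exactly one label and at least two fixed labels
    # must remain, so "*.com" or "a.b.example.test" never match.
    return (len(p_labels) == len(h_labels) >= 3
            and p_labels[1:] == h_labels[1:])

def host_matches(cert: dict, host: str) -> bool:
    """SAN dNSName entries win; the CN is consulted only when no SAN exists."""
    names = cert.get("san_dns") or [cert.get("cn", "")]
    return any(_name_matches(n, host) for n in names)

def verify(cert: dict, host: str, chain_ok: bool,
           verifypeer: int, verifyhost: int, backend: str = "intended"):
    """Return (accepted, messages).

    backend="intended":     each knob acts on its own, as Daniel describes.
    backend="openssl-2009": the coupling Kamil measured: a name mismatch is
                            fatal only when verifypeer is also non-zero.
    """
    messages = []
    if verifypeer and not chain_ok:
        messages.append("peer certificate cannot be authenticated")
        return False, messages
    if verifyhost and not host_matches(cert, host):
        if verifyhost == 1:  # the "only warn" mode Daniel calls near useless
            messages.append(f"warning: certificate name does not match {host!r}")
        elif backend == "intended" or verifypeer:
            messages.append(f"certificate name does not match {host!r}")
            return False, messages
        else:
            messages.append("name mismatch silently ignored (verifypeer==0)")
    return True, messages

# Daniel's proposed check: a self-signed cert (chain_ok=False) carrying the
# right server name, verified with verifyhost==2 and verifypeer==0.
SELF_SIGNED = {"cn": "localhost", "san_dns": ["localhost", "*.example.test"]}
```

With the intended semantics the self-signed certificate passes for `localhost` and fails for any other name; under the coupled behaviour the same mismatch is silently accepted whenever verifypeer is 0.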