curl-library

SSL_VERIFYPEER=FALSE workaround also needs VERIFYHOST=1?

From: Soren Spies <sspies_at_apple.com>
Date: Sun, 1 Dec 2002 18:23:42 -0800

On Monday, Nov 11, 2002, at 13:55 US/Pacific, Daniel Stenberg wrote:

> 2. curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE);

In trying to use this workaround (on a system with no default bundle
installed), I had to look at the curl(1) source and add the line:
     curl_easy_setopt(tempCURL, CURLOPT_SSL_VERIFYHOST, 1); // also needed

Should I have had to do that? Should it be documented? I also noticed
that TOT curl_easy_setopt.3 doesn't document current functionality:

> CURLOPT_SSL_VERIFYPEER
> Pass a long that is set to a non-zero value to make
> curl verify the peer's certificate. The certificate to
> verify against must be specified with the
> CURLOPT_CAINFO option (Added in 7.4.2) or a certificate
> directory must be specified with the CURLOPT_CAPATH
> option (Added in 7.9.8).

Here's a diff to make it somewhat more up to date:
!cvs diff docs/libcurl/curl_easy_setopt.3
Index: docs/libcurl/curl_easy_setopt.3
===================================================================
RCS file: /cvsroot/curl/curl/docs/libcurl/curl_easy_setopt.3,v
retrieving revision 1.26
diff -T -u -p -b -r1.26 curl_easy_setopt.3
--- docs/libcurl/curl_easy_setopt.3 1 Dec 2002 11:23:06 -0000
1.26
+++ docs/libcurl/curl_easy_setopt.3 2 Dec 2002 02:21:35 -0000
@@ -712,10 +712,13 @@ Pass a long as parameter. Set what versi
         servers make this difficult why you at times may have to use
this option.
         .TP
         .B CURLOPT_SSL_VERIFYPEER
- Pass a long that is set to a non-zero value to make curl verify
the peer's
- certificate. The certificate to verify against must be
specified with the
- CURLOPT_CAINFO option (Added in 7.4.2) or a certificate
directory must be specified
- with the CURLOPT_CAPATH option (Added in 7.9.8).
+ Pass a long that is set to a zero value to stop curl from
verifying the
+ peer's certificate (7.10 starting setting this option to TRUE
by default).
+ Alternate certificates to verify against can be specified with
the
+ CURLOPT_CAINFO option (Added in 7.4.2) or a certificate
directory can be
+ specified with the CURLOPT_CAPATH option (Added in 7.9.8). As
of 7.10,
+ curl installs a default bundle. CURLOPT_SSL_VERIFYHOST may also
+ need to be set to 1 if VERIFYPEER is disabled (it defaults to
2).
         .TP
         .B CURLOPT_CAINFO
         Pass a char * to a zero terminated string naming a file holding
one or more
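
Review bot: the last added sentence ("CURLOPT_SSL_VERIFYHOST may also need to be set to 1 if VERIFYPEER is disabled") documents a second relaxation without saying when it is needed or what the caller gives up. State the condition, and say that with peer verification off and the host check below its default of 2 the server's identity is no longer checked, or point to the CURLOPT_SSL_VERIFYHOST entry for that. The rewritten entry also describes only the zero value, dropping the removed text's statement that a non-zero value makes curl verify the peer's certificate. "7.10 starting setting this option to TRUE by default" should read "this option is TRUE by default as of 7.10".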

-Soren

Received on 2002-12-02
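
An added example, not part of the original post or of curl: a small Python check that scans C source for the two settings discussed in this message, so that a VERIFYPEER=FALSE workaround (and the lowered VERIFYHOST that goes with it) does not stay in shipped code unnoticed. The `audit` function name, the sample source (its first two lines are the calls quoted in the post, the rest is constructed) and the bundle path are assumptions.

```python
import re

# curl_easy_setopt(<handle>, CURLOPT_SSL_VERIFYPEER|VERIFYHOST, <value>)
SETOPT = re.compile(
    r"curl_easy_setopt\s*\(\s*[^,]+,\s*CURLOPT_SSL_(VERIFYPEER|VERIFYHOST)"
    r"\s*,\s*(?:\(\s*long\s*\)\s*)?([^)\s]+)\s*\)"
)
OFF = {"0", "FALSE", "false"}  # FALSE is the spelling used in the thread

# Constructed sample: the two calls from the post, then a handle that keeps
# verification on and supplies a CA bundle instead (placeholder path).
SAMPLE = """\
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_easy_setopt(tempCURL, CURLOPT_SSL_VERIFYHOST, 1); // also needed
curl_easy_setopt(ok, CURLOPT_CAINFO, "/path/to/ca-bundle.crt");
curl_easy_setopt(ok, CURLOPT_SSL_VERIFYPEER, 1L);
curl_easy_setopt(ok, CURLOPT_SSL_VERIFYHOST, 2L);
"""


def audit(source):
    """Return (line, option, value, reason) for every weakened TLS check."""
    findings = []
    for lineno, text in enumerate(source.splitlines(), 1):
        if text.lstrip().startswith("//"):      # skip commented-out calls
            continue
        for option, raw in SETOPT.findall(text):
            value = raw.rstrip("lL")            # 0L -> 0, 2L -> 2
            if option == "VERIFYPEER" and value in OFF:
                reason = "peer certificate verification disabled"
            elif option == "VERIFYHOST" and (
                value in OFF or (value.isdigit() and int(value) < 2)
            ):
                reason = "host check set below its default of 2"
            else:
                continue                        # setting left at a verifying value
            findings.append((lineno, "CURLOPT_SSL_" + option, raw, reason))
    return findings


if __name__ == "__main__":
    for lineno, option, raw, reason in audit(SAMPLE):
        print(f"line {lineno}: {option} = {raw}: {reason}")
```

Values that are not literals (a variable or macro other than FALSE) are not flagged and need manual review.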