curl-library

Re: libcurl and recycled https connections

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Wed, 12 Mar 2003 11:14:55 +0100 (CET)

On Tue, 11 Mar 2003 RBramante_at_on.com wrote:

> 1) I make an https connection to a server with both host/peer verifications
> disabled.
> 2) https connection succeeds and I receive the expected data.
> 3) Now I make the request again, only this time I request it with peer
> verification enabled, hostname matching. The deal is, it should never get
> to this stage because I pass in a bad path to the ca_cert file. It doesn't
> exist.
> 4) Surprisingly, the connection blasts through and I get the same data as in
> #2.

This is a bug.

This is because the check in ConnectionExists() which checks to see if there
is an open connection to re-use, doesn't take peer verification status into
account. You would also get the same effect if you did use peer certificate
in the first request and then dropped it or changed it for the second one...

> I'm not sure how serious I would consider this, since would there be a real
> world scenario where you would toggle ssl parameters like this?

I guess it all depends on your application. It might be serious to some.

Will you be able to produce a patch for this?

-- 
 Daniel Stenberg -- curl, cURL, Curl, CURL. Groks URLs.
Received on 2003-03-12
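
The reuse decision discussed in this mail, modelled as an added example (not libcurl's code and not part of the original message). The struct and function names, the host and the CA path are hypothetical or constructed; the block contrasts an endpoint-only match with one that also compares the verification settings the cached connection was opened with.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical model, not libcurl's structs: TLS options a request asks for. */
struct tls_cfg {
  bool verify_peer;
  bool verify_host;
  const char *ca_file; /* NULL when unset */
};

/* Hypothetical cache entry: endpoint plus the options used at handshake time. */
struct conn {
  const char *host;
  int port;
  struct tls_cfg tls;
};

static bool same_str(const char *a, const char *b)
{
  return (a && b) ? strcmp(a, b) == 0 : a == b;
}

/* Endpoint-only match: the behaviour the mail describes as the bug. */
bool reuse_endpoint_only(const struct conn *c, const char *host, int port)
{
  return c->port == port && strcmp(c->host, host) == 0;
}

/* Stricter match: also require identical verification settings. */
bool reuse_tls_aware(const struct conn *c, const char *host, int port,
                     const struct tls_cfg *want)
{
  return reuse_endpoint_only(c, host, port) &&
         c->tls.verify_peer == want->verify_peer &&
         c->tls.verify_host == want->verify_host &&
         same_str(c->tls.ca_file, want->ca_file);
}

/* The mail's scenario with constructed values: request 1 was unverified;
   request 2 optionally asks for verification. Returns true on reuse. */
bool second_request_reuses(bool tls_aware, bool want_verify)
{
  struct conn cached = { "example.test", 443, { false, false, NULL } };
  struct tls_cfg want = { want_verify, want_verify,
                          want_verify ? "/nonexistent/ca.pem" : NULL };
  return tls_aware ? reuse_tls_aware(&cached, "example.test", 443, &want)
                   : reuse_endpoint_only(&cached, "example.test", 443);
}
```

With the stricter match, the second request gets no cached connection and has to perform a fresh handshake, which is where a missing CA file would be noticed.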