curl-library

Re: SSL sample (again)

From: Jerry G. Chiuan <jerry_at_oridus.com>
Date: Tue, 16 Dec 2003 10:07:49 -0800

> Jerry G. Chiuan wrote:
> > I would add these 2 lines before curl_easy_perform( ):
> >
> > /* stop libcurl from verifying peer's SSL certificate during SSL handshake
> > phase, def: ON */
> > curl_easy_setopt(m_curlHandle, CURLOPT_SSL_VERIFYPEER, FALSE);
> > /* check only existence of hostname in peer certificate during SSL handshake
> > phase */
> > curl_easy_setopt(m_curlHandle, CURLOPT_SSL_VERIFYHOST, 1);
>
> That is not good.
> HTTPS without peer verification is useless.
>
> You can turn off client authentication,
> but you never should turn off peer cert verification.

ya, I agree with this point
but I forgot to mention that my usage depends on users totally trusting the
peer, and can bypass the peer verification
e.g. users link to their own company's site

sorry about this confusion

Regds,
- Jerry

Received on 2003-12-16