Re: Using CURLOPT_SSL_VERIFYHOST
Date: Wed, 22 Mar 2006 13:55:13 +0530
Yeah I buy your point. I may need to use both the options together.
Thanks for your kind response.
Daniel Stenberg wrote:
> On Wed, 22 Mar 2006, Nilesh wrote:
>> curl_easy_setopt(curl,CURLOPT_SSL_VERIFYPEER, 0);
>> Which guarantees validation of certificate using 'hostname' or
>> 'ipaddress' of URL.
> By disabling VERIFYPEER you switch off the verification of the
> server's certificate and by using VERIFYHOST you only verify that the
> name field (common name or subjectaltname) matches the host name of
> the server.
> Thus, a man in the middle attack that would use a new (bad)
> certificate with the correct name field would not be discovered.
Received on 2006-03-22
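
The two checks discussed in this thread, reproduced offline with the openssl command line as an added example (not code from the thread, and not libcurl itself). The host name www.example.test, the file names, and the functions chain_ok, name_ok, accept and report are assumptions of this example; accept is a simplified model of how a client combines the two settings.

```shell
#!/bin/sh
# Added illustration, not code from the thread. The host name and all three
# certificates are constructed sample data, generated locally with openssl.
HOST=www.example.test
DIR=$(mktemp -d)
trap 'rm -rf "$DIR"' EXIT

# Private CA standing in for the client's trusted CA bundle.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$DIR/ca.key" -out "$DIR/ca.pem" 2>/dev/null

# good.pem: issued by that CA for $HOST.
openssl req -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
    -keyout "$DIR/good.key" -out "$DIR/good.csr" 2>/dev/null
openssl x509 -req -in "$DIR/good.csr" -CA "$DIR/ca.pem" -CAkey "$DIR/ca.key" \
    -CAcreateserial -days 1 -out "$DIR/good.pem" 2>/dev/null

# untrusted.pem: self-signed, same name field, no trusted issuer.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$HOST" \
    -keyout "$DIR/untrusted.key" -out "$DIR/untrusted.pem" 2>/dev/null

# What VERIFYPEER asks: does the chain end at a trusted CA?
chain_ok() { openssl verify -CAfile "$DIR/ca.pem" "$1" >/dev/null 2>&1; }

# What VERIFYHOST asks: does the certificate's name field match the host?
name_ok() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q "does match"
}

# Simplified model of the client's decision (an assumption of this example):
# accept <verifypeer 0|1> <verifyhost 0|2> <cert.pem> <host>
accept() {
    if [ "$1" -ne 0 ] && ! chain_ok "$3"; then return 1; fi
    if [ "$2" -ne 0 ] && ! name_ok "$3" "$4"; then return 1; fi
    return 0
}

report() { if accept "$@"; then echo accepted; else echo rejected; fi; }

echo "PEER=0 HOST=2, untrusted cert, right name: $(report 0 2 "$DIR/untrusted.pem" "$HOST")"
echo "PEER=1 HOST=2, untrusted cert, right name: $(report 1 2 "$DIR/untrusted.pem" "$HOST")"
echo "PEER=1 HOST=0, trusted cert, wrong name:   $(report 1 0 "$DIR/good.pem" other.example.test)"
echo "PEER=1 HOST=2, trusted cert, wrong name:   $(report 1 2 "$DIR/good.pem" other.example.test)"
echo "PEER=1 HOST=2, trusted cert, right name:   $(report 1 2 "$DIR/good.pem" "$HOST")"
```

In libcurl terms, the only combination that rejects both bad cases is CURLOPT_SSL_VERIFYPEER set to 1L together with CURLOPT_SSL_VERIFYHOST set to 2L.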