Re: Does curl REALLY ignore CURLOPT_SSL_VERIFYPEER / CURLOPT_SSL_VERIFYHOST?
Date: Tue, 27 Nov 2007 23:15:41 -0800
On Wed, Nov 28, 2007 at 07:47:52AM +0100, paranoid paranoia wrote:
> actually... that's more like a quick hack that happens to work for me,
> since i set CURLOPT_SSL_VERIFYPEER to 0 after having spent a
> few hours trying to force curl to *not* make any checks. ideally, if
> the cipher spec only allows anonymous key exchange or pre-shared
> keys, one shouldn't have to explicitly disable peer verification...
I'm not so sure about that. Would that allow a man-in-the-middle attack to
take place? The middleman would only need to use an anonymous key
and the user would never know he wasn't connected to the desired server.
--
http://www.MoveAnnouncer.com The web change of address service
Let webmasters know that your web site has moved

Received on 2007-11-28
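
The point raised in the reply above, as an added example that is not part of the original thread or of curl: a toy Diffie-Hellman exchange showing that an anonymous key exchange completes identically whether or not a party on the path has substituted its own key, while binding the exchange to a pre-shared key makes the client reject it. The group parameters, function names and the HMAC binding are assumptions chosen for illustration; this is not the TLS ADH or PSK handshake.

```python
import hashlib
import hmac
import secrets

# Toy group (constructed for illustration; far too small for real use).
P = 2**127 - 1
G = 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def psk_tag(psk, client_pub, server_pub):
    # MAC over both public values, keyed with the pre-shared secret.
    msg = client_pub.to_bytes(16, "big") + server_pub.to_bytes(16, "big")
    return hmac.new(psk, msg, hashlib.sha256).digest()

def handshake(psk=None, interposed=False):
    """Return (client_key, server_key, client_accepts)."""
    c_priv, c_pub = keypair()
    s_priv, s_pub = keypair()
    seen_by_client, seen_by_server = s_pub, c_pub
    if interposed:
        # A party on the path substitutes its own public value both ways.
        _, m_pub = keypair()
        seen_by_client = seen_by_server = m_pub
    accepts = True  # anonymous exchange: nothing to check, so always accepted
    if psk is not None:
        # Server tags what it saw; the interposer lacks psk and can only relay it.
        server_tag = psk_tag(psk, seen_by_server, s_pub)
        expected = psk_tag(psk, c_pub, seen_by_client)
        accepts = hmac.compare_digest(server_tag, expected)
    return (session_key(c_priv, seen_by_client),
            session_key(s_priv, seen_by_server), accepts)

if __name__ == "__main__":
    for psk in (None, b"constructed-sample-psk"):
        for interposed in (False, True):
            ck, sk, ok = handshake(psk, interposed)
            print(f"psk={psk is not None} interposed={interposed} "
                  f"keys_match={ck == sk} client_accepts={ok}")
```

In the anonymous, interposed case the client accepts even though its key no longer matches the server's, which is why disabling peer verification has to stay an explicit choice by the caller.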