Re: Does curl REALLY ignore CURLOPT_SSL_VERIFYPEER / CURLOPT_SSL_VERIFYHOST?
Date: Wed, 28 Nov 2007 10:10:13 +0100 (CET)
On Wed, 28 Nov 2007, paranoid paranoia wrote:
>> I'm not so sure about that. Would that allow a man-in-the-middle attack to
>> take place? The middleman would only need to use an anonymous key and the
>> user would never know he wasn't connected to the desired server.
> ok... i must apologize in advance if i may sound aggressive, but which part
> of "anonymous" don't people understand?
> if i choose to set my cipher list to "ADH+AES", i *know* that the key
> exchange won't be authenticated, and -apparently- i don't care.
I assume Dan meant that if the _server_ requested anonymous and the client
would agree to that, it would be an easy way for a middle-man to sneak in a
-- Commercial curl and libcurl Technical Support: http://haxx.se/curl.html
Received on 2007-11-28