Re: Does curl REALLY ignore CURLOPT_SSL_VERIFYPEER / CURLOPT_SSL_VERIFYHOST?
Date: Thu, 29 Nov 2007 17:07:10 -0800
On Fri, Nov 30, 2007 at 01:25:25AM +0100, paranoid paranoia wrote:
> This doesn't change the fact that most people who
> set their cipher list to include only anonymous and/or
> pre-shared key combinations will be mighty surprised
> that curl insists on retrieving the peer's certificate,
> since these variants don't require/use any... but, that's
> their problem. If the "feature" is well-documented,
> there's hardly anything to complain about.
On the other hand, those people who accidentally set their cipher list to
include anonymous ciphers (or who have them set for them through some
nefarious means) will be might surprised to see that they've fallen victim
to a MITM attack because the server certificate that they've insisted be
verified by curl was not.
-- http://www.MoveAnnouncer.com The web change of address service Let webmasters know that your web site has movedReceived on 2007-11-30