On Tue, Sep 23, 2014 at 12:42:21PM -0400, Karl Dahlke wrote: > > So the open question is whether CURLOPT_VERIFYHOST > > should always match CURLOPT_VERIFYPEER? > > Probably yes, as long as curl understands wild card certificates, > wherein *.foobar.com matches www.foobar.com. > I used such a certificate at my last job and it sure was convenient, > and cheaper than buying a certificate for each subdomain.
I'd say the two should always match as well, otherwise the behavior is counter-intuative (assuming curl treats the options separately) particularly when using self-signed certs simply to get the encryption provided by ssl. At the end of the day, when I switch off ssl verification I expect edbrowse to behave like curl with the --insecure option, i.e. do ssl regardless of whether the certificate can be verified. Incidentally, the afore mentioned curl option works with the systems which caused me to notice this bug. Cheers, Adam.
signature.asc
Description: Digital signature
_______________________________________________ Edbrowse-dev mailing list [email protected] http://lists.the-brannons.com/mailman/listinfo/edbrowse-dev
