[sword-devel] MiTM

2016-09-18 Thread Jaak Ristioja
Hi!

In src/mgr/curlhttpt.cpp:

    /* Disable checking host certificate */
    curl_easy_setopt(session, CURLOPT_SSL_VERIFYPEER, false);

Why? Afaik this allows the use of self-signed certificates for MiTM.

Best regards,
J

Re: [sword-devel] MiTM

2016-09-18 Thread DM Smith
I'll look into it.

> On Sep 18, 2016, at 11:20 AM, Jaak Ristioja wrote:
>
> Hi!
>
> In src/mgr/curlhttpt.cpp:
>
>    /* Disable checking host certificate */
>    curl_easy_setopt(session, CURLOPT_SSL_VERIFYPEER, false);
>
> Why? Afaik this allows the use of self-signed

Re: [sword-devel] MiTM

2016-09-18 Thread DM Smith
We are now using a good cert for the CrossWire server, but I don’t know if all SSL services use it yet. I’d be interested in whether a client that has that changed from false to true would work properly. It shouldn’t allow a self-signed cert, which is what we used to do. If it doesn’t work, then I’d have

Re: [sword-devel] MiTM

2016-09-18 Thread Greg Hellings
https://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYPEER.html

Is curlhttpt.c used for HTTPS? I don't have the source in front of me, but that name suggests it is only for the raw HTTP connection.

--Greg

On Sep 18, 2016 12:05 PM, "DM Smith" wrote:
> I'll look into it.

Re: [sword-devel] MiTM

2016-09-18 Thread Jaak Ristioja
Looking at the source it looks more like it's used for FTP instead :)

https://github.com/bibletime/crosswire-sword-mirror/blob/trunk/src/mgr/curlhttpt.cpp

J

On 18.09.2016 20:55, Greg Hellings wrote:
> https://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYPEER.html
>
> Is curlhttpt.c used for HTTPS?