Security consequences of disabling CURLOPT_SSL_VERIFYHOST (libcurl/openssl)

by

  • CURLOPT_SSL_VERIFYPEER checks that the remote certificate is valid, i.e. that you trust that it was issued by a CA you trust and that it’s genuine.

  • CURLOPT_SSL_VERIFYHOST checks that the cert was issued to the entity you wanted to talk to.

To compare it to a real-life scenario, VERIFYPEER is like checking that the form of ID is one that you recognise (i.e. passport from a country you trust, staff card from a company you know, …). VERIFYHOST is like checking the actual name on the card matches who you wanted to talk to.

If you don’t use VERIFYHOST (the correct value is 2, not 1, btw), you disable host name verification and open the door to MITM attacks: anyone with a form of ID you trust can impersonate anyone within the set of IDs you trust, e.g. anyone with a valid passport could pretend they’re anyone else with a valid passport.

More Related Contents:

  1. How to generate a self-signed SSL certificate using OpenSSL?
  2. curl: (60) SSL certificate problem: unable to get local issuer certificate
  3. How can I generate a self-signed certificate with SubjectAltName using OpenSSL? [closed]
  4. Use self signed certificate with cURL?
  5. Building libcurl with SSL support on Windows
  6. How to install OpenSSL in windows 10?
  7. How do you sign a Certificate Signing Request with your Certification Authority?
  8. How to get .pem file from .key and .crt files?
  9. HTTPS and SSL3_GET_SERVER_CERTIFICATE:certificate verify failed, CA is OK
  10. Installation SSL in wamp server: Error in httpd-ssl.conf
  11. Docker container SSL certificates
  12. “verify error:num=20” when connecting to gateway.sandbox.push.apple.com
  13. How do I restore a missing IIS Express SSL Certificate?
  14. Third-Party Signed SSL Certificate for localhost or 127.0.0.1?
  15. curl : (1) Protocol https not supported or disabled in libcurl
  16. SSL Error: unable to get local issuer certificate
  17. curl – Is data encrypted when using the –insecure option?
  18. curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number
  19. OpenSSL: unable to verify the first certificate for Experian URL
  20. How to add subject alernative name to ssl certs?
  21. cURL requires CURLOPT_SSL_VERIFYPEER=FALSE
  22. Difference between self-signed CA and self-signed certificate [closed]
  23. Why does Python requests ignore the verify parameter?
  24. How to install: OpenSSL + WAMP
  25. curl: Unknown error (0x80092012) – The revocation function was unable to check revocation for the certificate
  26. Generating client side certificates in browser and signing on server
  27. Self-signed SSL acceptance on Android
  28. Programmatically Create X509 Certificate using OpenSSL
  29. How to solve ‘libcurl’ not found with Rails on Windows
  30. SSLError: sslv3 alert handshake failure

Leave a Comment