What are the security consequences of Enabling CURLOPT_SSL_VERIFYPEER and Disabling CURLOPT_SSL_VERIFYHOST?
1 Answer
CURLOPT_SSL_VERIFYPEER checks that the remote certificate is valid, i.e. that you trust that it was issued by a CA you trust and that it's genuine.
CURLOPT_SSL_VERIFYHOST checks that the cert was issued to the entity you wanted to talk to.
To compare it to a real-life scenario, VERIFYPEER is like checking that the form of ID is one that you recognise (i.e. passport from a country you trust, staff card from a company you know, ...). VERIFYHOST is like checking the actual name on the card matches who you wanted to talk to.
If you don't use VERIFYHOST (the correct value is 2, not 1, btw), you disable host name verification and open the door to MITM attacks: anyone with a form of ID you trust can impersonate anyone within the set of IDs you trust, e.g. anyone with a valid passport could pretend they're anyone else with a valid passport.

- Thank you for the elaborated answer. This led me to another quick question: I have a website with a valid SSL certificate, https://www.example.com (CN=www.example.com, as it should be). When I visit the website via its IP address, it shows me cert errors (because the CN doesn't match); removing SSL_VERIFYHOST solves it, but opens it up to MitM attacks. What is the correct solution to handle this (allow connecting via IP address WITHOUT showing errors)? Replacing the entire validation method using CURLOPT_SSL_CTX_FUNCTION only to verify that a specific IP address matches a CN? – user1782427 Dec 06 '12 at 12:45
- Why would you want to connect with the IP address? Is it a certificate from your own CA (or self-signed)? – Bruno Dec 06 '12 at 14:44
- I have 2 servers (1.1.1.1 and 2.2.2.2); the DNS for example.com contains 2 A records (for those IP addresses). The client randomly chooses one of them and connects to the IP address and not the hostname. I would like OpenSSL to call me when it checks the common name field so I can compare the certificate common name with example.com; if it's okay, I will accept the certificate. I haven't seen that libcurl supports that, so I assume I have to write my own implementation. The certificate for example.com is a trusted Verisign cert. – user1782427 Dec 06 '12 at 16:04