
With this PHP script

    <?php
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_HTTPGET, true);
    curl_setopt($ch, CURLOPT_URL, 'https://sf.net/');
    // Peer (CA chain) verification switched off, host name check left at 2
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    if (!curl_exec($ch)) {
        echo "Error #" . curl_errno($ch) . ": " . curl_error($ch);
    }
    ?>

I got no error. This seems to be OK.

The expected result should be an error message indicating that the certificate name sourceforge.net does not match the expected sf.net. What do you think?

1 Answer


If you access sf.net you get the certificate for sf.net and not for sourceforge.net. The certificate for sf.net has as CN *.sf.net and as SAN DNS:*.sf.net, DNS:sf.net. This means that the certificate matches the URL. Don't get confused by the following redirect to sourceforge.net, because within this redirect it will get a new certificate which is valid for the new target.

Apart from that, by setting CURLOPT_SSL_VERIFYPEER to false you will accept any certificate, whether or not it was issued by a locally trusted CA. And it will not help that you set CURLOPT_SSL_VERIFYHOST, because with both settings combined you will accept a self-signed certificate for the name sf.net, which makes man-in-the-middle attacks trivial.


2 Comments

Thank you for these explanations. Do you mean that I must set CURLOPT_SSL_VERIFYPEER to TRUE and CURLOPT_SSL_VERIFYHOST to 0?
@LeMoussel: for proper verification you should leave both at what is hopefully the default on your system, which is verifypeer true and verifyhost 2.
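The two settings side by side, as an added example that is not part of the question or the answer: a small fetch() helper (name assumed) that performs the request once with the question's weakened configuration and once with both checks on, and reports what curl verified. The CA bundle path is an assumption; use the one your system actually ships.

```php
<?php
// Added example: fetch a URL with TLS verification on or off and report the outcome.
// CA_BUNDLE is an assumed path; curl falls back to its built-in default if it is absent.
const CA_BUNDLE = '/etc/ssl/certs/ca-certificates.crt';

function fetch(string $url, bool $verifyPeer): array
{
    $ch = curl_init($url);
    $opts = [
        CURLOPT_HTTPGET        => true,
        CURLOPT_RETURNTRANSFER => true,   // return the body instead of echoing it
        CURLOPT_FOLLOWLOCATION => false,  // look at the first hop only, not the redirect to sourceforge.net
        // VERIFYPEER: is the chain signed by a CA we trust?
        // VERIFYHOST 2: does the CN/SAN match the host in the URL?
        // With VERIFYPEER off, any certificate that merely names "sf.net" passes.
        CURLOPT_SSL_VERIFYPEER => $verifyPeer,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CERTINFO       => true,   // keep the presented certificate for inspection
    ];
    if (is_file(CA_BUNDLE)) {
        $opts[CURLOPT_CAINFO] = CA_BUNDLE;
    }
    curl_setopt_array($ch, $opts);
    $body = curl_exec($ch);
    $certs = curl_getinfo($ch, CURLINFO_CERTINFO);
    $result = [
        'ok'      => $body !== false,
        'errno'   => curl_errno($ch),          // non-zero on chain or name failure when verifying
        'error'   => curl_error($ch),
        'status'  => curl_getinfo($ch, CURLINFO_RESPONSE_CODE),
        'subject' => $certs[0]['Subject'] ?? null,
        'issuer'  => $certs[0]['Issuer'] ?? null,
    ];
    curl_close($ch);
    return $result;
}

// Weak: the question's configuration. Succeeds even against a self-signed "sf.net" certificate.
$weak = fetch('https://sf.net/', false);
// Hardened: both checks on. A self-signed or mismatched certificate now yields errno != 0.
$strict = fetch('https://sf.net/', true);

foreach (['verifypeer=false' => $weak, 'verifypeer=true' => $strict] as $label => $r) {
    printf("%-16s ok=%s errno=%d status=%d subject=%s\n",
        $label, $r['ok'] ? 'yes' : 'no', $r['errno'], $r['status'], $r['subject'] ?? '-');
    if (!$r['ok']) {
        echo "  error: {$r['error']}\n";
    }
}
```

Against the real sf.net both runs succeed and show the *.sf.net subject, which is the answer's point; the difference only appears when the chain is untrusted, where just the strict run reports an error.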
