scality / Droplet

Cloud storage client library
http://www.scality.com

OpenSSL's default CA locations are not enabled #160

Open gnb opened 10 years ago

gnb commented 10 years ago

If the profile contains 'use_https' but not 'ssl_ca_list' then the function SSL_CTX_set_default_verify_paths() is never called to initialise an SSL context to point to the operating system's default set of CA certificates. So if a server sends a certificate it is never verified.

shanbhagsv commented 5 years ago

Even if use_https is enabled and only ssl_ca_list is set, the server certificate is not verified, as the connection is successful even if ssl_ca_list contains any cacert.pem using which the server certificate cannot be verified.
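An added example, not part of the thread and not Droplet's code: the trust-store selection both comments describe, written against Python's `ssl` module, whose `set_default_verify_paths()` and `load_verify_locations()` wrap `SSL_CTX_set_default_verify_paths()` and `SSL_CTX_load_verify_locations()`. The `profile` dict and the function names `build_tls_context` and `verifies_peer` are assumptions made for the illustration; only the keys `use_https` and `ssl_ca_list` come from the issue.

```python
import ssl


def build_tls_context(profile):
    """Return a verifying client SSLContext, or None when HTTPS is off.

    `profile` is a hypothetical stand-in for a parsed profile; only the
    'use_https' and 'ssl_ca_list' keys named in the issue are read.
    """
    if not profile.get("use_https"):
        return None

    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Set the verification mode explicitly. A raw OpenSSL SSL_CTX starts
    # at SSL_VERIFY_NONE, so loading CA certificates alone changes nothing.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED

    ca_list = profile.get("ssl_ca_list")
    if ca_list:
        # Explicit CA bundle. Raises OSError (ssl.SSLError is a subclass)
        # when the file is missing or holds no certificate, so a bad path
        # fails closed instead of leaving an empty trust store.
        ctx.load_verify_locations(cafile=ca_list)
    else:
        # No bundle configured: fall back to the operating system's
        # default CA locations, the call the issue reports as missing.
        ctx.set_default_verify_paths()
    return ctx


def verifies_peer(ctx):
    """True only if the context rejects an unverifiable server certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


if __name__ == "__main__":
    ctx = build_tls_context({"use_https": True})
    print("peer verification enabled:", verifies_peer(ctx))
```
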