There are two options for SSL verification with the library as it stands:

* supply a path for CURLOPT_CAINFO and get peer verification
* don't, and peer verification is explicitly turned off

In my day job, we need to set peer verification on, but rely on the machine's
CA list being correctly configured. For a while last year we were accidentally
running with certificate verification turned off, which is obviously worrying.
We're running a local fork of the library, which modifies the default
behaviour. My aim is to make it harder for users of the library to leave things
in an insecure state.

I've attached a patch which makes it default to verifying the certificate, but
you can disable verification with a call on the GoogleRequest object. On a
properly configured box, where it has a decent CA list, this will mean you get
the reasonably secure behaviour out of the box.

I hope this seems like a useful change, but please let me know if you think
there's a better way to permit this behaviour.

(The patch applies cleanly for me against the 1.3.1 release, with "patch -p1 <
verification-on-by-default.patch".)

Original issue reported on code.google.com by asho...@gmail.com on 15 Mar 2012 at 2:31
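
The default the report asks for, sketched as an added example; it is not the attached patch, the library's code, or the reporter's fork. It assumes the library drives PHP's curl extension, and the helper name `buildTlsCurlOptions` and the sample CA path are hypothetical.

```php
<?php
// Added example: hypothetical helper, not the library's code or the attached patch.
// Assumes PHP's curl extension, which defines the CURLOPT_* constants used here.

/**
 * Build TLS-related curl options with peer verification on by default.
 *
 * @param string|null $caInfoPath Optional CA bundle; null means rely on the machine's CA list.
 * @param bool        $verifyPeer Pass false only as a deliberate, explicit opt-out.
 */
function buildTlsCurlOptions(?string $caInfoPath = null, bool $verifyPeer = true): array
{
    if (!$verifyPeer) {
        // Explicit opt-out: only a direct request from the caller turns verification off.
        return [CURLOPT_SSL_VERIFYPEER => false];
    }
    $options = [
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2, // also require the certificate to match the host name
    ];
    if ($caInfoPath !== null) {
        // Fail closed: a bad path must not silently degrade to "no verification".
        if (!is_readable($caInfoPath)) {
            throw new InvalidArgumentException("CA bundle not readable: $caInfoPath");
        }
        $options[CURLOPT_CAINFO] = $caInfoPath;
    }
    // With CURLOPT_CAINFO unset, curl falls back to its default CA store.
    return $options;
}

// Constructed usage; no network request is made.
$default = buildTlsCurlOptions();
var_dump($default[CURLOPT_SSL_VERIFYPEER]);
var_dump(array_key_exists(CURLOPT_CAINFO, $default));

$optOut = buildTlsCurlOptions(null, false);
var_dump($optOut[CURLOPT_SSL_VERIFYPEER]);

try {
    buildTlsCurlOptions('/nonexistent/ca-bundle.pem'); // constructed path
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

The returned array can be passed to `curl_setopt_array()` on the request handle, so the absence of a CA path no longer decides whether the peer is verified.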