From e4f6adb023546d864a1548a28b08112c59d9e85a Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Sat, 2 Aug 2014 23:09:22 +0200 Subject: [PATCH] CURLOPT_SSL_VERIFYPEER.3. add a warning about disabling it --- docs/libcurl/opts/CURLOPT_SSL_VERIFYPEER.3 | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/libcurl/opts/CURLOPT_SSL_VERIFYPEER.3 b/docs/libcurl/opts/CURLOPT_SSL_VERIFYPEER.3 index ec158cc08..f2bad7464 100644 --- a/docs/libcurl/opts/CURLOPT_SSL_VERIFYPEER.3 +++ b/docs/libcurl/opts/CURLOPT_SSL_VERIFYPEER.3 @@ -51,6 +51,12 @@ typically also want to ensure that the server is the server you mean to be talking to. Use \fICURLOPT_SSL_VERIFYHOST(3)\fP for that. The check that the host name in the certificate is valid for the host name you're connecting to is done independently of the \fICURLOPT_SSL_VERIFYPEER(3)\fP option. + +WARNING: disabling verification of the certificate allows bad guys to +man-in-the-middle the communication without you knowing it. Disabling +verification makes the communication insecure. Just having encryption on a +transfer is not enough as you cannot be sure that you are communicating with +the correct end-point. .SH DEFAULT By default, curl assumes a value of 1. .SH PROTOCOLS
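Review bot: the new WARNING paragraph lands right after the sentence saying the host name check is "done independently of the \fICURLOPT_SSL_VERIFYPEER(3)\fP option", and it does not say whether that independent check still protects a transfer once peer verification is off. A reader could take the two paragraphs together to mean that leaving \fICURLOPT_SSL_VERIFYHOST(3)\fP enabled is sufficient. Consider adding one sentence stating that a matching host name proves nothing when the certificate itself has not been verified, since anyone can issue themselves a certificate carrying that name. Two smaller points on the same paragraph: "bad guys" would read better as "an attacker" in a reference page, and "Disabling verification makes the communication insecure" repeats the first sentence without telling the reader what it should be used for, so it could be replaced with a note that turning the option off is only appropriate for testing or debugging.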