Security consequences of disabling CURLOPT_SSL_VERIFYHOST (libcurl/openssl)

What are the security consequences of Enabling CURLOPT_SSL_VERIFYPEER and Disabling CURLOPT_SSL_VERIFYHOST?

asked Dec 06 '12 09:12 by user1782427


1 Answer

  • CURLOPT_SSL_VERIFYPEER checks that the remote certificate is valid, i.e. that it was issued by a CA you trust and that it's genuine.

  • CURLOPT_SSL_VERIFYHOST checks that the cert was issued to the entity you wanted to talk to.

To compare it to a real-life scenario, VERIFYPEER is like checking that the form of ID is one that you recognise (i.e. passport from a country you trust, staff card from a company you know, ...). VERIFYHOST is like checking the actual name on the card matches who you wanted to talk to.

If you don't use VERIFYHOST (the correct value is 2, not 1, btw), you disable host name verification and open the door to MITM attacks: anyone with a form of ID you trust can impersonate anyone within the set of IDs you trust, e.g. anyone with a valid passport could pretend they're anyone else with a valid passport.

answered Oct 20 '22 10:10 by Bruno
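To make the two checks concrete, here is an added example (not part of the original answer, and not libcurl's own code) that mirrors the two options with Python's standard `ssl` module and then simulates the decision libcurl makes. The certificate records, CA names and host names are constructed dictionaries and strings, not real X.509 objects; `make_tls_context`, `name_matches` and `accept_server` are names chosen for this example. It shows the case the answer warns about: with peer verification on but host verification off, a cert that a trusted CA issued to some other name is accepted for the host you asked for.

```python
import ssl

# libcurl's two options, mapped onto Python's ssl.SSLContext (assumed mapping for this example):
#   CURLOPT_SSL_VERIFYPEER -> verify_mode (CERT_REQUIRED vs CERT_NONE)
#   CURLOPT_SSL_VERIFYHOST -> check_hostname (2 = on, 0 = off)
def make_tls_context(verify_peer: bool, verify_host: int) -> ssl.SSLContext:
    """Build an SSLContext whose settings mirror the two libcurl options."""
    if verify_host not in (0, 2):
        # The answer notes the correct "on" value is 2, not 1.
        raise ValueError("verify_host must be 0 (off) or 2 (check the name)")
    ctx = ssl.create_default_context()  # system CA store, CERT_REQUIRED, check_hostname=True
    # Python refuses check_hostname=True together with CERT_NONE, so clear it before
    # touching verify_mode and re-enable it afterwards if asked.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED if verify_peer else ssl.CERT_NONE
    if verify_host == 2:
        if not verify_peer:
            raise ValueError("a host name check is meaningless on an unverified cert")
        ctx.check_hostname = True
    return ctx


def name_matches(cert_dns_names, requested_host: str) -> bool:
    """Simplified DNS-name matching: exact match, or a wildcard covering one left-most label."""
    host = requested_host.lower().rstrip(".")
    for name in cert_dns_names:
        name = name.lower()
        if name.startswith("*."):
            same_depth = host.count(".") == name.count(".")
            if same_depth and host.endswith(name[1:]):
                return True
        elif name == host:
            return True
    return False


def accept_server(cert: dict, requested_host: str, trusted_cas, verify_peer: bool, verify_host: int) -> bool:
    """Simulated accept/reject decision. 'cert' is a constructed dict, not a real certificate."""
    if verify_peer and cert["issuer"] not in trusted_cas:
        return False          # VERIFYPEER: the ID is not one we recognise
    if verify_host == 2 and not name_matches(cert["dns_names"], requested_host):
        return False          # VERIFYHOST: the name on the ID is not who we asked for
    return True


# Constructed sample data for the demonstration.
TRUSTED_CAS = {"Example Root CA"}
BANK_CERT = {"issuer": "Example Root CA", "dns_names": ["bank.example", "www.bank.example"]}
OTHER_CERT = {"issuer": "Example Root CA", "dns_names": ["other.example"]}   # valid, but for a different name
UNTRUSTED_CERT = {"issuer": "Homemade CA", "dns_names": ["bank.example"]}   # right name, unknown issuer


def demo() -> dict:
    """Return the outcome of each combination so the effect of VERIFYHOST is visible."""
    return {
        "bank cert, both checks": accept_server(BANK_CERT, "bank.example", TRUSTED_CAS, True, 2),
        "other-name cert, both checks": accept_server(OTHER_CERT, "bank.example", TRUSTED_CAS, True, 2),
        "other-name cert, VERIFYHOST off": accept_server(OTHER_CERT, "bank.example", TRUSTED_CAS, True, 0),
        "untrusted cert, both checks": accept_server(UNTRUSTED_CERT, "bank.example", TRUSTED_CAS, True, 2),
    }


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{label}: {'accepted' if ok else 'rejected'}")
    ctx = make_tls_context(True, 2)
    print("check_hostname:", ctx.check_hostname, "verify_mode:", ctx.verify_mode)
```

The third line of `demo()` is the configuration the question asks about: the other-name certificate passes because its issuer is trusted, and nothing compares its names with `bank.example`. Real clients should keep both checks on; Python's `ssl` defaults already do, and the libcurl equivalent is `CURLOPT_SSL_VERIFYPEER` set to 1 with `CURLOPT_SSL_VERIFYHOST` set to 2.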