Hey,
So I found an interesting paper on SSL validation in non-browser clients: http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
One of the things it points out is that many clients set CURLOPT_SSL_VERIFYHOST to true. However, this actually disables certain validation steps, and the proper value for this should actually be 2. And in our CurlHttpRequest, the default for sslVerifyHost is true.
I'm going to submit a patch to change the default to 2 so that we actually perform validation, but I wanted to check and ask if there was any prior reason that we explicitly didn't set it to 2.
--
Tyler Romeo
Stevens Institute of Technology, Class of 2015
Major in Computer Science
www.whizkidztech.com | tylerromeo@gmail.com
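An added example, not part of the original message or of MediaWiki's code: a small Python audit that scans PHP source for CURLOPT_SSL_VERIFYHOST settings and flags `true`/`1` (PHP hands a boolean true to libcurl as the integer 1, not 2) as well as `0`/`false`. The sample PHP lines and the function names are constructed for illustration.

```python
import re

# Matches both curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, <value>) and the
# array form CURLOPT_SSL_VERIFYHOST => <value>, capturing <value>.
_PATTERN = re.compile(r"CURLOPT_SSL_VERIFYHOST\s*(?:,|=>)\s*([^,;)\]]+)")

def classify(value):
    """Map the PHP literal assigned to CURLOPT_SSL_VERIFYHOST to a verdict."""
    v = value.strip().strip("'\"").lower()
    if v == "2":
        return "ok"        # the value the message says is correct
    if v in ("true", "1"):
        return "weak"      # true is cast to 1, which is not the same as 2
    if v in ("false", "0", "null"):
        return "disabled"  # host name check switched off
    return "review"        # variable or expression: trace where it is set

def scan(source):
    """Return (line number, raw value, verdict) for every setting found."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in _PATTERN.finditer(line):
            raw = match.group(1).strip()
            findings.append((lineno, raw, classify(raw)))
    return findings

# Constructed sample input, not taken from any real code base.
SAMPLE_PHP = """<?php
// constructed sample for the audit below
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
$opts = [ CURLOPT_SSL_VERIFYPEER => true, CURLOPT_SSL_VERIFYHOST => 0 ];
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, $this->sslVerifyHost);
"""

if __name__ == "__main__":
    for lineno, raw, verdict in scan(SAMPLE_PHP):
        print(f"line {lineno}: CURLOPT_SSL_VERIFYHOST = {raw} -> {verdict}")
```

A "review" verdict means the value comes from a variable or property, so the default assigned to that property is what needs checking.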