Hey,
So I found an interesting paper on SSL validation in non-browser clients:
http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
One of the things it points out is that many clients set
CURLOPT_SSL_VERIFYHOST to true. However, this actually disables certain
validation steps, and the proper value for this should actually be 2. And
in our CurlHttpRequest, the default for sslVerifyHost is true.
I'm going to submit a patch to change the default to 2 so that we actually
perform validation, but I wanted to check and ask if there was any prior
reason that we explicitly didn't set it to 2.
--
Tyler Romeo
Stevens Institute of Technology, Class of 2015
Major in Computer Science
www.whizkidztech.com | tylerromeo(a)gmail.com
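The setting the message describes, shown as an added example that is not from the message or from MediaWiki's CurlHttpRequest: the weak option array beside the corrected one, plus a small guard that refuses anything other than the strict value. The URL is an assumed placeholder.

```php
<?php
// Weak configuration: `true` is cast to the integer 1, which in libcurl of
// that era only checked that the certificate carried a Common Name at all;
// the name was never compared with the host being contacted.
$weak = [
    CURLOPT_SSL_VERIFYPEER => true,
    CURLOPT_SSL_VERIFYHOST => true,   // becomes 1: hostname is NOT matched
];

// Corrected configuration: 2 makes libcurl check that the certificate's
// CN/SAN actually matches the host in the URL.
$correct = [
    CURLOPT_SSL_VERIFYPEER => true,
    CURLOPT_SSL_VERIFYHOST => 2,
];

/**
 * Build a handle only if host verification is the strict integer 2 and peer
 * verification is on. Catches a caller (or a default) quietly passing a bool.
 */
function openVerifiedHandle($url, array $opts)
{
    $verifyHost = isset($opts[CURLOPT_SSL_VERIFYHOST]) ? $opts[CURLOPT_SSL_VERIFYHOST] : 0;
    // Strict comparison: `true !== 2`, so a boolean is rejected here.
    if ($verifyHost !== 2 || empty($opts[CURLOPT_SSL_VERIFYPEER])) {
        throw new InvalidArgumentException(
            'CURLOPT_SSL_VERIFYHOST must be 2 (got ' . var_export($verifyHost, true) . ')'
        );
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, $opts);
    return $ch;
}

// Assumed placeholder URL, not a host from the message.
$url = 'https://example.invalid/';
try {
    openVerifiedHandle($url, $weak);       // throws: got true
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
$ch = openVerifiedHandle($url, $correct);  // accepted
curl_close($ch);
```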