Security consequences of disabling CURLOPT_SSL_VERIFYHOST (libcurl/openssl)

What are the security consequences of Enabling CURLOPT_SSL_VERIFYPEER and Disabling CURLOPT_SSL_VERIFYHOST?


Solution 1:

  • CURLOPT_SSL_VERIFYPEER checks that the remote certificate is valid, i.e. that you trust that it was issued by a CA you trust and that it's genuine.

  • CURLOPT_SSL_VERIFYHOST checks that the cert was issued to the entity you wanted to talk to.

To compare it to a real-life scenario, VERIFYPEER is like checking that the form of ID is one that you recognise (i.e. passport from a country you trust, staff card from a company you know, ...). VERIFYHOST is like checking the actual name on the card matches who you wanted to talk to.

If you don't use VERIFYHOST (the correct value is 2, not 1, btw), you disable host name verification and open the door to MITM attacks: anyone with a form of ID you trust can impersonate anyone within the set of IDs you trust, e.g. anyone with a valid passport could pretend they're anyone else with a valid passport.