[luckylion]

Any predictions how much the usage of CURLOPT_SSL_VERIFYPEER, false will increase in the next 7 days?

[josephcsible]

IMO, there's a bit of a design flaw with curl here. There should be an easy flag to say "trust the particular certificate with this hash, no matter what's wrong with it", but there isn't, so people instead use the one that says "trust whatever certificate you get, no matter what's wrong with it".

[user5994461]

Trusting a specific hash would blow up when the service rotate its self-signed certificate, defeating the point of ignoring certificate error.

[josephcsible]

If you're rotating a self-signed certificate, then how do you suppose that clients securely trust it? Or if you just mean replacing it when it expires, then this could instead be tied to the underlying public key alone, which can be reused.

[pornel]

If your clients support "rotating" self-signed certs just like that, it's a huge MITM vulnerability and makes HTTPS as secure as a TSA checkpoint.

[gregmac]

Yikes.. yeah, if you're going to do this, consider wrapping it in an `if (date < 2020-06-15)` and be sure to fix it properly before then. This reduces the ability to just forget about it (or have the fix constantly deprioritized) and leave your software with a security vulnerablty.

[elithrar]

Predictions? https://github.com/search?o=desc&q=SSL+verify&s=committer-da...

:)