From 60074b37a2623b187c6a3e7903443df00d633e33 Mon Sep 17 00:00:00 2001
From: Andreas Baumann
Date: Tue, 29 Sep 2009 06:46:24 +0000
Subject: changed insecure and verify-host options to negative, default is DO verification
---
 src/check_curl.c | 19 ++++++++++---------
 src/check_curl.ggo | 4 ++--
 2 files changed, 12 insertions(+), 11 deletions(-)
diff --git a/src/check_curl.c b/src/check_curl.c
index cfef2cf..774e9ec 100644
--- a/src/check_curl.c
+++ b/src/check_curl.c
@@ -161,21 +161,22 @@ int main( int argc, char *argv[] ) {
 }
 /* --cacert: CA certificate file to verify SSL connection against (SSL) */
- curl_easy_setopt( curl, CURLOPT_SSL_VERIFYHOST, 2 );
 if( args_info.cacert_given ) {
 curl_easy_setopt( curl, CURLOPT_CAINFO, args_info.cacert_arg );
- curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1 );
+ /* per default if we have a CA verify both the peer and the
+ * hostname in the certificate, can be switched off later */
+ curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 2 );
+ curl_easy_setopt( curl, CURLOPT_SSL_VERIFYHOST, 2 );
 }
- /* --insecure: choose level of CA chain validation (SSL) */
- if( args_info.insecure_given ) {
- curl_easy_setopt( curl, CURLOPT_SSL_VERIFYPEER, 0 );
+ /* --no-verify-peer: choose level of CA chain validation (SSL) */
+ if( args_info.no_verify_peer_given ) {
+ curl_easy_setopt( curl, CURLOPT_SSL_VERIFYPEER, 1 );
+ }
- /* --verify-host: make it an additional option, not as in curl! (SSL) */
+ /* --no-verify-host: make it an additional option, not as in curl! (SSL) */
+ if( args_info.no_verify_host_given ) {
 curl_easy_setopt( curl, CURLOPT_SSL_VERIFYHOST, 1 );
- if( args_info.verify_host_given ) {
- curl_easy_setopt( curl, CURLOPT_SSL_VERIFYHOST, 2 );
- }
 }
 /* --cert: client certificate to present to server (SSL) */
diff --git a/src/check_curl.ggo b/src/check_curl.ggo
index da5d116..4207e85 100644
--- a/src/check_curl.ggo
+++ b/src/check_curl.ggo
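Review bot: The new `--no-verify-peer` branch sets `CURLOPT_SSL_VERIFYPEER` to `1`, which libcurl reads as "verify" (the option is a boolean, only `0` switches chain validation off), so the flag has no effect; the `2` written in the `cacert_given` branch is likewise just "on". I would write `curl_easy_setopt( curl, CURLOPT_SSL_VERIFYPEER, 1L );` under `cacert_given` and `curl_easy_setopt( curl, CURLOPT_SSL_VERIFYPEER, 0L );` under `no_verify_peer_given`, with the `L` suffix because `curl_easy_setopt` is variadic and takes these values as `long`. For `--no-verify-host`, the value `1` is rejected or treated like `2` by later libcurl releases, so `0L` is the value that reliably means "skip the name check". Both options are now set explicitly only when `--cacert` is given, so without it the "default is DO verification" behaviour rests on libcurl's built-in defaults; setting them before the `cacert_given` test would make that explicit. The body of `main` starts and ends outside this hunk, so any later override is not visible here.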
@@ -94,10 +94,10 @@ option "useragent" A "String to be sent in http header as \"User Agent\"" typestr="STRING" optional -option "insecure" - "Allow connections to SSL sites without certs (SSL)" +option "no-verify-peer" - "Allow connections to SSL sites without certs (SSL)" optional -option "verify-host" - "Verify that the host and the certificate host match (SSL)" +option "no-verify-host" - "Don't verify that the host and the certificate host match (SSL)" optional option "cacert" - "CA certificate to verify peer against (SSL)" -- cgit v1.2.3-54-g00ecf
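Review bot: The description kept for the renamed `no-verify-peer` option, "Allow connections to SSL sites without certs (SSL)", does not say that the flag turns off CA chain validation, which is what an operator needs to know before adding it to a service check. Wording such as `"Don't verify the peer certificate against the CA (SSL)"` would match the style already used for `no-verify-host`. The old names `insecure` and `verify-host` are dropped without an alias, so existing command definitions will presumably stop parsing until they are updated; that deserves a line in the change notes.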