ducaale/xh

no-verify not the same as curl --insecure


When connecting to a self-signed cert with an unknown issuer, passing --no-verify still throws this error:

error trying to connect: invalid peer certificate contents: invalid peer certificate: UnknownIssuer

When I run the same command with curl --insecure, it works.

I don't have a great understanding of SSL, so appreciate any insight here.

The option you need is --verify=no.

This is a nasty gotcha in the way we interpret options. --no-verify means "ignore all --verify options that came before", like --no-session, --no-auth, etcetera. (We inherited this from HTTPie.)


Maybe we should print a warning/suggestion if a TLS error happens and you passed --no-verify without a --verify to cancel out.

> Maybe we should print a warning/suggestion if a TLS error happens and you passed --no-verify without a --verify to cancel out.

Something like this could also be helpful if we add cURL's --noproxy option (disables system proxy), which is too similar to --proxy's negation flag, i.e. --no-proxy. However, I don't know if we can reliably check the error in this case.

Would it be enough to print a warning as soon as we detect a negation flag has no effect and is too similar to another flag?
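
The negation semantics and the parse-time warning discussed in this thread, as an added example that is not part of the original issue and is not xh's own code. All function and type names are hypothetical, and only the `--verify=VALUE` spelling is handled.

```rust
// Added illustration of the flag semantics discussed in this thread.
// This is NOT xh's argument parser; every name here is hypothetical.

/// Result of scanning the arguments. `verify == None` means "unset",
/// so the default applies: certificates ARE verified.
#[derive(Debug, PartialEq)]
struct Resolved {
    verify: Option<String>,
    warnings: Vec<String>,
}

fn resolve_verify(args: &[&str]) -> Resolved {
    let mut verify: Option<String> = None;
    let mut warnings = Vec::new();
    for arg in args {
        if let Some(value) = arg.strip_prefix("--verify=") {
            verify = Some(value.to_string());
        } else if *arg == "--no-verify" {
            // The negation flag only resets an earlier --verify.
            // With nothing to reset it is a no-op, so flag it right away.
            if verify.is_none() {
                warnings.push(
                    "--no-verify has no effect here; to skip certificate \
                     verification use --verify=no".to_string(),
                );
            }
            verify = None;
        }
    }
    Resolved { verify, warnings }
}

/// Certificate checking is skipped only when the effective value is "no".
fn certificate_check_enabled(r: &Resolved) -> bool {
    r.verify.as_deref() != Some("no")
}

fn main() {
    // Constructed command lines; the host name is a placeholder.
    for args in [
        vec!["--no-verify", "https://self-signed.example"],
        vec!["--verify=no", "https://self-signed.example"],
        vec!["--verify=no", "--no-verify", "https://self-signed.example"],
    ] {
        let r = resolve_verify(&args);
        println!("{:?} -> check enabled: {}", args, certificate_check_enabled(&r));
        for w in &r.warnings {
            eprintln!("warning: {}", w);
        }
    }
}
```
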