On Tue, Sep 23, 2014 at 12:42:21PM -0400, Karl Dahlke wrote:
> > So the open question is whether CURLOPT_VERIFYHOST
> > should always match CURLOPT_VERIFYPEER?
> 
> Probably yes, as long as curl understands wild card certificates,
> wherein *.foobar.com matches www.foobar.com.
> I used such a certificate at my last job and it sure was convenient,
> and cheaper than buying a certificate for each subdomain.

I'd say the two should always match as well,
otherwise the behavior is counter-intuative (assuming curl treats the options separately)
particularly when using self-signed certs simply to get the encryption provided by ssl.
At the end of the day, when I switch off ssl verification I expect edbrowse to
behave like curl with the --insecure option, i.e.
do ssl regardless of whether the certificate can be verified.

Incidentally, the afore mentioned curl option works with the systems which
caused me to notice this bug.

Cheers,
Adam.