[Ur] Using Persona Authentication API

Chris Double chris.double at double.co.nz
Tue Dec 10 17:37:42 EST 2013


On Wed, Dec 11, 2013 at 8:14 AM, Sergey Mironov <grrwlf at gmail.com> wrote:
> It is possible to work around it by changing CURLOPT_SSL_VERIFYPEER to
> 0. This probably means that I don't have some important certificates
> installed (I'm not an SSL expert, so I may be wrong). Can anybody
> advise me what to check first?

The verify peer check is from a recommendation in the Persona
'Security Considerations' document:

<https://developer.mozilla.org/en/Persona/Security_Considerations>
  "You must ensure that your HTTPS request verifies the certificate
sent from the server against a trusted root certificate. If you don't,
then an attacker could pose as verifier.login.persona.org and issue
false verifications."

If you are on Linux you can update the certificate store that cURL
uses by following this:

<http://www.mylinuxguide.com/ssl-root-certificate-update-in-linux-for-curl/>

Chris.
-- 
http://www.bluishcoder.co.nz
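
An added example, not part of the original message or of the Ur/Web code: assuming the `openssl` CLI is installed, it reproduces the peer-verification failure offline with constructed throwaway certificates and shows that adding the missing root to the CA bundle makes the check pass with verification still enabled. The function names and certificate subjects are hypothetical.

```shell
#!/bin/sh
# All keys and certificates below are constructed test material.

# make_ca DIR NAME: create a self-signed root DIR/NAME.pem (key in DIR/NAME.key).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Root $2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# make_leaf DIR CA: issue DIR/leaf.pem, signed by the root named CA.
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=verifier.example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -days 1 \
        -CA "$1/$2.pem" -CAkey "$1/$2.key" -CAcreateserial \
        -out "$1/leaf.pem" 2>/dev/null
}

# chain_ok BUNDLE CERT: succeed only if CERT chains to a root found in BUNDLE.
# This is the same kind of check CURLOPT_SSL_VERIFYPEER performs on the server.
chain_ok() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# demo: verify the leaf before and after its issuing root is in the bundle.
demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" rootA && make_ca "$d" rootB && make_leaf "$d" rootA || return 1
    cp "$d/rootB.pem" "$d/bundle.pem"        # bundle lacks the issuing root
    chain_ok "$d/bundle.pem" "$d/leaf.pem" && before=ok || before=fail
    cat "$d/rootA.pem" >> "$d/bundle.pem"    # add the missing root
    chain_ok "$d/bundle.pem" "$d/leaf.pem" && after=ok || after=fail
    rm -rf "$d"
    echo "before=$before after=$after"
}

demo
```

On a real system, `curl-config --ca` prints the default bundle path compiled into cURL, and `curl --cacert FILE` (or `CURLOPT_CAINFO` in libcurl) points a request at a specific bundle.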


