Bug #18890
Updated by Ward Vandewege about 2 years ago
ARVADOS_API_HOST_INSECURE is interpreted in our codebase as "do not validate TLS certificate validity". This includes "do not check if the hostname matches the name on the certificate".
The Python SDK keep code is a bit of an outlier, because it only disables @pycurl.SSL_VERIFYPEER@ when @ARVADOS_API_HOST_INSECURE@ is set, which means the certificate validity check is disabled, but the hostname on the certificate still needs to match the hostname connected to.
libcurl has another flag to disable the hostname check, @pycurl.SSL_VERIFYHOST@ (it's called @CURLOPT_SSL_VERIFYHOST@ in https://curl.se/libcurl/c/curl_easy_setopt.html).
We should also disable @pycurl.SSL_VERIFYHOST@ when @ARVADOS_API_HOST_INSECURE@ is set, for consistency's sake.