The documentation for CURLOPT_PINNEDPUBLICKEY available at:
Does not state what happens when
BOTH CURLOPT_SSL_VERIFYHOST == 0 AND CURLOPT_SSL_VERIFYPEER == 0.
This is bad because curl (at least vtls/openssl.c) ignores the pinned public
key (other than to emit a verbose mode message) when VERIFYHOST and VERIFYPEER
For example (using curl 7.40 built with OpenSSL):
    cd /tmp
    openssl genrsa | openssl rsa -pubout > dummykey.pem
    curl -vI --pinnedpubkey dummykey.pem https://github.com/
This appears in the output:
    * SSL: public key does not match pinned public key!
    curl: (90) SSL: public key does not match pinned public key!
and curl's exit status is 90. However, if we repeat like so:
    curl -vI -k --pinnedpubkey dummykey.pem https://github.com/
Then only this appears in the output:
    * SSL: public key does not match pinned public key!
And curl's exit status is 0.
That is completely unexpected and not mentioned anywhere in the docs for CURLOPT_PINNEDPUBLICKEY, so either it's a bug or the docs are wrong. And while you might also want to VERIFYHOST when using a pinned public key, that shouldn't be required to use one.
Please take appropriate action. I'm inclined to believe it's a bug because the whole point of using pinned public keys is so that you can completely ignore trusted root certificates etc. in favor of a pinned public key.
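As an added illustration (not part of the report or of curl's code), the following script does offline what a pinned-public-key check amounts to: it hashes the DER SubjectPublicKeyInfo of the key in a certificate and of the pinned key and compares the two. The comparison depends on neither chain nor hostname verification, which is why disabling those with -k gives no reason to skip it. It assumes an `openssl` binary on PATH and generates its own test data, including a dummy key made the same way as in the report.

```shell
#!/bin/sh
# Added example: the byte-for-byte comparison behind a public key pin.
set -u

# Base64 SHA-256 of the DER SPKI of a PEM public key file
# (the form later curl versions accept as sha256//<base64>).
spki_pin() {
    openssl pkey -pubin -in "$1" -outform DER \
        | openssl dgst -sha256 -binary | openssl enc -base64 -A
}

# Same digest for the public key inside a PEM X.509 certificate.
cert_pin() {
    openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -binary | openssl enc -base64 -A
}

# pin_check CERT PUBKEY: exit 0 if the certificate's key equals the pinned key,
# 1 otherwise. Nothing here looks at trusted roots or the hostname.
pin_check() {
    [ "$(cert_pin "$1")" = "$(spki_pin "$2")" ]
}

WORK=$(mktemp -d)
# Constructed test data: a self-signed cert, its own public key (should match),
# and an unrelated dummy key generated as in the report (should not match).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=localhost \
    -keyout "$WORK/server.key" -out "$WORK/server.crt" 2>/dev/null
openssl pkey -in "$WORK/server.key" -pubout -out "$WORK/server.pub"
openssl genrsa 2048 2>/dev/null | openssl rsa -pubout -out "$WORK/dummykey.pem" 2>/dev/null

for key in server.pub dummykey.pem; do
    if pin_check "$WORK/server.crt" "$WORK/$key"; then
        echo "$key: public key matches pinned public key"
    else
        echo "$key: public key does not match pinned public key (curl exits 90)"
    fi
done
```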