I am trying to write a pycurl script to access a secured site (HTTPS).
c = pycurl.Curl()
c.setopt(pycurl.USERAGENT, 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0')
You are right, the way you are doing it subjects you to a man-in-the-middle attack, especially in light of the most recent SSL vulnerabilities. You can resolve it as follows:
import pycurl
curl = pycurl.Curl()
curl.setopt(pycurl.URL, "https://your-secure-website.com/")
curl.setopt(pycurl.SSL_VERIFYPEER, 1)
curl.setopt(pycurl.SSL_VERIFYHOST, 2)
curl.setopt(pycurl.CAINFO, "/path/to/updated-certificate-chain.crt")
curl.perform()
curl by default comes with an outdated certificate list. Whether you want to update it or just use your own certs for testing, make sure to place the updated-certificate-chain.crt file in an accessible location and use the pycurl.CAINFO option to point to it.
Also make sure pycurl.SSL_VERIFYHOST is set to 2, the highest security check setting.
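As an added example (not part of the original answer), the sketch below checks the file passed to pycurl.CAINFO before any request is made, then performs the request with the same verification options as above and lets a verification failure propagate. The helper names check_ca_bundle and fetch_verified are hypothetical, and the bundle check uses Python's standard ssl module rather than anything pycurl provides.

```python
import os
import ssl
import time
from io import BytesIO


def check_ca_bundle(path, now=None):
    """Return a list of problems with a PEM bundle meant for pycurl.CAINFO."""
    if not os.path.isfile(path):
        return ["bundle not found or not a regular file: %s" % path]
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=path)
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return ["bundle is not loadable as PEM: %s" % exc]
    certs = ctx.get_ca_certs()  # only certificates marked as CAs are listed
    if not certs:
        return ["bundle contains no CA certificates"]
    now = time.time() if now is None else now
    return ["expired CA certificate: %r" % (cert.get("subject"),)
            for cert in certs
            if ssl.cert_time_to_seconds(cert["notAfter"]) < now]


def fetch_verified(url, cafile):
    """Fetch url with peer and hostname verification against cafile only."""
    problems = check_ca_bundle(cafile)
    if problems:
        raise ValueError("refusing to use CA bundle: " + "; ".join(problems))
    import pycurl  # imported late so the bundle check runs without pycurl
    body = BytesIO()
    curl = pycurl.Curl()
    try:
        curl.setopt(pycurl.URL, url)
        curl.setopt(pycurl.SSL_VERIFYPEER, 1)  # validate the certificate chain
        curl.setopt(pycurl.SSL_VERIFYHOST, 2)  # certificate must match the host
        curl.setopt(pycurl.CAINFO, cafile)
        curl.setopt(pycurl.WRITEDATA, body)
        curl.perform()  # raises pycurl.error if verification fails
    finally:
        curl.close()
    return body.getvalue()
```

A pycurl.error raised by perform() should be treated as a failed request; retrying with verification switched off would reintroduce the man-in-the-middle exposure.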