no-verify not the same as curl --insecure

[jedahan]

when connecting to a self signed cert with an unknown issuer, passing --no-verify still throws this error:

error trying to connect: invalid peer certificate contents: invalid peer certificate: UnknownIssuer

When I run the same command with curl --insecure, it works.

I don't have a great understanding of SSL, so appreciate any insight here.

[blyxxyz]

The option you need is --verify=no.

This is a nasty gotcha in the way we interpret options. --no-verify means "ignore all --verify options that came before", like --no-session, --no-auth, etcetera. (We inherited this from HTTPie.)

---

Maybe we should print a warning/suggestion if a TLS error happens and you passed --no-verify without a --verify to cancel out.

[ducaale]

Maybe we should print a warning/suggestion if a TLS error happens and you passed --no-verify without a --verify to cancel out.

Something like this could also be helpful if we add cURL's --noproxy option (disables system proxy), which is too similar to --proxy's negation flag i.e --no-proxy. However, I don't know if we can reliably check the error in this case.

Would it be enough to print a warning as soon we detect a negation flag has no effect and is too similar to another flag?