I need to send an HTTPS POST to an external server. Is it best practice to first verify the external peer and then afterwards send the POST data in a separate request? Or is it OK to ask to verify the peer and send the POST data in the same request? I'm using pycurl if that helps any. Thanks for any help.
From the CURL docs:
When CURLOPT_SSL_VERIFYPEER is nonzero, and the verification fails to prove that the certificate is authentic, the connection fails. When the option is zero, the peer certificate verification succeeds regardless.
The SSL negotiation phase happens before any data is sent, so if the external peer fails to verify, the connection will fail before any data is sent. It should be OK to do it all as one request.
SSL -- Negotiation Phase http://www.ietf.org/proceedings/32/sec/cat.elgamal.slides.html
- The client initiates the session
- The server responds and sends its certificate
- The client generates the master key and sends it encrypted using the server's public key
- Requires a server certificate but does not require a client certificate
- Requires a certain level of trust in the server's certificate
- Optional client certificate can be used to authenticate the client to the server
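The ordering described in the answer, as an added example that is not part of the original answer: a single verified POST is aimed at a local listener that cannot complete the TLS handshake, and everything the listener receives is recorded. It uses Python's standard `ssl` and `http.client` rather than pycurl so it runs offline; the listener, `SECRET_BODY`, the `/submit` path and the function names are constructed for the illustration.

```python
import http.client
import socket
import ssl
import threading

SECRET_BODY = b"account=constructed-sample&pin=0000"  # constructed POST data


def _untrusted_peer(listener, seen):
    """Constructed stand-in peer: records every byte, never completes TLS."""
    try:
        conn, _ = listener.accept()
        with conn:
            conn.settimeout(2)
            seen.append(conn.recv(65536))           # the ClientHello
            conn.sendall(b"not a TLS handshake\n")  # negotiation cannot succeed
            while chunk := conn.recv(65536):        # anything the client sends later
                seen.append(chunk)
    except OSError:
        pass  # timeout or reset: nothing more to record


def post_with_verification():
    """Send one verified POST; return (exception or None, bytes the peer saw)."""
    listener = socket.create_server(("127.0.0.1", 0))
    listener.settimeout(5)
    port = listener.getsockname()[1]
    seen = []
    peer = threading.Thread(target=_untrusted_peer, args=(listener, seen))
    peer.start()

    # Default context = CERT_REQUIRED plus hostname checking, the stdlib
    # counterpart of pycurl's SSL_VERIFYPEER=1 and SSL_VERIFYHOST=2.
    ctx = ssl.create_default_context()
    client = http.client.HTTPSConnection("127.0.0.1", port, context=ctx, timeout=5)
    error = None
    try:
        # request() negotiates TLS first; headers and body are written only
        # after the handshake (including certificate checks) has succeeded.
        client.request("POST", "/submit", body=SECRET_BODY)
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        error = exc
    finally:
        client.close()
        peer.join()
        listener.close()
    return error, b"".join(seen)
```

The peer's capture contains only handshake bytes; neither the request line nor the body ever reaches it.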