I did this

The documentation for CURLOPT_SSL_VERIFYHOST (https://curl.se/libcurl/c/CURLOPT_SSL_VERIFYHOST.html) says that it applies to TLS protocols. It speaks about certificates and what fields in the certificates are examined. It doesn't mention SSH or the sftp protocol at all.

Since c92d2e1 this setting is also used by SSH, at least when using the libssh backend. It is somewhat surprising that changing a CURLOPT_SSL_* setting could affect an sftp:// connection. I would have assumed that this setting could only impact SSL/TLS connections and that the settings that affected an SSH connection would all match CURLOPT_SSH_*.

The fact that this setting is used by SSH should be documented. The documentation should also describe exactly what this setting does for SSH. The existing documentation which refers to certificates is not adequate since the SSH verification code does not deal with certificates. The interaction with CURLOPT_SSH_KNOWNHOSTS, CURLOPT_SSH_HOST_PUBLIC_KEY_MD5, CURLOPT_SSH_KEYFUNCTION, etc. should probably also be described somewhere.

Alternatively, maybe this setting should not be used by the libssh backend. That would restore parity with the libssh2 backend. It would also fix the documentation for https://curl.se/libcurl/c/CURLOPT_SSH_KNOWNHOSTS.html which currently implies that not setting this option will not perform known host checking. I think that's true for the libssh2 backend, but not true for the libssh backend.

Possibly tangentially related: https://curl.se/libcurl/c/CURLOPT_SSH_KEYFUNCTION.html claims that "The callback is only called if CURLOPT_SSH_KNOWNHOSTS is also set." which I think is true for libssh2 but not true for libssh.

I expected the following

No response

curl/libcurl version

git HEAD

operating system

N/A