Is it possible to set up a lighttpd server and a curl client so that both the client and the server verify each other's self-signed SSL certificate but the file is downloaded without SSL encryption?
How can I set this up?
Technically, it's possible to configure the OpenSSL library not to use any encryption (SSL_RSA_WITH_NULL_MD5, SSL_RSA_WITH_NULL_SHA and similar), but it doesn't make any sense from a security point of view: that would make it wide open to a man-in-the-middle attack.
I checked the lighttpd documentation and it doesn't seem that you can pass it an OpenSSL cipher suite constant directly. You might want to try it, though.
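An added example, not part of the original question or answer: lighttpd's `ssl.cipher-list` directive takes an OpenSSL cipher string, in which the suites named above appear as `NULL-MD5` and `NULL-SHA`, and this Python audit flags directives that leave such unencrypted suites enabled. The left-to-right evaluation is a simplified model of OpenSSL's cipher-string rules, the function names are hypothetical, and the sample configuration is constructed.

```python
import re

# Keywords selecting every suite with no encryption (authentication + MAC only).
NULL_KEYWORDS = {"eNULL", "NULL", "COMPLEMENTOFALL"}
DIRECTIVE = re.compile(r'^[ \t]*ssl\.cipher-list\s*=\s*"([^"]*)"', re.M)

# Constructed excerpt of a lighttpd configuration (not from the original post).
SAMPLE_CONF = '''\
$SERVER["socket"] == ":443" {
    ssl.cipher-list = "HIGH:!aNULL:NULL-SHA"
}
$SERVER["socket"] == ":8443" {
    ssl.cipher-list = "ALL:eNULL:!eNULL"
}
'''

def selects_null(name):
    """True if an element names unencrypted suites; aNULL (no authentication) is not matched."""
    return any(p in NULL_KEYWORDS or re.search(r"(^|-)NULL(-|$)", p)
               for p in name.split("+"))  # '+' inside an element is a logical AND

def null_cipher_elements(cipher_string):
    """Elements that leave unencrypted suites enabled; only NULL-naming removals are tracked."""
    enabled, banned_all, banned = [], False, set()
    for element in filter(None, re.split(r"[:, ]+", cipher_string.strip())):
        prefix = element[0] if element[0] in "!-+" else ""
        name = element[len(prefix):]
        if not selects_null(name) or prefix == "+":   # a leading '+' only reorders
            continue
        if prefix in ("!", "-"):
            everything = name in NULL_KEYWORDS
            enabled = [] if everything else [e for e in enabled if e != name]
            if prefix == "!":                          # '!' removals are permanent
                banned_all = banned_all or everything
                banned.add(name)
        elif not banned_all and name not in banned:
            enabled.append(name)
    return enabled

def audit_lighttpd(conf_text):
    """Return (line_number, offending_elements) for each ssl.cipher-list directive at risk."""
    hits = ((conf_text.count("\n", 0, m.start()) + 1, null_cipher_elements(m.group(1)))
            for m in DIRECTIVE.finditer(conf_text))
    return [(line, bad) for line, bad in hits if bad]

if __name__ == "__main__":
    for line, bad in audit_lighttpd(SAMPLE_CONF):
        print(f"line {line}: unencrypted suites enabled by {bad}")
```

The model can over-report, because removals that do not name NULL suites (for example `!RSA`) are not tracked.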