in apt-https Verify-Peer does not fail a connection on error

Description: Ubuntu 10.04.3 LTS
Release: 10.04
Package: apt-transport-https (0.7.25.3ubuntu9.7)

I have enabled Verify-Peer in the https options for apt. The debug reads as follows:

Trying 192.168.234.53... connected
  Connected to 192.168.234.53 (192.168.234.53) port 443 (#0)
 found 149 certificates in /etc/ssl/certs/ca-certificates.crt
 SSL re-using session ID
        server certificate verification OK
        common name: 127.0.0.1 (does not match '192.168.234.53')
        server certificate expiration date OK
        server certificate activation date OK
        certificate public key: RSA
        certificate version: #3
        subject: CN=127.0.0.1
        start date: Fri, 30 Sep 2011 14:55:55 GMT
        expire date: Sun, 29 Sep 2013 14:55:55 GMT

When checking the source I can see, that the following code is executed:

   // ... and hostname against cert CN or subjectAltName
   int default_verify = 2;
   bool verify = _config->FindB("Acquire::https::Verify-Host",true);
   knob = "Acquire::https::"+remotehost+"::Verify-Host";
   verify = _config->FindB(knob.c_str(),verify);
   if (!verify)
      default_verify = 0;
   curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, verify);

According to documentation the CURLOPT_SSL_VERIFYHOST accepts the values 0, 1 and 2. The value 1 is not recommended, as it flags the non-matching hostname, but does not fail the connection.
The variable "default_verify" is set to 2 or 0 in the above code, but is not used. Instead the boolean variable "verify" is used in the call to set CURLOPT_SSL_VERIFYHOST.

Probably the default_verify should be used in this call.

As the connection is not failed (but only logged), this might result in an connection to an unwanted host, thus the security vulnerability.