
"The Most Dangerous Code in the World"

From: Daniel Stenberg <>
Date: Wed, 24 Oct 2012 22:45:17 +0200 (CEST)

Hi friends,

"The Most Dangerous Code in the World: Validating SSL Certificates in
Non-Browser Software" is a report from 6 authors I noticed today:

Among many things it has the following charming remark about libcurl's API:
"This interface is almost perversely bad."

From what I understand, the single reason behind that statement is that we
have the CURLOPT_SSL_VERIFYHOST option which takes a three-value option and
not just a boolean. The authors found several source codes that treated it as
a boolean and set it to TRUE (== 1) and thus it doesn't check the certificate

So instead of posting a patch to us, instead of mailing us a suggestion,
instead of posting a bug report they write this document.

Received on 2012-10-24
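An added example, not part of Daniel's mail or of curl itself: a small audit script that scans C source for curl_easy_setopt calls that set CURLOPT_SSL_VERIFYHOST the "boolean" way described above (1 / TRUE), alongside calls that disable the check or pass the value 2 that actually verifies the host name. The sample source lines are constructed, and the verdict labels are my own naming.

```python
import re

# Matches a one-line curl_easy_setopt(handle, CURLOPT_SSL_VERIFYHOST, <value>) call
# and captures the value argument (the handle expression may be anything without a comma).
_SETOPT = re.compile(
    r"curl_easy_setopt\s*\(\s*[^,]+,\s*CURLOPT_SSL_VERIFYHOST\s*,\s*([^)]+?)\s*\)"
)

# Spellings callers use when they wrongly treat the three-valued option as a boolean.
_BOOL_TRUE = {"1", "1L", "TRUE", "true"}
# Spellings that switch host-name verification off entirely.
_OFF = {"0", "0L", "FALSE", "false"}
# The value that makes libcurl check the certificate name against the host.
_VERIFY = {"2", "2L"}


def classify_verifyhost(value: str) -> str:
    """Map the literal passed for CURLOPT_SSL_VERIFYHOST to a verdict label."""
    v = value.strip()
    if v in _OFF:
        return "disabled"        # host name is never compared
    if v in _BOOL_TRUE:
        return "boolean-misuse"  # TRUE == 1: the mistake the report points at
    if v in _VERIFY:
        return "ok"              # 2: name in the certificate must match the host
    return "unknown"             # variable, macro or expression: review by hand


def audit_source(text: str):
    """Return (line_no, value, verdict) for every CURLOPT_SSL_VERIFYHOST call found."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = _SETOPT.search(line)
        if m:
            findings.append((n, m.group(1).strip(), classify_verifyhost(m.group(1))))
    return findings


# Constructed sample: five calls a reviewer might meet in application code.
SAMPLE = """/* constructed sample, not real project code */
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, TRUE);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 1L);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2L);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L);
curl_easy_setopt(h, CURLOPT_SSL_VERIFYHOST, strict ? 2L : 0L);
"""

if __name__ == "__main__":
    for line_no, value, verdict in audit_source(SAMPLE):
        print(f"line {line_no}: VERIFYHOST = {value!r:<18} -> {verdict}")
```

Multi-line setopt calls are not matched; extend the regex with re.DOTALL over the whole file if your code base formats them that way.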