cURL / Mailing Lists / curl-library / Single Mail


Re: "The Most Dangerous Code in the World"

From: Daniel Stenberg <>
Date: Mon, 29 Oct 2012 13:42:01 +0100 (CET)

On Mon, 29 Oct 2012, Oscar Koeroo wrote:

> I've send an email yesterday evening about all the various backends and how
> they implement, for example, RFC2818 compliance and in particular I checked
> how this VERIFYHOST setting is actually used and I'd like to propose the
> removal or muting (for backwards compatibility) of the use of the VERIFYHOST
> setting completely.

Sorry, but that's not now I read it and I disagree. I'm all for removing the
difference between 1 and 2, which is what I'm suggesting and read your
excellent write-up as backing up my position.

I did not see a motivation to completely remove the support to disable the
host name verification. Can you elaborate on why you think we should or need
to do that?

That feature is WIDELY used and thus we simply cannot do that without an
SONAME bump and that is a major headache and road block.

List admin:
Received on 2012-10-29