curl-library

Re: "The Most Dangerous Code in the World"

From: Alessandro Ghedini <al3xbio_at_gmail.com>
Date: Tue, 30 Oct 2012 11:52:19 +0100

On Mon, Oct 29, 2012 at 10:23:03PM +0100, Oscar Koeroo wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 29-10-12 21:43, Alessandro Ghedini wrote:
> > Anyway, I just ran a quick grep on all the sources of the packages that
> > build depend on libcurl and those that explicitly set
> > CURLOPT_SSL_VERIFYPEER are very few, even less those that set it to 1
> > (possibly 5-6). This said I still have to check those that use
> > php5-curl, pycurl, ... (but there aren't many).
> >
> > So, overall I think the impact of the change could be much lower than I
> > thought and the testing/fixing part won't take very much (I hope).
>
> Did you check if these applications deviated from the libcurl defaults? I'm
> interested which deviated from the default libcurl package into either
> specifically GnuTLS or OpenSSL.

I'm not sure I understand what you mean by "into either GnuTLS or OpenSSL". What
I've done is check which applications explicitly set the CURLOPT_SSL_VERIFYHOST
option and see which of those set it to 1 (the packages list is not divided into
which use GnuTLS or OpenSSL, but that could be done easily if needed).

Cheers

-- 
perl -E '$_=q;$/= @{[@_]};and s;\S+;<inidehG ordnasselA>;eg;say~~reverse'

Received on 2012-10-30
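
The audit described in the message above (find the callers that set the verification options explicitly, then look at the values), as an added example that is not part of the original mail or of the curl project. It assumes the behaviour of libcurl releases of that period, where only CURLOPT_SSL_VERIFYHOST set to 2 matched the certificate name against the host; the regex, verdict labels and sample lines are constructed for illustration.

```python
import re

# Finds C curl_easy_setopt(h, CURLOPT_SSL_VERIFYHOST, 1L), PHP
# curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false) and pycurl
# c.setopt(pycurl.SSL_VERIFYHOST, 1); the value is the last argument.
SETOPT = re.compile(
    r"setopt\s*\(\s*(?:[^,()]+,\s*)?"      # optional handle argument
    r"(?:\w+\.)?(?:CURLOPT_)?SSL_(VERIFYPEER|VERIFYHOST)\s*,"
    r"\s*([^,()]+?)\s*\)")

def classify(option, raw):
    """Verdict for one explicit setting (labels are this example's own)."""
    v = re.sub(r"(?<=\d)[lL]$", "", raw)            # 1L -> 1
    v = {"true": "1", "false": "0"}.get(v.lower(), v)
    if v == "0":
        return "disabled"
    if option == "VERIFYHOST":
        # Assumption from the lead-in: only 2 matches the name against the host.
        return {"2": "ok", "1": "no-hostname-match"}.get(v, "review")
    return "ok" if v == "1" else "review"

def audit(text):
    """Return (line, option, raw value, verdict) for every explicit set."""
    hits = []
    for m in SETOPT.finditer(text):
        line = text.count("\n", 0, m.start()) + 1
        hits.append((line, m.group(1), m.group(2), classify(*m.groups())))
    return hits

# Constructed sample input, not taken from any real package.
SAMPLE = """\
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 1L);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
c.setopt(pycurl.SSL_VERIFYHOST, 2)
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST,
                 verify_flag);
"""

if __name__ == "__main__":
    for line, option, raw, verdict in audit(SAMPLE):
        print(f"{line}: {option} = {raw} -> {verdict}")
```

Calls whose value is a variable come back as "review", since a grep-style scan cannot tell what they evaluate to at run time.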