cURL / Mailing Lists / curl-library / Single Mail


Re: "The Most Dangerous Code in the World"

From: Alessandro Ghedini <>
Date: Tue, 30 Oct 2012 11:52:19 +0100

On Mon, Oct 29, 2012 at 10:23:03PM +0100, Oscar Koeroo wrote:
> Hash: SHA1
> On 29-10-12 21:43, Alessandro Ghedini wrote:
> > Anyway, I just run a quick grep on all the sources of the packages that
> > build depend on libcurl and those that explicitly set
> > CURLOPT_SSL_VERIFYPEER are very few, even less those that set it to 1
> > (possibily 5-6). This said I still have to check those that use
> > php5-curl, pycurl, ... (but there aren't many).
> >
> > So, overall I think the impact of the change could be much lower than I
> > thought and the testing/fixing part won't take very much (I hope).
> Did you check if these application deviated from the libcurl defaults? I'm
> interested which deviated from the default libcurl package into either
> specifically GnuTLS or OpenSSL.

I'm not sure I understand what you mean by "into either GnuTLS or OpenSSL". What
I've done is checking what applications explicitly set the CURLOPT_SSL_VERIFYHOST
option and see which of those set it to 1 (the packages list is not divided into
which use GnuTLS or OpenSSL, but that could be done easily if needed).


perl -E '$_=q;$/= @{[@_]};and s;\S+;<inidehG ordnasselA>;eg;say~~reverse'

List admin:

Received on 2012-10-30