cURL / Mailing Lists / curl-library / Single Mail


Re: "The Most Dangerous Code in the World"

From: Daniel Stenberg <>
Date: Tue, 30 Oct 2012 23:26:11 +0100 (CET)

On Sat, 27 Oct 2012, Nick Zitzmann wrote:

> Here is a patch that rolls this out to curl_darwinssl.c as well. I noticed
> that my code had always ignored that option. Now, before you panic and start
> writing up a CVE, let me point out that it always ignored that option and
> always verified the domain name unless the host in the URL was an IP
> address. There just wasn't any way to turn that off.
> This patch makes it possible to disable that check, just like in the other
> TLS/SSL back-ends. Please add this onto your patch.

Thanks, I've incorporated it into my patch!

List admin:
Received on 2012-10-30