curl-library

Re: CVE-2013-4545 and GnuTLS backend

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Sat, 30 Nov 2013 14:11:02 +0100 (CET)

On Sat, 30 Nov 2013, Oscar Koeroo wrote:

> I now (better) understand the motivations for the change. I personally rate
> this as a security through obscurity solution which in effect does add
> something.

No, that's not what this change brings. This change makes the code again work
like it used to, and how it is documented to work. It doesn't really add
anything and it doesn't change behavior (in other aspects than how a bugfix
can change behavior).

> I just hope nobody sees the new fix as an opportunity to leverage a wider
> disabling of the peer cert check.

It really can't, as libcurl already worked like this before. This was a
regression.

We can of course discuss if the option should work like this or even exist in
the future, but that doesn't change the past and what's in the code right now.

-- 
  / daniel.haxx.se
Received on 2013-11-30