Date: Wed, 12 Mar 2014 21:36:10 +1100
From: Michael Samuel <>
Subject: Re: Re: CVE request: claws-mail vcalendar plugin stores user/password in cleartext

On 12 March 2014 20:56, Marcus Meissner <> wrote:

> Note comment by author(?):
> "However, while I agree that CURLOPT_SSL_VERIFYHOST should probably be
> enabled, I do not see any usefulness in enabling CURLOPT_SSL_VERIFYPEER. I
> do not really buy into the extortion racket that certificate authority
> companies run."

For people that take this (somewhat valid) stance WRT CAs, the answer is to use
the self-signed certificate and either add it to the system's ca-trust store, or
specify CURLOPT_CAINFO with a file containing the self-signed certificate.

Note that CURLOPT_CAINFO doesn't do proper pinning - this won't work with a
CA-issued certificate unless the CA certificate was in the file too, as the
certificate would contain the CA:false basicConstraint.  That CA could issue
another certificate for the host and it would be accepted.

Disabling SSL_VERIFYPEER is as obviously broken as an inetd service calling
An author's claim that this is fine runs counter to users' expectation that
enabling TLS provides security.
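Added worked example (editor's addition; not code from this mail, from claws-mail or from libcurl): the "CURLOPT_CAINFO is not pinning" point above, reproduced with the openssl CLI so it can be checked offline. It generates a self-signed end-entity certificate with CA:FALSE, a private CA, and two certificates that CA issues for the same host, then runs the check that VERIFYPEER=1 + VERIFYHOST=2 + CAINFO=<file> amounts to (openssl verify -CAfile ... -verify_hostname ...) against each combination, and finally computes the SubjectPublicKeyInfo hash that real pinning compares. The host name cal.example.test, the CA name and the temp-file layout are made up for the example; only the openssl binary is needed.

```shell
#!/bin/sh
# Added example, not from the mail, from claws-mail or from libcurl: shows with
# the openssl CLI why a CURLOPT_CAINFO file is not pinning. Every key and cert
# is generated on the fly in a temp dir; the host name and CA name are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=cal.example.test   # hypothetical CalDAV host (assumption)

# Extension profiles: an end-entity cert that may not sign other certs
# (the CA:false basicConstraint the mail refers to), and a real CA.
printf 'basicConstraints=critical,CA:FALSE\nsubjectAltName=DNS:%s\n' "$HOST" >"$WORK/leaf.ext"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$WORK/ca.ext"

# new_key_and_csr NAME SUBJECT: fresh 2048-bit RSA key plus a CSR for it.
new_key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

make_certs() {
  # 1. Self-signed end-entity cert for the host: what the mail suggests
  #    putting into the CURLOPT_CAINFO file.
  new_key_and_csr self "/CN=$HOST"
  openssl x509 -req -days 1 -set_serial 1 -in "$WORK/self.csr" -signkey "$WORK/self.key" \
    -extfile "$WORK/leaf.ext" -out "$WORK/self.pem" 2>/dev/null

  # 2. A private CA and two different certs it issues for the same host
  #    (leaf2 plays the "CA issues another certificate for the host" case).
  new_key_and_csr ca "/CN=Example Private CA"
  openssl x509 -req -days 1 -set_serial 1 -in "$WORK/ca.csr" -signkey "$WORK/ca.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" 2>/dev/null
  for n in 1 2; do
    new_key_and_csr "leaf$n" "/CN=$HOST"
    openssl x509 -req -days 1 -set_serial "$((n + 1))" -in "$WORK/leaf$n.csr" \
      -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -extfile "$WORK/leaf.ext" \
      -out "$WORK/leaf$n.pem" 2>/dev/null
  done
}

# verify_with TRUSTFILE CERT: the check that VERIFYPEER=1, VERIFYHOST=2 and
# CAINFO=TRUSTFILE perform. Exit status 0 means the peer would be accepted.
verify_with() {
  openssl verify -CAfile "$WORK/$1" -verify_hostname "$HOST" "$WORK/$2" >/dev/null 2>&1
}

# spki_pin CERT: base64(SHA-256(DER SubjectPublicKeyInfo)), the value curl's
# --pinnedpubkey sha256//... (CURLOPT_PINNEDPUBLICKEY) compares against.
spki_pin() {
  openssl x509 -in "$WORK/$1" -pubkey -noout |
    openssl pkey -pubin -outform DER |
    openssl dgst -sha256 -binary | openssl enc -base64
}

# pin_matches CERT PIN: real pinning, independent of who signed the cert.
pin_matches() {
  [ "$(spki_pin "$1")" = "$2" ]
}

# show CERT TRUSTFILE: one-line report of the verify outcome.
show() {
  if verify_with "$2" "$1"; then r=accepted; else r=rejected; fi
  printf '%-9s with CAINFO=%-9s %s\n' "$1" "$2" "$r"
}

make_certs
show self.pem  self.pem    # self-signed leaf is its own trust anchor: accepted
show leaf1.pem ca.pem      # CA in the file: accepted
show leaf2.pem ca.pem      # ...and so is any other cert that CA issues: accepted
show leaf1.pem leaf1.pem   # CA-issued leaf alone in the file: rejected (no chain)
show self.pem  ca.pem      # unrelated self-signed cert: rejected
PIN=$(spki_pin leaf1.pem)
if pin_matches leaf2.pem "$PIN"; then echo "leaf2 matches leaf1 pin"; else echo "leaf2 fails leaf1 pin"; fi
```

The two middle "accepted" lines are the mail's point: once the CA is the trust file, every certificate that CA issues for the host passes, which a pin on leaf1's key would catch. In curl terms, --cacert is CURLOPT_CAINFO, -k/--insecure is VERIFYPEER=0 (and VERIFYHOST=0), and --pinnedpubkey sha256//<pin> is the CURLOPT_PINNEDPUBLICKEY check computed by spki_pin. One caveat to the "CA must be in the file" line: openssl verify -partial_chain, and the X509_V_FLAG_PARTIAL_CHAIN that newer libcurl releases set on their OpenSSL store, accept a non-self-signed leaf from the trust file as an anchor, so that particular rejection depends on the TLS stack's version and flags.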

