[Bug 1677958] Re: no SSL certificate verify
Nish Aravamudan
nish.aravamudan at canonical.com
Tue May 16 17:48:45 UTC 2017
To be clear, this bug is in example code to demonstrate how one uses
libnghttp2, not in any actual libnghttp2 code.
The upstream developer Tatsuhiro Tsujikawa (offlist) said:
> Thank you for the security analysis.
> examples/client.c is an example program to show how to use libnghttp2, and we made it intentionally simple.
> In addition, since developers often use self-signed certificates for developments, we omitted any verification after handshake. We never expect to see this as used in production scenario.
Ruan, I believe the upstream developer is waiting on you to respond with
how you would like them to proceed: either a block comment or removal of
the example code.
** Changed in: nghttp2 (Ubuntu)
Status: Confirmed => Invalid
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to nghttp2 in Ubuntu.
https://bugs.launchpad.net/bugs/1677958
Title:
no SSL certificate verify
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nghttp2/+bug/1677958/+subscriptions
More information about the Ubuntu-server-bugs
mailing list