Re: The Most Dangerous Code in the World

2012-10-25 Thread Oscar Koeroo
On 10/25/2012 07:16 AM, SM wrote: Hi Daniel, At 13:45 24-10-2012, Daniel Stenberg wrote: The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software is a report from 6 authors I noticed today: http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf cURL is also

RE: The Most Dangerous Code in the World

2012-10-25 Thread Yehezkel Horowitz
cURL is also mentioned in the FAQ at https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html This is the quote from the FAQ Q: How do I use cURL securely? A: CURLOPT_SSL_VERIFYPEER must be set to TRUE, CURLOPT_SSL_VERIFYHOST must be left to its default value or set to 2.

RE: The Most Dangerous Code in the World

2012-10-25 Thread Daniel Stenberg
On Thu, 25 Oct 2012, Yehezkel Horowitz wrote: As to what we can do to make cURL even better (in order to protect unprofessional users that don't know what they are doing), We could make '1' to act as '2' (verify peer identity), and add a special magic value (i.e. 27934) that will act as

RE: The Most Dangerous Code in the World

2012-10-25 Thread Mark Tully
As to what we can do to make cURL even better (in order to protect unprofessional users that don't know what they are doing), We could make '1' to act as '2' (verify peer identity), and add a special magic value (i.e. 27934) that will act as today's '1' (check for CN existence but don't

Re: Sleep and wakeup on http request AND communication socket number

2012-10-25 Thread Daniel Stenberg
On Thu, 25 Oct 2012, JALINDAR wrote: I got to know how to open know socket number using CURLOPT_LOCALPORT but how to wait on this socket? libcurl opens its own sockets normally. CURLOPT_LOCALPORT is used to make libcurl bind the local end of the socket to a specific port. Use the multi /

Re: Sleep and wakeup on http request AND communication socket number

2012-10-25 Thread Dan Fandrich
On Thu, Oct 25, 2012 at 07:28:28PM +0800, JALINDAR wrote: Then how to get at least opened socket for handle by libcurl.as i have to send this port number to the server This is obviously not for one of the standard protocols that libcurl supports, then. There is a way to get the

Re: The Most Dangerous Code in the World

2012-10-25 Thread Jan Ehrhardt
Daniel Stenberg in gmane.comp.web.curl.library (Wed, 24 Oct 2012 22:45:17 +0200 (CEST)): From what I understand, the single reason behind that statement is that we have the CURLOPT_SSL_VERIFYHOST option which takes a three-value option and not just a boolean. The authors found several source

Re: The Most Dangerous Code in the World

2012-10-25 Thread William Betts
It's made it to slashdot http://it.slashdot.org/story/12/10/25/2020223/ssl-holes-found-in-critical-non-browser-software