On Sat, 4 Nov 2023, Peter via fpc-devel wrote:
> Hi,
> Issue 40479 is about a security risk when OpenSSL is used in fcl-web
> (TFPHTTPClient). Using the current source/trunk, TLS certificates
> having a wrong hostname are accepted, while they should be rejected.
> An easy patch for this is available, I kindly ask for a review by one
> of the developers:
> https://gitlab.com/freepascal.org/fpc/source/-/issues/40479
> If I can help in any way to facilitate this review, please let me know.
You have already done more than what was needed, so no need to do anything else,
it is only a matter of available time for us (me).
If anything, this patch shows IMO that people are better off with GnuTLS rather
than OpenSSL; GnuTLS is safer by default.
> (BTW I also submitted a patch for a GnuTLS problem, which is less
> important because it is no security risk, but still a review is highly
> appreciated:
> https://gitlab.com/freepascal.org/fpc/source/-/issues/40195#note_1621128840)
I checked the patch and I applied it.
Many thanks for taking the time to investigate and fix these issues !
If you see a patch is not being treated "soon enough", please don't hesitate
to ping here, or even in a personal mail.
Michael.
___
fpc-devel maillist - fpc-devel@lists.freepascal.org
https://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-devel
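To make concrete what "certificates having a wrong hostname are accepted" means: validating the certificate chain and checking that the certificate is issued for the host you connected to are two separate steps, and with OpenSSL the second one happens only if the client asks for it (in OpenSSL 1.1.0 and later via SSL_set1_host() or X509_VERIFY_PARAM_set1_host() together with SSL_VERIFY_PEER; the thread above does not say which call the patch uses). The block below is an added example and is not code from fcl-web, from the patch, or from the FPC project: it implements the RFC 6125 name-matching rules that OpenSSL's X509_check_host() applies, in Python rather than Pascal, and contrasts the "chain checked, name not checked" client configuration with the secure default. The certificate dictionaries are constructed test data in the shape Python's ssl.getpeercert() returns, and the function names are illustrative.

```python
"""Hostname verification a TLS client must do on top of chain validation.

Added example, not fcl-web or patch code. It shows the RFC 6125 DNS-ID
matching rules (the same rules OpenSSL's X509_check_host() applies once a
client asks for the check) and the client-context settings that make the
difference between "any valid cert is accepted" and "only a cert for this
host is accepted".
"""
import ipaddress
import ssl
from typing import Iterable, Mapping, Sequence


def hostname_matches(san_dns_names: Iterable[str], hostname: str) -> bool:
    """Return True if hostname matches one of the DNS-ID names (RFC 6125 6.4.3).

    Rules applied (strict wildcard handling):
    - comparison is case-insensitive and ignores a trailing dot;
    - a wildcard is accepted only as the whole left-most label ("*.example.com");
    - it matches exactly one label, so "a.b.example.com" does not match it;
    - a wildcard needs at least two further labels, so "*.com" never matches.
    """
    host_labels = hostname.rstrip(".").lower().split(".")
    for name in san_dns_names:
        pat_labels = name.rstrip(".").lower().split(".")
        if pat_labels == host_labels:
            return True
        if (
            pat_labels[0] == "*"
            and len(pat_labels) >= 3
            and len(pat_labels) == len(host_labels)
            and pat_labels[1:] == host_labels[1:]
        ):
            return True
    return False


def verify_peer_name(cert: Mapping[str, Sequence], hostname: str) -> bool:
    """Check hostname against a certificate in ssl.getpeercert() dict form.

    When a subjectAltName extension is present only its DNS and IP entries
    count; the subject commonName is used only as a legacy fallback for
    certificates that carry no SAN at all.
    """
    san = cert.get("subjectAltName", ())
    dns_ids = [value for kind, value in san if kind == "DNS"]
    ip_ids = [value for kind, value in san if kind == "IP Address"]
    if dns_ids or ip_ids:
        try:
            ip = ipaddress.ip_address(hostname)
        except ValueError:
            # Not an IP literal: compare against DNS-IDs only.
            return hostname_matches(dns_ids, hostname)
        # IP literal: must equal one of the iPAddress SAN entries.
        return any(ipaddress.ip_address(v) == ip for v in ip_ids)
    # Legacy path: no SAN, fall back to commonName entries of the subject.
    cns = [value for rdn in cert.get("subject", ()) for kind, value in rdn if kind == "commonName"]
    return hostname_matches(cns, hostname)


def client_context(check_hostname: bool) -> ssl.SSLContext:
    """Build a TLS client context.

    check_hostname=False reproduces the bug class from issue 40479: the chain
    is still validated (CERT_REQUIRED), but a certificate for any host in the
    trust store is accepted for a connection to www.example.com.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = check_hostname
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def describe_context(ctx: ssl.SSLContext) -> dict:
    """Summarise the two settings that decide whether a wrong name is rejected."""
    return {"check_hostname": ctx.check_hostname, "verify_mode": ctx.verify_mode.name}


# Constructed certificate (not a real one), in ssl.getpeercert() dict form:
# issued for www.example.com, any single label under api.example.com, and one IP.
EXAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (
        ("DNS", "www.example.com"),
        ("DNS", "*.api.example.com"),
        ("IP Address", "192.0.2.10"),
    ),
}

# Constructed legacy certificate without a SAN extension.
LEGACY_CERT = {"subject": ((("commonName", "legacy.example.com"),),)}


if __name__ == "__main__":
    for host in ("www.example.com", "evil.example.com", "v1.api.example.com",
                 "x.v1.api.example.com", "192.0.2.10", "192.0.2.11"):
        print(f"{host:24} -> {'accept' if verify_peer_name(EXAMPLE_CERT, host) else 'REJECT'}")
    print("insecure:", describe_context(client_context(False)))
    print("secure:  ", describe_context(client_context(True)))
```

The first loop is the check that was missing: with the chain valid but no name check, "evil.example.com" would be accepted as long as the attacker holds any certificate trusted by the client's CA store. The two context lines show that verify_mode alone does not close that gap; the name check is a separate switch, and the secure default turns it on.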