To be clear, this bug is in example code to demonstrate how one uses libnghttp2, not in any actual libnghttp2 code.

The upstream developer Tatsuhiro Tsujikawa (offlist) said:

> Thank you for the security analysis.
> examples/client.c is an example program to show how to use libnghttp2, and we
> made it intentionally simple.
> In addition, since developers often use self-signed certificates for
> developments, we omitted any verification after handshake. We never expect
> to see this as used in production scenario.

Ruan, I believe the upstream developer is waiting on you to respond with how you would like them to proceed: either a block comment or removal of the example code.

** Changed in: nghttp2 (Ubuntu)
       Status: Confirmed => Invalid

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1677958

Title:
  no SSL certificate verify

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nghttp2/+bug/1677958/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs