To be clear, this bug is in example code to demonstrate how one uses
libnghttp2, not in any actual libnghttp2 code.

The upstream developer Tatsuhiro Tsujikawa (offlist) said:

> Thank you for the security analysis.
> examples/client.c is an example program to show how to use libnghttp2, and we
> made it intentionally simple.
> In addition, since developers often use self-signed certificates for
> development, we omitted any verification after handshake.  We never expect
> to see this used in a production scenario.

Ruan, I believe the upstream developer is waiting on you to respond with
how you would like them to proceed: either a block comment or removal of
the example code.

** Changed in: nghttp2 (Ubuntu)
       Status: Confirmed => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1677958

Title:
  no SSL certificate verify

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs