Hello Ruan,

Thank you for keeping us apprised of the situation.

I see in that function that they do call

SSL_set_verify(ssl, SSL_VERIFY_PEER, verify_cb);

[elided from your excerpt]

but you are saying the MITM attack exists because they are not verifying
the global context?

** Changed in: nghttp2 (Ubuntu)
       Status: Invalid => New

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to nghttp2 in Ubuntu.
https://bugs.launchpad.net/bugs/1677958

Title:
  no SSL certificate verify
