Hello Ruan, Thank you for keeping us apprised of the situation.
I see in that function, that they do call SSL_set_verify(ssl, SSL_VERIFY_PEER, verify_cb); [elided from your excerpt] but you are saying the MITM attack exists because they are not verifying the global context? ** Changed in: nghttp2 (Ubuntu) Status: Invalid => New -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to nghttp2 in Ubuntu. https://bugs.launchpad.net/bugs/1677958 Title: no SSL certificate verify To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nghttp2/+bug/1677958/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs