Keyserver/security bug 1447 (and 1446 too)

Kristian Fiskerstrand kristian.fiskerstrand at sumptuouscapital.com
Mon Dec 3 17:55:25 CET 2012



Sent from my iPad

On Dec 3, 2012, at 5:32 PM, David Shaw <dshaw at jabberwocky.com> wrote:

> On Dec 3, 2012, at 2:27 AM, Phil Pennock <gnupg-devel at spodhuis.org> wrote:
> 
>> On 2012-12-02 at 12:57 -0500, David Shaw wrote:
>>> As far as I know, libcurl uses the host from the passed-in URL for SNI
>>> and there isn't a direct option to set the SNI to an arbitrary value,
>>> but looking at the options, CURLOPT_RESOLVE could be used to fix this
>>> by feeding in a record with the pool name and the address of the
>>> chosen server.
>> 
>> It's not going to help for deployed application code, where you need to
>> deal with the library as it exists on machines in the wild, but you
>> might be interested in playing with Kristian Fiskerstrand's patch,
>> described at:
>> 
>> http://blog.sumptuouscapital.com/2012/10/curl-and-using-http-host-header-for-sni/
>> 
>> Basically, "Copy the SNI from the HTTP Host: header".
> 
> I'm all for that patch, but yeah, it doesn't really help for deployed code.  I certainly wouldn't cry if the Curl people adopted it, or something similar.

For what it is worth, the respective thread on the curl mailing list for this is [0], but the use case can be mostly mitigated by the use of CURLOPT_RESOLVE, so I'm using the patch in my local crawler, but haven't pushed for it upstream.


[0] http://curl.haxx.se/mail/lib-2012-11/0109.html

Kristian
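The CURLOPT_RESOLVE approach David describes (feed libcurl a "HOST:PORT:ADDRESS" entry for the pool name and the chosen server, the command-line counterpart being curl --resolve) can be demonstrated end to end without a network. The following is an added example and is not code from this thread, from Kristian's patch, from curl or from GnuPG: it carries the same idea out in Go's net/http, where a TLS server and client can run in one process. Everything in it is constructed: the pool name, the server, the request path, and the assumption that httptest's built-in certificate (issued for "example.com") stands in for a pool certificate. The pinned client dials the chosen server's address while the URL keeps the pool name, so the SNI, the Host header and certificate verification all use that name; the contrasting function puts the address itself into the URL, which sends no SNI at all (RFC 6066 does not allow an IP literal there), so the server cannot tell which pool name the client wanted.

```go
package main

import (
	"context"
	"crypto/tls"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"sync"
	"time"
)

// Constructed for this example. httptest's built-in certificate is issued for
// "example.com" (and for 127.0.0.1), so that name plays the pool name here.
const poolName = "example.com"

// demoServer stands in for one pool member and records what each client sent:
// the SNI from the ClientHello and the Host header of the HTTP request.
type demoServer struct {
	srv               *httptest.Server
	mu                sync.Mutex
	lastSNI, lastHost string
}

func newDemoServer() *demoServer {
	s := &demoServer{}
	s.srv = httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		s.mu.Lock()
		defer s.mu.Unlock()
		s.lastHost = r.Host
		io.WriteString(w, "ok")
	}))
	s.srv.TLS = &tls.Config{
		// GetConfigForClient sees the ClientHello, which is where the SNI is visible.
		GetConfigForClient: func(hi *tls.ClientHelloInfo) (*tls.Config, error) {
			s.mu.Lock()
			defer s.mu.Unlock()
			s.lastSNI = hi.ServerName
			return nil, nil // nil keeps the server's own configuration
		},
	}
	s.srv.StartTLS()
	return s
}

// addr returns the chosen server's "ip:port", the value a crawler would have picked
// out of the pool's DNS answer.
func (s *demoServer) addr() string { return s.srv.Listener.Addr().String() }

// pinnedClient is the net/http analogue of CURLOPT_RESOLVE: the dialer always connects
// to pinnedAddr while the URL keeps the pool name, so SNI, Host header and certificate
// verification all use that name.
func pinnedClient(s *demoServer, pinnedAddr string) *http.Client {
	tr := s.srv.Client().Transport.(*http.Transport).Clone() // trusts the test CA only
	tr.DialContext = func(ctx context.Context, network, _ string) (net.Conn, error) {
		return (&net.Dialer{}).DialContext(ctx, network, pinnedAddr) // ignore the DNS name
	}
	return &http.Client{Timeout: 5 * time.Second, Transport: tr}
}

// fetchViaPool is the fixed behaviour: the request is addressed to the pool name but
// delivered to the chosen server. Returns what the server observed and the body.
func fetchViaPool(s *demoServer, pinnedAddr string) (sni, host, body string, err error) {
	_, port, _ := net.SplitHostPort(pinnedAddr)
	u := fmt.Sprintf("https://%s:%s/pks/lookup?op=index&search=test", poolName, port)
	resp, err := pinnedClient(s, pinnedAddr).Get(u)
	if err != nil {
		return "", "", "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.lastSNI, s.lastHost, string(b), err
}

// fetchByAddress is the original problem: the chosen server's address is used as the
// URL host. Go sends no SNI for an IP literal (RFC 6066 does not allow one), so the
// server cannot tell which pool name was wanted. Returns the SNI the server saw.
func fetchByAddress(s *demoServer, addr string) (sni string, err error) {
	resp, err := s.srv.Client().Get("https://" + addr + "/pks/lookup?op=index&search=test")
	if err == nil {
		resp.Body.Close()
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.lastSNI, err
}

func main() {
	s := newDemoServer()
	defer s.srv.Close()
	sni, host, body, err := fetchViaPool(s, s.addr())
	fmt.Printf("pool name in URL: sni=%q host=%q body=%q err=%v\n", sni, host, body, err)
	sni, err = fetchByAddress(s, s.addr())
	fmt.Printf("address in URL:   sni=%q err=%v\n", sni, err)
}
```

The second request succeeds here only because httptest's certificate also lists 127.0.0.1; a real pool certificate carries the pool name and no IP SAN, so a client that connects by address and has nothing to verify against the pool name is the situation the thread is working around. The important property of the pinned client is that it never sets ServerName by hand: the name comes from the URL, exactly as libcurl derives the SNI from the URL host, and CURLOPT_RESOLVE (or the dialer here) only changes where the connection goes.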