Keyserver/security bug 1447 (and 1446 too)

Kristian Fiskerstrand kristian.fiskerstrand at
Mon Dec 3 17:55:25 CET 2012

Sent from my iPad

On Dec 3, 2012, at 5:32 PM, David Shaw <dshaw at> wrote:

> On Dec 3, 2012, at 2:27 AM, Phil Pennock <gnupg-devel at> wrote:
>> On 2012-12-02 at 12:57 -0500, David Shaw wrote:
>>> As far as I know, libcurl uses the host from the passed-in URL for SNI
>>> and there isn't a direct option to set the SNI to an arbitrary value,
>>> but looking at the options, CURLOPT_RESOLVE could be used to fix this
>>> by feeding in a record with the pool name and the address of the
>>> chosen server.
>> It's not going to help for deployed application code, where you need to
>> deal with the library as it exists on machines in the wild, but you
>> might be interested in playing with Kristian Fiskerstrand's patch,
>> described at:
>> Basically, "Copy the SNI from the HTTP Host: header".
> I'm all for that patch, but yeah, it doesn't really help for deployed code.  I certainly wouldn't cry if the Curl people adopted it, or something similar.

For what it is worth, the respective thread on the curl mailing list for this is [0], but the use case can be mostly mitigated by the use of CURLOPT_RESOLVE, so I'm using the patch in my local crawler, but haven't pushed for it upstream.
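
The approach discussed in this thread, as an added example that is not part of the original messages and is not libcurl code: Python's standard `ssl` module stands in for libcurl to show the effect CURLOPT_RESOLVE is meant to achieve, connecting to one chosen server's address while the SNI and certificate check use the pool name. `resolve_entry` builds the "HOST:PORT:ADDRESS" string that CURLOPT_RESOLVE takes; the function names, `pool.example.org` and the address are assumptions constructed for illustration.

```python
import ipaddress
import socket
import ssl


def resolve_entry(pool_name: str, port: int, address: str) -> str:
    """Build the "HOST:PORT:ADDRESS" string that CURLOPT_RESOLVE takes."""
    ip = ipaddress.ip_address(address)  # ValueError unless a literal IP
    if not 0 < port < 65536:
        raise ValueError(f"bad port: {port}")
    if not pool_name or ":" in pool_name:
        raise ValueError(f"bad host name: {pool_name!r}")
    return f"{pool_name}:{port}:{ip.compressed}"


def verifying_context() -> ssl.SSLContext:
    """Client context that checks both the chain and the host name."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def status_from_pool_member(pool_name: str, address: str,
                            port: int = 443, timeout: float = 10.0) -> str:
    """Connect to one chosen server, but speak TLS and HTTP as the pool."""
    ip = ipaddress.ip_address(address)
    ctx = verifying_context()
    with socket.create_connection((str(ip), port), timeout=timeout) as raw:
        # server_hostname is sent as the SNI and is also the name the
        # server certificate is verified against, so a member that only
        # holds a certificate for its own host name fails the handshake.
        with ctx.wrap_socket(raw, server_hostname=pool_name) as tls:
            request = (f"GET / HTTP/1.1\r\nHost: {pool_name}\r\n"
                       "Connection: close\r\n\r\n")
            tls.sendall(request.encode("ascii"))
            return tls.makefile("rb").readline().decode("latin-1").strip()


if __name__ == "__main__":
    # Constructed placeholders: a pool name and a documentation-range address.
    print(resolve_entry("pool.example.org", 443, "192.0.2.10"))
```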


