Keyserver/security bug 1447 (and 1446 too)
kristian.fiskerstrand at sumptuouscapital.com
Mon Dec 3 17:55:25 CET 2012
On Dec 3, 2012, at 5:32 PM, David Shaw <dshaw at jabberwocky.com> wrote:
> On Dec 3, 2012, at 2:27 AM, Phil Pennock <gnupg-devel at spodhuis.org> wrote:
>> On 2012-12-02 at 12:57 -0500, David Shaw wrote:
>>> As far as I know, libcurl uses the host from the passed-in URL for SNI
>>> and there isn't a direct option to set the SNI to an arbitrary value,
>>> but looking at the options, CURLOPT_RESOLVE could be used to fix this
>>> by feeding in a record with the pool name and the address of the
>>> chosen server.
>> It's not going to help for deployed application code, where you need to
>> deal with the library as it exists on machines in the wild, but you
>> might be interested in playing with Kristian Fiskerstrand's patch,
>> described at:
>> Basically, "Copy the SNI from the HTTP Host: header".
> I'm all for that patch, but yeah, it doesn't really help for deployed code. I certainly wouldn't cry if the Curl people adopted it, or something similar.
For what it is worth, the respective thread on the curl mailing list for this is  , but the use case can be mostly mitigated by the use of CURLOPT_RESOLVE, so I'm using the patch in my local crawler, but haven't pushed for it upstream.
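
The CURLOPT_RESOLVE workaround discussed in this thread, as an added example that is not part of any message above and not code from GnuPG or curl: it uses the curl command-line tool's `--resolve` option, the CLI counterpart of CURLOPT_RESOLVE, to send a request to one chosen pool member while the URL still names the pool. The function names, the hostname `pool.keyserver.example` and the addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example: pin a pool hostname to one chosen member with curl --resolve.
# Hostnames and addresses used with these functions are constructed placeholders.

# Print the "HOST:PORT:ADDRESS" entry that --resolve (CURLOPT_RESOLVE) expects.
# Returns non-zero when the port is not numeric or the address does not look
# like a numeric IP literal, so a malformed entry is caught before curl runs.
# The address test is a loose syntactic check, not a full IP parser.
resolve_entry() {
    pool=$1 port=$2 addr=$3
    case $pool in
        ''|*[!A-Za-z0-9.-]*) echo "bad host: $pool" >&2; return 1 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    case $addr in
        ''|*[!0-9A-Fa-f:.]*) echo "bad address: $addr" >&2; return 1 ;;
        *:*|*.*.*.*) ;;   # IPv6 literal or dotted-quad IPv4
        *) echo "bad address: $addr" >&2; return 1 ;;
    esac
    printf '%s:%s:%s\n' "$pool" "$port" "$addr"
}

# Fetch PATH from the pool member at ADDR. The URL keeps the pool name, so the
# Host: header, the SNI value and the certificate name check all use the pool
# name; only the address curl connects to is overridden.
fetch_from_member() {
    pool=$1 port=$2 addr=$3 path=$4
    entry=$(resolve_entry "$pool" "$port" "$addr") || return 1
    curl --silent --show-error --fail \
         --resolve "$entry" \
         "https://$pool:$port$path"
}

# Example call (constructed values):
#   fetch_from_member pool.keyserver.example 443 192.0.2.10 /
```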