github.com/php-mod/curl/issues… #curl
Misleading TLS verification instructions · Issue #108 · php-mod/curl
The README currently says: SSL verification setup: $curl = new Curl\Curl(); $curl->setOpt(CURLOPT_RETURNTRANSFER, TRUE); $curl->setOpt(CURLOPT_SSL_VERIFYPEER, FALSE); $curl->get('https://encrypted....
Xilokar
in reply to daniel:// stenberg://
daniel:// stenberg://
in reply to Xilokar
ѕенааѕ
in reply to daniel:// stenberg://
Alerta! Alerta!
in reply to daniel:// stenberg://
The amount of times I see TLS_REQCERT never as THE solution to TLS issues in LDAP connections is unfathomable....
🙈
🤷
sijmen
in reply to daniel:// stenberg://
daniel:// stenberg://
in reply to sijmen
Stefan Eissing
in reply to daniel:// stenberg://
daniel:// stenberg://
in reply to daniel:// stenberg://
"The libcurl CURLOPT_SSL_VERIFYPEER option was disabled on a subset of requests made by Nest production devices"
github.com/advisories/GHSA-fq2…
CVE-2024-32928 - GitHub Advisory Database
Chris 🏃 🐧
in reply to daniel:// stenberg://
daniel:// stenberg://
in reply to daniel:// stenberg://
"An issue was discovered in TCPDF before 6.8.0. If libcurl is used, CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER are set unsafely."
github.com/advisories/GHSA-9mg…
CVE-2024-56521 - GitHub Advisory Database
daniel:// stenberg://
in reply to daniel:// stenberg://
"Improper Certificate Validation vulnerability in LibreOffice "LibreOfficeKit" mode disables TLS certification verification"
nvd.nist.gov/vuln/detail/cve-2…
I'll stop now.
NVD - cve-2024-5261
ouuan
in reply to daniel:// stenberg://
We can search for this snippet on GitHub: github.com/search?q=%2FsetOpt%…
And there are many more (162k) if just searching for CURLOPT_SSL_VERIFYPEER, but they might not come from the incorrect documentation in php-mod, and I'm not sure how many of them are actually safe.
daniel:// stenberg://
in reply to ouuan
@ouuan that's how I fell down this rabbit hole: mastodon.social/@bagder/113979…
daniel:// stenberg://
2025-02-10 13:36:33
Andreas Scherbaum
in reply to daniel:// stenberg://
@ouuan You have two days to fix the Internet! After that it's weekend, and no deployments on Friday!
/s
Mat Gadd
in reply to daniel:// stenberg://
yikes! I disabled it on a pet project recently, but there’s no way I’d do so in a professional setting. My colleagues wouldn’t pass it through code review either! Some big companies have very odd practices…
(Something is funky with my container and no amount of futzing with certificate files was resolving it. It’s to fetch my bin collection schedule so hardly mission or privacy critical! 😅)
Chilly 🛡️
in reply to daniel:// stenberg://
abadidea
in reply to daniel:// stenberg://
Ross McKay
in reply to daniel:// stenberg://
🎉
"stop setting CURLOPT_SSL_VERIFYPEER to false or 0" is my top-rated comment on php.net
from _12 years ago!_
Tobias Fiebig
in reply to daniel:// stenberg://