Holes discovered in SSL certificate validation
Posted Nov 1, 2012 12:42 UTC (Thu) by zmower
Parent article: Holes discovered in SSL certificate validation
Amazon's Flexible Payments Service PHP library attempts to enable hostname verification by setting cURL's CURLOPT_SSL_VERIFYHOST parameter to true. Unfortunately, the correct, default value of this parameter is 2; setting it to true silently changes it to 1 and disables certificate validation. PayPal Payments Standard PHP library introduced the same bug when updating a previous, broken implementation.
As an Ada programmer, I laughed hard at this. Static typing FTW!
to post comments)