[fpc-devel] Request for review of patch for security risk in fcl-web/openssl

Michael Van Canneyt michael at freepascal.org
Sun Nov 5 10:33:39 CET 2023



On Sat, 4 Nov 2023, Peter via fpc-devel wrote:

> Hi,
>
> Issue 40479 is about a security risk when OpenSSL is used in fcl-web
> (TFPHTTPClient). Using the current source/trunk, TLS certificates
> having a wrong hostname are accepted, while they should be rejected.
>
> An easy patch for this is available, I kindly ask for a review by one
> of the developers:
>
> https://gitlab.com/freepascal.org/fpc/source/-/issues/40479
>
> If I can help in any way to facilitate this review, please let me know.

You have already done more than what was needed, so no need to do anything else, 
it is only a matter of available time for us (me).

If anything, this patch shows IMO that people are better off with GnuTLS rather
than OpenSSL, GnuTLS is safer by default.

> (BTW I also submitted a patch for a GnuTLS problem, which is less
> important because it is no security risk, but still a review is highly
> appreciated:
> https://gitlab.com/freepascal.org/fpc/source/-/issues/40195#note_1621128840)

I checked the patch and I applied it.

Many thanks for taking the time to investigate and fix these issues !

If you see a patch is not being treated "soon enough", please don't hesitate 
to ping here, or even in a personal mail.

Michael.
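The check that issue 40479 is about, hostname verification of the peer certificate, is shown below as an added example; it is not code from FPC, fcl-web or OpenSSL. OpenSSL performs this comparison in X509_check_host(), which a client enables per connection with SSL_set1_host() (or via X509_VERIFY_PARAM_set1_host); Python's ssl module runs the equivalent check when SSLContext.check_hostname is True. A client that verifies the chain but never binds it to the requested hostname, as the report describes for TFPHTTPClient with OpenSSL, will happily accept a valid certificate issued to some other name. The example implements the RFC 6125 rules (SAN dNSName first, CN only as a legacy fallback, wildcards only as the whole leftmost label, IP literals only against iPAddress entries) over a certificate dict in the layout that ssl.SSLSocket.getpeercert() returns. The certificate below is constructed for the example; the "attacker.example" case is the scenario from the report.

```python
"""RFC 6125-style hostname matching for a peer certificate.

Added example, not code from the FPC/fcl-web project or OpenSSL. The cert
dict follows the shape of ssl.SSLSocket.getpeercert(): a "subjectAltName"
tuple of (type, value) pairs and a "subject" tuple of RDNs.
"""
import ipaddress


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName/CN pattern from a certificate against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard policy: only the entire leftmost label may be "*", it matches
    # exactly one label, and patterns as broad as "*.com" are rejected.
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(p_labels) < 3 or len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches_cert(cert: dict, hostname: str) -> bool:
    """Return True only if the certificate was issued for `hostname`."""
    san = cert.get("subjectAltName", ())
    dns_names = [v for (t, v) in san if t == "DNS"]
    ip_names = [v for (t, v) in san if t == "IP Address"]

    # An IP literal may only match an iPAddress SAN entry; DNS names and the
    # CN are never consulted for it.
    try:
        wanted_ip = ipaddress.ip_address(hostname.strip("[]"))
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        for ip in ip_names:
            try:
                if ipaddress.ip_address(ip) == wanted_ip:
                    return True
            except ValueError:
                continue
        return False

    # If the cert carries any dNSName, those are authoritative (RFC 6125 6.4.4).
    if dns_names:
        return any(_dns_name_matches(p, hostname) for p in dns_names)

    # Legacy fallback: no dNSName at all, so look at the subject commonName.
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName" and _dns_name_matches(value, hostname):
                return True
    return False


# Constructed sample certificate (not a real one), issued for www.example.com,
# any single label under api.example.com, and the address 192.0.2.10.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (
        ("DNS", "www.example.com"),
        ("DNS", "*.api.example.com"),
        ("IP Address", "192.0.2.10"),
    ),
}

# A CN-only certificate, as old CAs issued them: CN fallback applies.
LEGACY_CERT = {"subject": ((("commonName", "legacy.example"),),)}

# CN says www.example.com but the SAN names another host: CN must be ignored.
MISMATCH_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "other.example"),),
}


def demo() -> dict:
    """Evaluate the cases a client must get right; keyed by description."""
    return {
        "exact": hostname_matches_cert(SAMPLE_CERT, "www.example.com"),
        "case_and_trailing_dot": hostname_matches_cert(SAMPLE_CERT, "WWW.EXAMPLE.COM."),
        "wrong_host_rejected": hostname_matches_cert(SAMPLE_CERT, "attacker.example"),
        "wildcard_one_label": hostname_matches_cert(SAMPLE_CERT, "foo.api.example.com"),
        "wildcard_not_two_labels": hostname_matches_cert(SAMPLE_CERT, "a.foo.api.example.com"),
        "wildcard_not_zero_labels": hostname_matches_cert(SAMPLE_CERT, "api.example.com"),
        "ip_match": hostname_matches_cert(SAMPLE_CERT, "192.0.2.10"),
        "ip_mismatch": hostname_matches_cert(SAMPLE_CERT, "192.0.2.11"),
        "cn_fallback_without_san": hostname_matches_cert(LEGACY_CERT, "legacy.example"),
        "cn_ignored_when_san_present": hostname_matches_cert(MISMATCH_CERT, "www.example.com"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:32s} {'accept' if ok else 'reject'}")
```

In a real client this function runs after chain validation succeeds, with the hostname the user asked for (never one taken from a redirect or the certificate itself); a False result must abort the connection before any application data is sent.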
