** Also affects: nghttp2 (Ubuntu Xenial)
Importance: Undecided
Status: New
** Changed in: nghttp2 (Ubuntu)
Status: New => Fix Released
** Changed in: nghttp2 (Ubuntu Xenial)
Status: New => Confirmed
Hello Ruan,
Thank you for keeping us apprised of the situation.
I see in that function, that they do call
SSL_set_verify(ssl, SSL_VERIFY_PEER, verify_cb);
[elided from your excerpt]
but you are saying the MITM attack exists because they are not verifying
the global context?
** Changed in: ngh
To be clear, this bug is in example code to demonstrate how one uses
libnghttp2, not in any actual libnghttp2 code.
The upstream developer Tatsuhiro Tsujikawa (offlist) said:
> Thank you for the security analysis.
> examples/client.c is an example program to show how to use libnghttp2, and we
>