Aaron Zauner <[email protected]> writes:

>And still the case with most ruby deployments:
>https://github.com/search?q=OpenSSL%3A%3ASSL%3A%3AVERIFY_NONE&type=Code&utf8=%E2%9C%93

That produces nearly 49K results for Ruby, more than an order of magnitude more than the next highest, Python. Is there any chance that we're seeing a lot of false positives here, for example because it's being set to some default initialisation value that's later overridden? The matching also seems to be pretty fuzzy (there are 266 results for C code, which won't be doing the above), but also things like (from the Python results):

  ctx.set_verify(SSL.VERIFY_PEER, _callback)
  # ctx.set_verify(SSL.VERIFY_NONE, _callback)

which is clearly a false positive. For the Ruby code there are a lot of results found in "bypass_ssl" and "fix_ssl"-named items and similar, I'm wondering whether this is mainstream SSL-usage code or some debug module that happens to be included somewhere that the search is finding.

Peter.

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
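
Added example, not part of the message above or of any project it mentions: a small Ruby triage pass that separates the two false-positive classes raised there (a VERIFY_NONE hit that sits only in a comment, and a verify_mode default that is reassigned later) from hits that still need review. The function names, labels and the Ruby sample are assumptions made for illustration; the Python sample is the pair of lines quoted in the message.

```ruby
# Added example, not from the thread: triage VERIFY_NONE search hits.
#   :commented  - the match sits only inside a '#' comment
#   :overridden - verify_mode = VERIFY_NONE, reassigned on a later line
#   :active     - anything else; still needs a human look
# Heuristic only: line-based, ignores control flow and method boundaries.
ASSIGN = /([\w@.]+)\.verify_mode\s*=\s*(.+)/

# Code part of a line: cut at the first '#' that is outside a quoted string.
def code_part(line)
  quote = nil
  line.each_char.with_index do |ch, i|
    if quote
      quote = nil if ch == quote && line[i - 1] != "\\"
    elsif ch == '"' || ch == "'"
      quote = ch
    elsif ch == "#"
      return line[0...i]
    end
  end
  line
end

# True if a later line assigns the same receiver a mode other than VERIFY_NONE.
def reassigned_later?(code, idx, receiver)
  code.drop(idx + 1).any? do |l|
    (m = ASSIGN.match(l)) && m[1] == receiver && !m[2].include?("VERIFY_NONE")
  end
end

# Returns [[line_number, label], ...] for every line mentioning VERIFY_NONE.
def triage(source)
  code = source.lines.map { |l| code_part(l.chomp) }
  source.lines.each_with_index.map do |raw, i|
    next unless raw.include?("VERIFY_NONE")
    m = ASSIGN.match(code[i])
    label = if !code[i].include?("VERIFY_NONE") then :commented
            elsif m && reassigned_later?(code, i, m[1]) then :overridden
            else :active
            end
    [i + 1, label]
  end.compact
end

# Constructed samples; the Python pair is the one quoted in the message.
RUBY_SAMPLE = <<~RB
  http.verify_mode = OpenSSL::SSL::VERIFY_NONE
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  debug_http.verify_mode = OpenSSL::SSL::VERIFY_NONE
RB
PY_SAMPLE = "ctx.set_verify(SSL.VERIFY_PEER, _callback)\n" \
            "# ctx.set_verify(SSL.VERIFY_NONE, _callback)\n"
```

Only the :active share of a result set is a candidate for the kind of count discussed in the message, and a path filter for names such as "bypass_ssl" or "fix_ssl" would have to be applied separately.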
