ikod / dlang-requests

dlang http client library inspired by python-requests
Boost Software License 1.0

SSL Peer Verification is off by default #72

Closed schuetzm closed 6 years ago

schuetzm commented 6 years ago

Going by the source documentation (https://github.com/ikod/dlang-requests/blob/master/source/requests/request.d#L185), it seems sslSetVerifyPeer() is off by default. Needless to say, this is a very bad idea from a security POV. Please make sure the default is true.

ikod commented 6 years ago

Hello,

Thanks for the report. This change will probably break some clients, but it looks like you are right; it should be enabled by default.

Thu, 19 Apr 2018, 12:55 Marc Schütz notifications@github.com:

Going by the source documentation ( https://github.com/ikod/dlang-requests/blob/master/source/requests/request.d#L185), it seems sslSetVerifyPeer() is off by default. Needless to say, this is a very bad idea from a security POV. Please make sure the default is true.


ikod commented 6 years ago

Hello, @schuetzm

The fix is on GitHub master. Please check, and if it is OK, I'll make a new release.

WebFreak001 commented 6 years ago

The README still shows sslSetVerifyPeer(true) in the example and implicitly suggests that it is off by default, making most people who don't read further think it's disabled by default.

ikod commented 6 years ago

Hello @WebFreak001

Now all SSL-related options are explicitly listed and the example is fixed in README.md.

Thanks for the report!
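
Added example, not part of the issue thread or the project's own code: a heuristic Python check over D sources that import `requests` and either call `sslSetVerifyPeer(false)` or never call `sslSetVerifyPeer(true)`, which matters for code built against a release from before the fix mentioned above. The sample sources, file names and the `audit_source`/`audit_all` helpers are constructed for illustration.

```python
import re

# D call form named in the issue: rq.sslSetVerifyPeer(true) / rq.sslSetVerifyPeer(false)
VERIFY_CALL = re.compile(r"\bsslSetVerifyPeer\s*\(\s*(true|false)\s*\)")
IMPORT_REQUESTS = re.compile(r"^\s*import\s+requests\b", re.MULTILINE)
# Strip // comments, but not the "//" inside URLs such as "https://..."
LINE_COMMENT = re.compile(r"(?<!:)//[^\n]*")


def line_of(text, offset):
    """1-based line number of a character offset."""
    return text.count("\n", 0, offset) + 1


def audit_source(name, text):
    """Return (file, line, finding) tuples for one D source file (heuristic)."""
    code = LINE_COMMENT.sub("", text)  # newlines survive, so line numbers hold
    imp = IMPORT_REQUESTS.search(code)
    if imp is None:
        return []  # file does not use dlang-requests
    calls = list(VERIFY_CALL.finditer(code))
    findings = [(name, line_of(code, m.start()), "verification disabled")
                for m in calls if m.group(1) == "false"]
    # No explicit opt-in and no explicit opt-out: behaviour depends on the
    # library default, which the issue reports as off before the fix.
    if not findings and not any(m.group(1) == "true" for m in calls):
        findings.append((name, line_of(code, imp.end()), "relies on library default"))
    return findings


def audit_all(sources):
    """Audit a {filename: source} mapping in sorted filename order."""
    return [f for name in sorted(sources) for f in audit_source(name, sources[name])]


def sample(body):  # constructed D source, not taken from any real project
    return ("import requests;\nvoid main() {\n    auto rq = Request();\n"
            + body + '    auto rs = rq.get("https://example.org/");\n}\n')


SAMPLES = {
    "fetch_default.d": sample(""),
    "fetch_insecure.d": sample("    rq.sslSetVerifyPeer(false); // staging cert\n"),
    "fetch_verified.d": sample("    rq.sslSetVerifyPeer(true);\n"),
    "commented.d": sample("    // rq.sslSetVerifyPeer(true);\n"),
}

if __name__ == "__main__":
    for path, line, what in audit_all(SAMPLES):
        print(f"{path}:{line}: {what}")
```
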