It looks like Axel's SSL connections do not verify server certificate hostnames. To fix this, the SSL context should set a certificate callback or use `SSL_set1_host` to set the intended hostname.
This is an issue since it uses `SSL_CTX_set_default_verify_paths` and loads all root authorities from the OS. See https://wiki.openssl.org/index.php/Hostname_validation for a description of this nuance with the OpenSSL APIs.
Here is potentially insecure code:
https://github.com/axel-download-accelerator/axel/blob/master/src/ssl.c#L83