libcurl skips the certificate verification for a QUIC connection under certain conditions, when built to use wolfSSL. If told to use an unknown/bad cipher or curve, the error path accidentally skips the verification and returns OK, thus ignoring any certificate problems.

OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
Debian | 12 | all | curl | <= 7.88.1-10+deb12u7 | curl_7.88.1-10+deb12u7_all.deb |
Debian | 11 | all | curl | <= 7.74.0-1.3+deb11u13 | curl_7.74.0-1.3+deb11u13_all.deb |
Debian | 999 | all | curl | < 8.7.1-1 | curl_8.7.1-1_all.deb |
Debian | 13 | all | curl | < 8.7.1-1 | curl_8.7.1-1_all.deb |
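
The description names two preconditions: a libcurl built against wolfSSL, and a QUIC connection. The following check is an added example, not part of the advisory or of curl itself; it classifies a build from the text printed by `curl -V`. The function name and the sample outputs (with `X.Y.Z` placeholder versions) are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide from `curl -V` text whether a build meets both
# preconditions named in the advisory (wolfSSL TLS backend + QUIC/HTTP3).

# classify_curl_build TEXT -> prints one of:
#   exposed-config   wolfSSL backend and HTTP3 feature both present
#   wolfssl-no-quic  wolfSSL backend, but no HTTP3 feature compiled in
#   other-backend    no wolfSSL in the linked-component line
classify_curl_build() {
    text=$1
    # Line 1 lists linked components, e.g. "libcurl/... wolfSSL/... ngtcp2/...".
    components=$(printf '%s\n' "$text" | sed -n '1p')
    # The "Features:" line lists compiled-in capabilities such as HTTP3.
    features=$(printf '%s\n' "$text" | grep -i '^Features:' || true)

    case "$components" in
        *[Ww]olfSSL/*) ;;
        *) echo other-backend; return 0 ;;
    esac
    # Pad with spaces so HTTP3 matches only as a whole word.
    case " $features " in
        *" HTTP3 "*) echo exposed-config ;;
        *)           echo wolfssl-no-quic ;;
    esac
}

# Constructed sample outputs (placeholder versions, not real builds).
SAMPLE_WOLFSSL_H3='curl X.Y.Z (x86_64-pc-linux-gnu) libcurl/X.Y.Z wolfSSL/X.Y.Z zlib/X.Y.Z ngtcp2/X.Y.Z nghttp3/X.Y.Z
Release-Date: [constructed]
Protocols: http https
Features: alt-svc AsynchDNS HSTS HTTP3 IPv6 libz SSL'

SAMPLE_WOLFSSL_NO_H3='curl X.Y.Z (x86_64-pc-linux-gnu) libcurl/X.Y.Z wolfSSL/X.Y.Z zlib/X.Y.Z
Release-Date: [constructed]
Protocols: http https
Features: alt-svc AsynchDNS HSTS IPv6 libz SSL'

SAMPLE_OPENSSL_H3='curl X.Y.Z (x86_64-pc-linux-gnu) libcurl/X.Y.Z OpenSSL/X.Y.Z zlib/X.Y.Z ngtcp2/X.Y.Z nghttp3/X.Y.Z
Release-Date: [constructed]
Protocols: http https
Features: alt-svc AsynchDNS HSTS HTTP2 HTTP3 IPv6 libz SSL'
```

On a real host, run `classify_curl_build "$(curl -V)"`. A result of `exposed-config` means only that both preconditions are present, so the installed package version still has to be compared against the table above.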