TODO: Configurable loading of OpenSSL configuration file

author Daniel Stenberg <daniel@haxx.se>

Tue, 10 Jul 2018 08:57:20 +0000 (10:57 +0200)

committer Daniel Stenberg <daniel@haxx.se>

Tue, 10 Jul 2018 08:57:20 +0000 (10:57 +0200)
author Daniel Stenberg <daniel@haxx.se>
Tue, 10 Jul 2018 08:57:20 +0000 (10:57 +0200)
committer Daniel Stenberg <daniel@haxx.se>
Tue, 10 Jul 2018 08:57:20 +0000 (10:57 +0200)
diff --git a/docs/TODO b/docs/TODO

index cea637868b3f1f7ed047fa2290f57e8a73bf45bb..269c9300650776192c7cbb04e64ae2178528c732 100644 (file)
--- a/docs/TODO
+++ b/docs/TODO
@@ -112,6 +112,7 @@
   13.6 Provide callback for cert verification
   13.7 improve configure --with-ssl
   13.8 Support DANE
+ 13.9 Configurable loading of OpenSSL configuration file
   13.11 Support intermediate & root pinning for PINNEDPUBLICKEY
   13.12 Support HSTS
   13.13 Support HPKP
@@ -767,6 +768,17 @@ that doesn't exist on the server, just like --ftp-create-dirs.
   Björn Stenberg wrote a separate initial take on DANE that was never
   completed.
  
+13.9 Configurable loading of OpenSSL configuration file
+
+ libcurl calls the OpenSSL function CONF_modules_load_file() in openssl.c,
+ Curl_ossl_init(). "We regard any changes in the OpenSSL configuration as a
+ security risk or at least as unnecessary."
+
+ Please add a configuration switch or something similar to disable the
+ CONF_modules_load_file() call.
+
+ See https://github.com/curl/curl/issues/2724
+
  13.11 Support intermediate & root pinning for PINNEDPUBLICKEY
  
   CURLOPT_PINNEDPUBLICKEY does not consider the hashes of intermediate & root
author	Daniel Stenberg <daniel@haxx.se>
	Tue, 10 Jul 2018 08:57:20 +0000 (10:57 +0200)
committer	Daniel Stenberg <daniel@haxx.se>
	Tue, 10 Jul 2018 08:57:20 +0000 (10:57 +0200)