Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 18 May 2016 08:18:11 +0200 (CEST)
From: Daniel Stenberg <>
To: Curl Announce -- curl users <>,,
        libcurl hacking <>,
Subject: [SECURITY ADVISORY] curl: TLS certificate check bypass with

TLS certificate check bypass with mbedTLS/PolarSSL

Project cURL Security Advisory, May 18th 2016 -


libcurl did not check the server certificate of TLS connections done to a host
specified as an IP address, or when explicitly asked to use SSLv3.

This flaw only exists when libcurl is built to use mbedTLS or PolarSSL as TLS

The documentation for mbedTLS and PolarSSL (wrongly) says that the API
function *ssl_set_hostname() is used only for setting the name for the TLS
extension SNI. The set string is however even more importantly used by the
libraries to verify the server certificate, and if no "hostname" is set it
will just skip the check and successfully continue with the handshake.

libcurl would wrongly avoid using the function when the specified host name
was given as an IP address or when SSLv3 is used, as SNI isn't supposed to be
used then. This then leads to that all uses of TLS oriented protocols (HTTPS,
FTPS, IMAPS, POPS3, SMTPS, etc) will allow connections to servers with
unverified server certificates as long as they're specified as IP addresses or
using SSLv3.

By tricking a libcurl-using client to use a URL with a host specified as IP
address only, an application could be made to connect to an impostor server or
Man In The Middle host without noticing.

Note: PolarSSL is the old name and releases of the library that nowadays is
known and released under the name mbedTLS.

We are not aware of any exploit of this flaw.


This flaw also affects the curl command line tool.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2016-3739 to this issue.


This flaw is relevant for all versions of curl and libcurl that support
PolarSSL or mbedTLS.

- Affected versions: libcurl 7.21.0 to and including 7.48.0
- Not affected versions: libcurl < 7.21.0 and libcurl >= 7.49.0

libcurl is used by many applications, but not always advertised as such!


In version 7.49.0, libcurl properly sets the "hostname" even when it is just
an IP address and even when using SSLv3 that doesn't have SNI.

A [patch for CVE-2016-3739]( is available.


We suggest you take one of the following actions immediately, in order of

  A - Upgrade curl and libcurl to version 7.49.0

  B - Apply the patch to your version and rebuild

  C - Build your libcurl with another TLS backend to work around this flaw.


It was first reported to the curl project on April 21st 2016. We contacted
distros@...nwall on May 8th.

libcurl 7.49.0 was released on May 18 2016, coordinated with the publication
of this advisory.


Reported by Moti Avrahami. Patched by Daniel Stenberg.

Thanks a lot!



Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.