On Fri, Nov 11, 2016 at 01:23:31PM +0100, Jan Niehusmann wrote: > Hi, > > But who knows which other packages are silently broken the same way?
At least something like that also came up with xmltooling. It's probably caused by this: curl_easy_setopt(easy, CURLOPT_SSL_CTX_FUNCTION, &sslCtxFunction_cb); You get an SSL_CTX from OpenSSL 1.1 and you call an OpenSSL 1.0 function with that handle. And libcurl really shouldn't have been exposing such functions directly. If something like that is really needed libcurl should have made a proper wrapper. PS: Is there a reason zurl implements it's own hostname validation checking an doesn't just use libcurls? Kurt
