Hi all,
I just wanted to make sure everybody is aware of this critical bug in the SSL client implementations (HTTPS, SMTP/TLS, …): https://github.com/rejectedsoftware/vibe.d/issues/469
It results in the connection being vulnerable to man-in-the-middle attacks, as any valid certificate will be accepted by the client code, even if it is not issued for the correct host name/IP.
Best,
David
(As I'm not aware of any production vibe.d deployments where this could be an exploitable issue yet, I chose to immediately publish this. If anybody wants me to follow usual Responsible Disclosure procedures in the future, please let me know, although this should also be documented on vibed.org.)
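
The check whose absence the announcement describes, as an added example (not part of the original post and not vibe.d code): chain validation proves only that a trusted CA issued the certificate, so a client must also confirm that the certificate names the host it dialed. The certificate dictionaries follow the layout of Python's `ssl.SSLSocket.getpeercert()`; all host names, addresses and function names are constructed for illustration.

```python
import ipaddress

def _dns_match(pattern: str, host: str) -> bool:
    """RFC 6125-style match: a wildcard is allowed only as the whole left-most label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        # "*.example.org" never spans several labels, and "*.org" is too broad
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return "*" not in pattern and p_labels == h_labels

def cert_matches_host(cert: dict, host: str) -> bool:
    """True if the certificate was issued for the host name or IP we connected to."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # IP targets are compared to iPAddress SANs only, never to DNS names
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in sans)
    dns = [v for k, v in sans if k == "DNS"]
    if not dns:
        # Legacy fallback to the subject CN, only when no dNSName SAN is present
        dns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_match(name, host) for name in dns)

def accept_connection(cert: dict, host: str, chain_valid: bool = True) -> bool:
    """Accept only if the chain validates AND the certificate names the dialed peer."""
    return chain_valid and cert_matches_host(cert, host)

# Constructed samples: both certificates are assumed to chain to a trusted CA.
OTHER_SITE_CERT = {
    "subject": ((("commonName", "other.example.net"),),),
    "subjectAltName": (("DNS", "other.example.net"), ("DNS", "*.other.example.net")),
}
INTENDED_CERT = {
    "subject": ((("commonName", "mail.example.org"),),),
    "subjectAltName": (("DNS", "mail.example.org"), ("IP Address", "192.0.2.10")),
}

if __name__ == "__main__":
    # A client that stops at chain validation would accept both of these.
    print(accept_connection(INTENDED_CERT, "mail.example.org"))    # True
    print(accept_connection(OTHER_SITE_CERT, "mail.example.org"))  # False
```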