{"id":"CURL-CVE-2016-3739","summary":"TLS certificate check bypass with mbedTLS/PolarSSL","details":"libcurl did not check the server certificate of TLS connections done to a host\nspecified as an IP address, or when explicitly asked to use SSLv3.\n\nThis flaw only exists when libcurl is built to use mbedTLS or PolarSSL as the\nTLS backend.\n\nThe documentation for mbedTLS and PolarSSL (wrongly) says that the API\nfunction `ssl_set_hostname()` is used only for setting the name for the TLS\nextension SNI. The set string is however even more importantly used by the\nlibraries to verify the server certificate, and if no \"hostname\" is set it\nskips the check and successfully continue with the handshake.\n\nlibcurl would wrongly avoid using the function when the specified hostname was\ngiven as an IP address or when SSLv3 is used, as SNI is not supposed to be\nused then. This then leads to that all uses of TLS oriented protocols (HTTPS,\nFTPS, IMAPS, POPS3, SMTPS, etc) allows connections to servers with unverified\nserver certificates as long as they are specified as IP addresses or using\nSSLv3.\n\nBy tricking a libcurl-using client to use a URL with a host specified as IP\naddress only, an application could be made to connect to an impostor server or\nMan In The Middle host without noticing.\n\nNote: PolarSSL is the old name and releases of the library that nowadays is\nknown and released under the name mbedTLS.","aliases":["CVE-2016-3739"],"modified":"2026-05-19T14:06:59.115002Z","published":"2016-05-18T08:00:00Z","database_specific":{"URL":"https://curl.se/docs/CVE-2016-3739.json","www":"https://curl.se/docs/CVE-2016-3739.html","last_affected":"7.48.0","CWE":{"id":"CWE-297","desc":"Improper Validation of Certificate with Host Mismatch"},"package":"curl","severity":"High","affects":"both"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.21.0"},{"fixed":"7.49.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"51427e1947ddc07b4ce8ad9dcb04846125170f83"},{"fixed":"6efd2fa529a189bf41736a610f6184cd8ad94b4d"}]}],"versions":["7.48.0","7.47.1","7.47.0","7.46.0","7.45.0","7.44.0","7.43.0","7.42.1","7.42.0","7.41.0","7.40.0","7.39.0","7.38.0","7.37.1","7.37.0","7.36.0","7.35.0","7.34.0","7.33.0","7.32.0","7.31.0","7.30.0","7.29.0","7.28.1","7.28.0","7.27.0","7.26.0","7.25.0","7.24.0","7.23.1","7.23.0","7.22.0","7.21.7","7.21.6","7.21.5","7.21.4","7.21.3","7.21.2","7.21.1","7.21.0","curl-7_48_0","curl-7_47_1","curl-7_47_0","curl-7_46_0","curl-7_45_0","curl-7_44_0","curl-7_43_0","curl-7_42_0","curl-7_41_0","curl-7_40_0","curl-7_39_0","curl-7_38_0","curl-7_37_1","curl-7_37_0","curl-7_36_0","curl-7_35_0","curl-7_34_0","curl-7_33_0","curl-7_32_0","curl-7_31_0","curl-7_30_0","curl-7_29_0","curl-7_28_1","curl-7_28_0","curl-7_27_0","curl-7_26_0","curl-7_25_0","curl-7_23_1","curl-7_23_0","curl-7_22_0","curl-7_21_7","curl-7_21_6","curl-7_21_5","curl-7_21_4","curl-7_21_3","curl-7_21_2","curl-7_21_1","curl-7_21_0"],"database_specific":{"vanir_signatures_modified":"2026-05-19T14:06:59Z","source":"https://curl.se/docs/CURL-CVE-2016-3739.json","vanir_signatures":[{"signature_version":"v1","deprecated":false,"digest":{"line_hashes":["202569997823797167088441078705887588675","140997351942235197458575876881876230698","95856649312950224624428804969501053919","231872359366839169123633691355951768597","242123234287323998123007407185640467515","188319951280381205884646307466977721287","32464786281486503244053591555064270046","340133065903618466084750668242347162542","6829067414076471645178413472443550005","278215882298194168328363957778405548004"],"threshold":0.9},"source":"https://github.com/curl/curl.git/commit/6efd2fa529a189bf41736a610f6184cd8ad94b4d","signature_type":"Line","target":{"file":"lib/vtls/mbedtls.c"},"id":"CURL-CVE-2016-3739-1f7cde52"},{"signature_version":"v1","deprecated":false,"digest":{"line_hashes":["91477970112647442103438772945601033890","218301914338796467834243165078488752148","199157532542976154053541621729926549550","231872359366839169123633691355951768597","303354181271854098824122155148907554613","223636590846625461169116129542565210113","134873669455333081670362266164411366586","197549729935323838870862303803933001812","331061034828677157003209928854333536774","278215882298194168328363957778405548004"],"threshold":0.9},"source":"https://github.com/curl/curl.git/commit/6efd2fa529a189bf41736a610f6184cd8ad94b4d","signature_type":"Line","target":{"file":"lib/vtls/polarssl.c"},"id":"CURL-CVE-2016-3739-47e09da7"},{"signature_version":"v1","deprecated":false,"digest":{"length":6840,"function_hash":"278335692291154105246462499520271183002"},"source":"https://github.com/curl/curl.git/commit/6efd2fa529a189bf41736a610f6184cd8ad94b4d","signature_type":"Function","target":{"file":"lib/vtls/polarssl.c","function":"polarssl_connect_step1"},"id":"CURL-CVE-2016-3739-930f1429"},{"signature_version":"v1","deprecated":false,"digest":{"length":7431,"function_hash":"119002447290259833848037898670058351115"},"source":"https://github.com/curl/curl.git/commit/6efd2fa529a189bf41736a610f6184cd8ad94b4d","signature_type":"Function","target":{"file":"lib/vtls/mbedtls.c","function":"mbed_connect_step1"},"id":"CURL-CVE-2016-3739-f3299443"}]}}],"schema_version":"1.7.5","credits":[{"name":"Moti Avrahami","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"}]}