
https://gist.github.com/rmoriz/fb2b0a6a0ce10550ab73

http://i.imgur.com/CoALymQ.png

(I've not checked that on iOS or Apple TV, just on OSX. Maybe it's another issue, but the update description pretty much fits too well ;-)




Holy shit! So they are really not checking the CN and knew it since 2013-11-28. I've lost the last bit of respect I had for Apple (that was mostly building WebKit) now.

(I deleted my gp, because it's pretty much obsolete now with your full disclosure. Thanks!)


FYI: This curl bug is totally unrelated to the bug just patched.


If they aren't, it's quite a coincidence ;-) Curl relies on third-party libraries for SSL.

http://daniel.haxx.se/blog/2012/06/28/darwin-native-ssl-for-...

Secure Transport by Apple is also known as Darwin/SSL.


Interesting: bare IP addresses as you demonstrated but they do still appear to catch mismatched hostnames:

https://213.133.107.227.xip.io/

Still an epic QA failure but much less of a threat if it doesn't allow arbitrary MITM attacks.


Doesn't seem to do it in 10.9.2 which is using the same curl version: http://pastebin.com/AZ38WYaB


So OS X as well as iOS?


I think so but I only discovered the OSX issue.


Good find. What about 10.8 and earlier? Have you heard anything about iOS6?


Nope. I'm just a Ruby developer, not a security researcher :)



