In November, I asked if a CVE had been assigned to Axis2/C for failing to check hostnames when validating SSL/TLS certificates: http://www.openwall.com/lists/oss-security/2012/11/07/1 This was part of the fallout from this paper: http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf I was not confident enough in my reading of the source code to say that Axis2/C was vulnerable, so I did not pursue the issue at the time. Since then, I have re-read the code, emailed three developers privately, emailed the axis-c-dev mail list, and filed a JIRA bug report. None of these communications have received any kind of response. https://issues.apache.org/jira/browse/AXIS2C-1619 http://mail-archives.apache.org/mod_mbox/axis-c-dev/201301.mbox/browser Please assign a CVE for Axis2/C for failing to validate hostnames when checking SSL certificates.