- Constantine Sapuntzakis provided the fix that ensures that an SSL connection

won't be reused unless protection level for peer and host verification match.
2009-11-14 02:30:30 +00:00 · 2009-11-14 02:30:30 +00:00 · 90bc6ee8f3
commit 90bc6ee8f3
parent 5e75817d44
4 changed files with 17 additions and 0 deletions
--- a/4
+++ b/4
@ -6,6 +6,10 @@

                                  Changelog

+Yang Tse (14 Nov 2009)
+- Constantine Sapuntzakis provided the fix that ensures that an SSL connection
+  won't be reused unless protection level for peer and host verification match.
+
 Kamil Dudka (12 Nov 2009)
 - Kevin Baughman provided a fix preventing libcurl-NSS from crash on doubly
  closed NSPR descriptor. The issue was hard to find, reported several times
--- a/1
+++ b/1
@ -18,6 +18,7 @@ This release includes the following bugfixes:
 o progress meter/callback during FTP connection
 o DNS cache timeout while transfer in progress
 o compilation when configured --with-gssapi having GNU GSS installed
+ o SSL connection reused with mismatched protection level

 This release includes the following known bugs:

--- a/lib/url.c
+++ b/lib/url.c
@ -2689,6 +2689,12 @@ ConnectionExists(struct SessionHandle *data,
      /* don't do mixed SSL and non-SSL connections */
      continue;

+    if(needle->protocol&PROT_SSL) {
+      if((data->set.ssl.verifypeer != check->verifypeer) ||
+         (data->set.ssl.verifyhost != check->verifyhost))
+        continue;
+    }
+
    if(needle->bits.proxy != check->bits.proxy)
      /* don't do mixed proxy and non-proxy connections */
      continue;
@ -4326,6 +4332,9 @@ static CURLcode create_conn(struct SessionHandle *data,
  conn->bits.ftp_use_epsv = data->set.ftp_use_epsv;
  conn->bits.ftp_use_eprt = data->set.ftp_use_eprt;

+  conn->verifypeer = data->set.ssl.verifypeer;
+  conn->verifyhost = data->set.ssl.verifyhost;
+
  if(data->multi && Curl_multi_canPipeline(data->multi) &&
      !conn->master_buffer) {
    /* Allocate master_buffer to be used for pipelining */
--- a/lib/urldata.h
+++ b/lib/urldata.h
@ -1083,6 +1083,9 @@ struct connectdata {
 #if defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI)
  int socks5_gssapi_enctype;
 #endif
+
+  long verifypeer;
+  long verifyhost;
 };

 /* The end of connectdata. */