- Michael Smith posted bug report #2786255
(http://curl.haxx.se/bug/view.cgi?id=2786255) with a patch, identifying how libcurl did not deal with SSL session ids properly if the server rejected a re-use of one. Starting now, it will forget the rejected one and remember the new. This change was for OpenSSL only, it is likely that other SSL lib code needs similar fixes.
This commit is contained in:
Daniel Stenberg
44
lib/ssluse.c
44
lib/ssluse.c
@@ -2177,35 +2177,43 @@ ossl_connect_step3(struct connectdata *conn,
|
||||
int sockindex)
|
||||
{
|
||||
CURLcode retcode = CURLE_OK;
|
||||
void *ssl_sessionid=NULL;
|
||||
void *old_ssl_sessionid=NULL;
|
||||
struct SessionHandle *data = conn->data;
|
||||
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
|
||||
int incache;
|
||||
SSL_SESSION *our_ssl_sessionid;
|
||||
|
||||
DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
|
||||
|
||||
if(Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL)) {
|
||||
/* Since this is not a cached session ID, then we want to stach this one
|
||||
in the cache! */
|
||||
SSL_SESSION *our_ssl_sessionid;
|
||||
#ifdef HAVE_SSL_GET1_SESSION
|
||||
our_ssl_sessionid = SSL_get1_session(connssl->handle);
|
||||
our_ssl_sessionid = SSL_get1_session(connssl->handle);
|
||||
|
||||
/* SSL_get1_session() will increment the reference
|
||||
count and the session will stay in memory until explicitly freed with
|
||||
SSL_SESSION_free(3), regardless of its state.
|
||||
This function was introduced in openssl 0.9.5a. */
|
||||
/* SSL_get1_session() will increment the reference
|
||||
count and the session will stay in memory until explicitly freed with
|
||||
SSL_SESSION_free(3), regardless of its state.
|
||||
This function was introduced in openssl 0.9.5a. */
|
||||
#else
|
||||
our_ssl_sessionid = SSL_get_session(connssl->handle);
|
||||
our_ssl_sessionid = SSL_get_session(connssl->handle);
|
||||
|
||||
/* if SSL_get1_session() is unavailable, use SSL_get_session().
|
||||
This is an inferior option because the session can be flushed
|
||||
at any time by openssl. It is included only so curl compiles
|
||||
under versions of openssl < 0.9.5a.
|
||||
/* if SSL_get1_session() is unavailable, use SSL_get_session().
|
||||
This is an inferior option because the session can be flushed
|
||||
at any time by openssl. It is included only so curl compiles
|
||||
under versions of openssl < 0.9.5a.
|
||||
|
||||
WARNING: How curl behaves if it's session is flushed is
|
||||
untested.
|
||||
*/
|
||||
WARNING: How curl behaves if it's session is flushed is
|
||||
untested.
|
||||
*/
|
||||
#endif
|
||||
|
||||
incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL));
|
||||
if (incache) {
|
||||
if (old_ssl_sessionid != our_ssl_sessionid) {
|
||||
infof(data, "old SSL session ID is stale, removing\n");
|
||||
Curl_ssl_delsessionid(conn, old_ssl_sessionid);
|
||||
incache = FALSE;
|
||||
}
|
||||
}
|
||||
if (!incache) {
|
||||
retcode = Curl_ssl_addsessionid(conn, our_ssl_sessionid,
|
||||
0 /* unknown size */);
|
||||
if(retcode) {
|
||||
|
||||
Reference in New Issue
Block a user