curl-library

libcurl and recycled https connections

From: <RBramante_at_on.com>
Date: Tue, 11 Mar 2003 15:21:30 -0500

This is something I found today doing some negative testing for our app.

1) I make an https connection to a server with both host/peer verifications
disabled.
2) https connection succeeds and I receive the expected data.
3) Now I make the request again, only this time I request it with peer
verification enabled, hostname matching. The deal is, it should never get
to this stage because I pass in a bad path to the ca_cert file. It doesn't
exist.
4) Surprisingly, the connection blasts through and I get the same data as in
#2.

I think there is an issue with handle reuse and cached ssl data, because
the above steps will continue ad infinitum as long as debug shows
"Re-using existing connection! (#0)". If I wait around a bit and the debug
shows "Connection 0 seems to be dead!" then the connection fails as I
expected with "[35] error setting cerficate verify locations". Corollary
to this, if I request the misconfigured connection when the app first
starts it will fail indefinitely as expected. But then as soon as a
successful https connection establishes it will succeed as long as the
handle remains intact.

My guess is that the connection cache may not be taking changes in the
requested ssl config into account when finding a connection to reuse?

I'm not sure how serious I would consider this, since would there be a real
world scenario where you would toggle ssl parameters like this?
Nevertheless, I suppose it is misleading in that you are requesting
specific behavior that is being ignored.

Comments?

Received on 2003-03-11
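
The following is an added example, not part of the original message and not libcurl's code: a small model of a connection cache showing why a lookup keyed only on host and port hands back a connection negotiated with verification disabled, and how comparing the TLS settings prevents that. All struct and function names, the host `example.test` and the CA path are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical model of a connection cache; no name here is libcurl's. */
struct ssl_config {
    bool verify_peer;
    bool verify_host;
    const char *ca_file;    /* NULL means "library default" */
};
struct conn {
    const char *host;
    int port;
    struct ssl_config ssl;  /* settings in force when the handshake ran */
    bool alive;
};

static bool str_eq(const char *a, const char *b) {
    if (a == NULL || b == NULL)
        return a == b;
    return strcmp(a, b) == 0;
}
static bool ssl_config_eq(const struct ssl_config *a, const struct ssl_config *b) {
    return a->verify_peer == b->verify_peer &&
           a->verify_host == b->verify_host && str_eq(a->ca_file, b->ca_file);
}
static bool endpoint_eq(const struct conn *c, const char *host, int port) {
    return c->alive && c->port == port && str_eq(c->host, host);
}

/* Lookup the post guesses at: host and port only, TLS settings ignored. */
struct conn *find_reusable_loose(struct conn *cache, size_t n,
                                 const char *host, int port) {
    for (size_t i = 0; i < n; i++)
        if (endpoint_eq(&cache[i], host, port))
            return &cache[i];
    return NULL;
}

/* Stricter lookup: reuse only a connection negotiated under the same
   verification settings that the new request asks for. */
struct conn *find_reusable_strict(struct conn *cache, size_t n, const char *host,
                                  int port, const struct ssl_config *want) {
    for (size_t i = 0; i < n; i++)
        if (endpoint_eq(&cache[i], host, port) && ssl_config_eq(&cache[i].ssl, want))
            return &cache[i];
    return NULL;
}
```

With the strict lookup, the second request in the steps above finds no reusable connection, so a new handshake runs and the bad CA path is actually evaluated.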