curl-library

Re: libcurl and recycled https connections

From: Götz Babin-Ebell <babin-ebell_at_trustcenter.de>
Date: Tue, 11 Mar 2003 21:48:13 +0100

Hello,

RBramante_at_on.com wrote:
> This is something I found today doing some negative testing for our app.
>
> 1) I make an https connection to a server with both host/peer verifications
> disabled.
> 2) https connection succeeds and I receive the expected data.
> 3) Now I make the request again, only this time I request it with peer
> verification enabled, hostname matching. The deal is, it should never get
> to this stage because I pass in a bad path to the ca_cert file. It doesn't
> exist.
> 4) Surprisingly, the connection blasts through and I get the same data as in
> #2.

> I think there is an issue with handle reuse and cached ssl data, because
> the above steps will continue ad infinitum as long as debug shows
> "Re-using existing connection! (#0)". If I wait around a bit and the debug
> shows "Connection 0 seems to be dead!" then the connection fails as I
> expected with "[35] error setting certificate verify locations". Corollary
> to this, if I request the misconfigured connection when the app first
> starts it will fail indefinitely as expected. But then as soon as a
> successful https connection establishes it will succeed as long as the
> handle remains intact.

> My guess is that the connection cache may not be taking changes in the
> requested ssl config into account when finding a connection to reuse?
Yep.

As long as there is a valid session to reuse,
no certificates are passed and no certificate verification is done.

This results in a speedup of session startup.
But it requires that your local configuration is not changed.

> I'm not sure how serious I would consider this, since would there be a real
> world scenario where you would toggle ssl parameters like this?

If you do that, you must drop your session cache.
This is a mishandling of the SSL connection.

Bye

Goetz

-- 
Goetz Babin-Ebell, TC TrustCenter AG, http://www.trustcenter.de
Sonninstr. 24-28, 20097 Hamburg, Germany
Tel.: +49-(0)40 80 80 26 -0,  Fax: +49-(0)40 80 80 26 -126
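The cache-matching problem described in this thread, modelled as an added example (not libcurl's own code; struct, field and function names are assumptions): a cached connection may only be reused when the TLS settings it was opened with agree with those of the new request, otherwise a connection that was never verified can silently satisfy a request that demanded verification.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Illustrative model, not libcurl's own code: the TLS settings a cached
 * connection was opened with. Field names are assumptions. */
struct ssl_config {
    bool verify_peer;    /* like CURLOPT_SSL_VERIFYPEER */
    bool verify_host;    /* like CURLOPT_SSL_VERIFYHOST */
    const char *ca_file; /* like CURLOPT_CAINFO, may be NULL */
};

struct cached_conn {
    bool alive;          /* false once the connection "seems to be dead" */
    const char *host;
    struct ssl_config ssl;
};

static bool str_eq(const char *a, const char *b) {
    return (a == NULL || b == NULL) ? a == b : strcmp(a, b) == 0;
}
/* Two TLS configurations match only when every verification setting agrees. */
bool ssl_config_matches(const struct ssl_config *a, const struct ssl_config *b) {
    return a->verify_peer == b->verify_peer && a->verify_host == b->verify_host &&
           str_eq(a->ca_file, b->ca_file);
}

/* Behaviour from the report: reuse whenever host matches and the socket is
 * alive, so a connection opened unverified satisfies a strict request. */
bool reuse_host_only(const struct cached_conn *c, const char *host,
                     const struct ssl_config *want) {
    (void)want; /* the requested TLS settings are never consulted */
    return c->alive && strcmp(c->host, host) == 0;
}

/* Corrected matching: TLS configuration is part of the cache key, so any
 * changed setting forces a fresh handshake and therefore fresh verification. */
bool reuse_with_ssl_check(const struct cached_conn *c, const char *host,
                          const struct ssl_config *want) {
    return c->alive && strcmp(c->host, host) == 0 && ssl_config_matches(&c->ssl, want);
}

int main(void) {
    /* Constructed scenario: opened with verification off, then re-requested
     * with verification on and a CA file path that does not exist. */
    struct cached_conn conn = { true, "example.test", { false, false, NULL } };
    struct ssl_config strict = { true, true, "/nonexistent/ca-bundle.crt" };
    printf("host-only reuse: %d\n", reuse_host_only(&conn, "example.test", &strict));
    printf("ssl-aware reuse: %d\n", reuse_with_ssl_check(&conn, "example.test", &strict));
    return 0;
}
```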

Received on 2003-03-11