cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: [PATCHv2] mbedtls: Implement CURLOPT_PINNEDPUBLICKEY

From: Thomas Glanzmann <thomas_at_glanzmann.de>
Date: Mon, 11 Jan 2016 18:56:15 +0100

Hello Ray,

> - There is a comment in the code that says a peer cert is not available
> after an SSL session resume, specifically "If the session was resumed, there
> will be no peer cert". It appears that was copied from PolarSSL. I looked in
> the mbedTLS documentation to confirm but there's nothing documented in
> mbedtls_ssl_get_peer_cert. However mbedtls_ssl_get_session [2] has a notice
> that says "Currently, peer certificate is lost in the operation." Yet I
> tested it and the peer certificate seems to be available on resume:

> ./curl -v --pinnedpubkey sha256//C4G4mPCYzTEVZBFSwJ5u+IxQYaKOxhQwBz7YeD/ELxk= https://google.com https://google.com

for me this command uses the _same_ connection. If I add a '-0' to force
HTTP/1.0 it uses two connections. However according to my wireshark
output and the documentation does not support SSL resumption using
session ids but only using SSL tickets. However even if I reconfigure my
https server to support ssl tickets, I get the following message in my
curl output 'old SSL session ID is stale, removing' which indicates that
it does not reuse the session whatever I do. I'll ask on the mbedtls
mailinglist what the current state is. If someone knows what I need to
do to see a SSL session resumption using mbedtls let me know.

Cheers,
        Thomas
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2016-01-11