curl-library

Re: Session ID Reuse in libcurl

From: Samuel Hurst <samuelh_at_rd.bbc.co.uk>
Date: Mon, 28 Nov 2016 14:24:21 +0000

Hi Daniel,

On 28/11/16 14:00, Daniel Stenberg wrote:
> No, it was introduced back in 2002... but session ID reuse should work
> even without the use of the share interface. I think it could still be
> interesting to do the test as it could help pinpoint where the problem lies.

I'll let you know how I get on.

> We don't have any test cases for session ID reuse so maybe it broke at
> some point and nobody noticed. Do you have an easy/good way to test this?

I can reproduce it using the curl command line. Unfortunately the exact
server I'm testing with is not public-facing, I can try and get
something set up, but in the meantime I'll try and describe the process
below in case someone else has something suitable:

There's a single server resolving to IP address a.b.c.d, with two
hostnames a.foo.bar and b.foo.bar listed in the SSL certificate.
According to the curl manpage: "By default all transfers are done using
the (SSL) cache" so just doing:

curl https://a.foo.bar/something.txt https://b.foo.bar/else.txt

Should work. I tried setting "--sessionid" to force it but it made no
difference.

-Sam

Received on 2016-11-28