curl-library

RE: Session ID Reuse in libcurl

From: Lucas Pardue <Lucas.Pardue_at_bbc.co.uk>
Date: Mon, 28 Nov 2016 18:19:58 +0000

Hi Daniel,

> On Mon, 28 Nov 2016, Daniel Stenberg wrote:
>
> > curl https://a.foo.bar/something.txt https://b.foo.bar/else.txt
> >
> > Should work. I tried setting "--sessionid" to force it but it made no
> > difference.
>
> Sorry but no, libcurl will only try to reuse session IDs for connections done to
> the same name, port and protocol as used previously.
>

I find this topic really interesting. Are the rules you describe just for libcurl or is that how all (good) TLS clients are supposed to behave? I've searched for a definitive, simple answer to session ID reuse but it has so far escaped me. Session reuse is talked about in the various RFCs I have come across but when SNI is thrown into the mix I'm unsure as to the answer.

The reason I ask is because if it is allowed by the specs, this may be something we wish to explore implementing in the codebase. If this is something the specs recommend not to do, then it should certainly not be implemented.

To expand on some of the detail Sam provided. We have a Wireshark trace where the old libcurl client (CentOS 7 libcurl/7.29.0 and NSS/3.19.1) makes several requests to different names on the same host. We observe the client reusing a session ID like so: (sanitisation-wise we have host example.net and certificate SAN example.net and *.example.net)

example.net (no session ID, SNI example.net, session ID X returned by server)
1.example.net (give session ID X, SNI 1.example.net)
2.example.net (give session ID X, SNI 2.example.net)
3.example.net (give session ID X, SNI 3.example.net)
4.example.net (give session ID X, SNI 4.example.net)
5.example.net (give session ID X, SNI 5.example.net)

Regards
Lucas
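
An added example, not part of the original message and not libcurl or NSS code: a small ClientHello parser that reads the offered session ID and the SNI name, then reports any session ID offered under more than one name, which is the pattern in the trace above. The byte strings are constructed samples (a zeroed random, one cipher suite, and a made-up 32-byte value standing in for "session ID X"); all function names are hypothetical.

```python
import struct
from collections import defaultdict

def build_client_hello(sni: str, session_id: bytes = b"") -> bytes:
    """Constructed sample input: a minimal TLS 1.2 ClientHello handshake message."""
    name = sni.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 = host_name
    sni_data = struct.pack("!H", len(entry)) + entry           # server_name_list
    ext = struct.pack("!HH", 0, len(sni_data)) + sni_data      # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32)                            # version, zeroed random
            + bytes([len(session_id)]) + session_id            # offered session ID
            + struct.pack("!H", 2) + b"\x00\x2f"               # one cipher suite
            + b"\x01\x00"                                      # null compression only
            + struct.pack("!H", len(ext)) + ext)
    return b"\x01" + len(body).to_bytes(3, "big") + body

def parse_client_hello(msg: bytes):
    """Return (session_id, sni) from a ClientHello message; sni is None if absent."""
    if msg[:1] != b"\x01" or len(msg) < 4:
        raise ValueError("not a ClientHello handshake message")
    end = min(len(msg), 4 + int.from_bytes(msg[1:4], "big"))
    pos = 4 + 2 + 32                                           # header, version, random
    sid_len = msg[pos]
    session_id = msg[pos + 1:pos + 1 + sid_len]
    pos += 1 + sid_len
    pos += 2 + struct.unpack_from("!H", msg, pos)[0]           # skip cipher suites
    pos += 1 + msg[pos]                                        # skip compression methods
    if pos + 2 > end:
        return session_id, None                                # no extensions block
    pos += 2                                                   # skip extensions length
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", msg, pos)
        pos += 4
        if etype == 0:                                         # list_len(2) type(1) name_len(2)
            nlen = struct.unpack_from("!H", msg, pos + 3)[0]
            return session_id, msg[pos + 5:pos + 5 + nlen].decode("ascii")
        pos += elen
    return session_id, None

def cross_name_reuse(hellos):
    """Map each offered session ID (hex) to its SNI names, keeping IDs seen with >1 name."""
    seen = defaultdict(list)
    for msg in hellos:
        sid, sni = parse_client_hello(msg)
        if sid and sni not in seen[sid.hex()]:
            seen[sid.hex()].append(sni)
    return {sid: names for sid, names in seen.items() if len(names) > 1}

X = bytes(range(32))  # constructed stand-in for "session ID X"
TRACE = [build_client_hello("example.net")] + [build_client_hello(f"{i}.example.net", X) for i in range(1, 6)]
```

Only ClientHello messages are inspected, so the report lists the names a session ID was offered under; the name it was originally issued for would come from the matching ServerHello.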


Received on 2016-11-28