curl-library

Re: Session ID Reuse in libcurl

From: Kamil Dudka <kdudka_at_redhat.com>
Date: Tue, 29 Nov 2016 12:38:36 +0100

On Monday, November 28, 2016 18:19:58 Lucas Pardue wrote:
> To expand on some of the detail Sam provided. We have a Wireshark trace
> where the old libcurl client (CentOS 7 libcurl/7.29.0 and NSS/3.19.1) makes
> several requests to different names on the same host. We observe the client
> reusing a session ID like so: (sanitisation-wise we have host example.net
> and certificate SAN example.net and *.example.net)

You might be hitting this bug:

    https://bugzilla.mozilla.org/1202264

curl works around the bug with the following patch:

    https://github.com/bagder/curl/commit/958d2ffb

... which is included in libcurl-7.29.0-30.el7 and newer.

Kamil
-------------------------------------------------------------------
Received on 2016-11-29