TLS connection re-usage on the same hostname with different client certificate
From: Yongkang Huang via curl-library <curl-library_at_lists.haxx.se>
Date: Wed, 1 Dec 2021 23:52:44 +0000
Hi!
I'm not sure whether this is something that needs to be handled by the application or by libcurl.
When I reuse the TLS connection for a big payment company with the different accounts we integrate in our application, we call a hostname api.bigcompany.com with the client cert of each of these accounts for mTLS. After the TLS connection is built, a username/password is used for authentication in the following HTTP request.
However, since this company enforces that the username/password matches the client cert, we hit an issue:
1. All the requests go through the same CURLM, so connections can be reused.
2. CURLM searches the cached connections based on hostname, in this case api.bigcompany.com.
3. However, a TLS connection built by account A cannot be shared with account B because they are built with different client certs; otherwise the HTTP username/password authentication will fail.
I'm wondering whether the user should just shard the CURLM connection pool, or whether we should follow up by distinguishing cached connections based on some TLS cert information like a fingerprint.
Thanks
Yongkang Huang
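The two cache-key choices the post contrasts, hostname only versus hostname plus a client-certificate fingerprint, as an added model in Python. This is not libcurl's connection-cache code and says nothing about how libcurl actually matches connections; the account names, PEM strings, request order and HTTP status codes are all constructed for the example.

```python
"""Model of a TLS connection cache keyed per hostname versus per
(hostname, client-cert fingerprint).  Added example, not libcurl code."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str
    username: str
    password: str
    client_cert_pem: str  # constructed placeholder, not a real certificate


def cert_fingerprint(cert_pem: str) -> str:
    """SHA-256 over the PEM bytes stands in for a real DER fingerprint."""
    return hashlib.sha256(cert_pem.encode()).hexdigest()


@dataclass
class TLSConnection:
    host: str
    client_cert_fp: str  # identity the server saw during the mTLS handshake


class Server:
    """Models api.bigcompany.com: the request is accepted only when the
    HTTP username/password belongs to the account whose client cert was
    presented on the TLS connection carrying the request."""

    def __init__(self, accounts):
        self.cert_to_user = {cert_fingerprint(a.client_cert_pem): a.username
                             for a in accounts}
        self.passwords = {a.username: a.password for a in accounts}

    def handle(self, conn: TLSConnection, username: str, password: str) -> int:
        if self.passwords.get(username) != password:
            return 401  # wrong HTTP credentials
        if self.cert_to_user.get(conn.client_cert_fp) != username:
            return 403  # credentials do not match the cert on this connection
        return 200


class ConnectionPool:
    """Hands out cached connections; the key policy is the knob under test."""

    def __init__(self, key_includes_cert: bool):
        self.key_includes_cert = key_includes_cert
        self.conns = {}
        self.handshakes = 0  # count of new TLS handshakes performed

    def _key(self, host: str, fp: str):
        return (host, fp) if self.key_includes_cert else (host,)

    def get(self, host: str, account: Account) -> TLSConnection:
        fp = cert_fingerprint(account.client_cert_pem)
        conn = self.conns.get(self._key(host, fp))
        if conn is None:
            self.handshakes += 1
            conn = TLSConnection(host, fp)
            self.conns[self._key(host, fp)] = conn
        return conn


# Constructed sample accounts; the PEM bodies are placeholders only.
ACCOUNTS = [
    Account("A", "user-a", "pw-a", "-----BEGIN CERTIFICATE-----\nCERT-A\n"),
    Account("B", "user-b", "pw-b", "-----BEGIN CERTIFICATE-----\nCERT-B\n"),
]
HOST = "api.bigcompany.com"


def simulate(key_includes_cert: bool):
    """Send two interleaved rounds of requests (A, B, A, B) through one pool.
    Returns the list of HTTP status codes and the number of handshakes."""
    pool = ConnectionPool(key_includes_cert)
    server = Server(ACCOUNTS)
    statuses = []
    for acct in ACCOUNTS * 2:
        conn = pool.get(HOST, acct)
        statuses.append(server.handle(conn, acct.username, acct.password))
    return statuses, pool.handshakes


if __name__ == "__main__":
    print("hostname-only key:", simulate(key_includes_cert=False))
    print("hostname+cert key:", simulate(key_includes_cert=True))
```

With a hostname-only key the pool hands account B the connection that was authenticated with A's certificate, so every request from B is rejected by the server's credential-to-cert check. Adding the fingerprint to the key keeps one connection per client identity, at the cost of one extra handshake per account; sharding the pool per account, the other option raised in the post, amounts to the same thing done one level up.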
Received on 2021-12-02