
TLS connection re-usage on the same hostname with different client certificate

From: Yongkang Huang via curl-library <curl-library_at_lists.haxx.se>
Date: Wed, 1 Dec 2021 23:52:44 +0000

Hi!

I'm not sure whether this is something that needs to be handled by the application or by libcurl.
When I reuse the TLS connection for a big payment company with the different accounts we integrate in our application, we call a hostname api.bigcompany.com with the client cert of these accounts for mTLS. After the TLS connection is built, a username/password is used for authentication in the following HTTP request.

However, this company enforces a match between the username/password and the client cert, and we hit an issue in that:

  1. All the requests go through the same CURLM, so connections can be reused.
  2. CURLM will search for a cached connection based on hostname, in this case api.bigcompany.com.
  3. However, a TLS connection built by account A cannot be shared with account B because they are built with different client certs; otherwise the HTTP username/password authentication will fail.

I'm wondering whether users should just shard the CURLM connection pool, or whether we should follow up with distinguishing cached connections based on some TLS cert information like a fingerprint.

Thanks

Yongkang Huang
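The cache-key question raised above, shown as an added example that is not libcurl's own code: a constructed model of a connection pool where a hostname-only lookup hands account B a connection that was authenticated with account A's client cert, next to a lookup that includes the client-cert fingerprint in the key. The host and fingerprint strings are constructed placeholders.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model: each pooled TLS connection remembers the host it was
 * opened to and the client certificate it presented in the handshake,
 * identified by a fingerprint string (NULL when no client cert was sent). */
typedef struct {
    const char *host;
    const char *client_cert_fp;
    int id;                     /* 1-based; 0 means "no cached connection" */
} pooled_conn;

#define POOL_MAX 8
static pooled_conn pool[POOL_MAX];
static int pool_len;

static void pool_reset(void) { pool_len = 0; }

static int pool_add(const char *host, const char *fp) {
    if (pool_len >= POOL_MAX) return 0;
    pool[pool_len].host = host;
    pool[pool_len].client_cert_fp = fp;
    pool[pool_len].id = pool_len + 1;
    return pool[pool_len++].id;
}

static int same_str(const char *a, const char *b) {
    if (a == NULL || b == NULL) return a == b;
    return strcmp(a, b) == 0;
}

/* Weak lookup: hostname only. Any account gets any connection to the host,
 * including one authenticated with a different client cert. */
static int find_by_host(const char *host) {
    for (int i = 0; i < pool_len; i++)
        if (strcmp(pool[i].host, host) == 0) return pool[i].id;
    return 0;
}

/* Stricter lookup: the client-cert fingerprint is part of the cache key, so a
 * miss (0) tells the caller to open a fresh connection for this account. */
static int find_by_host_and_cert(const char *host, const char *fp) {
    for (int i = 0; i < pool_len; i++)
        if (strcmp(pool[i].host, host) == 0 && same_str(pool[i].client_cert_fp, fp))
            return pool[i].id;
    return 0;
}

int main(void) {
    pool_reset();
    pool_add("api.bigcompany.com", "fp-account-A");   /* constructed values */
    printf("host-only lookup for account B: conn %d (shared, wrong)\n", find_by_host("api.bigcompany.com"));
    printf("host+cert lookup for account B: conn %d (0 = open new)\n",
           find_by_host_and_cert("api.bigcompany.com", "fp-account-B"));
    return 0;
}
```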




Received on 2021-12-02