
Re: TLS connection re-usage on the same hostname with different client certificate

From: Daniel Stenberg via curl-library <>
Date: Thu, 2 Dec 2021 09:28:48 +0100 (CET)

On Wed, 1 Dec 2021, Yongkang Huang via curl-library wrote:

> 3. However, a TLS connection built by account A could not be shared with
> account B because they are built with different client certs, otherwise the
> HTTP username/password authentication will fail.
> I'm wondering whether the user should just shard the CURLM connection pool or we
> should follow up with distinguishing cached connections based on some TLS cert
> information like the fingerprint.

libcurl handles this situation automatically.

When finding a connection to the host name in the pool, and it uses TLS,
libcurl will also make sure that a number of TLS related properties match so
that reusing the connection still follows the options and restrictions set for
the current transfer. If a TLS connection uses a client certificate, it can only
be reused by another transfer if that transfer uses the *same* client
certificate. If it uses another client certificate, it will not be a match and
libcurl will continue searching for other connections to reuse or ultimately,
if failing that, create a new one.

In the code you can see this in lib/url.c:ConnectionExists() which is the big
find-a-connection-to-reuse function which in itself calls
lib/vtls/vtls.c:Curl_ssl_config_matches() to make sure the TLS config matches
before the connection is deemed okay to use.
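As an added illustration of the matching rule described above: the following is a stand-alone C model written for this page, not code from libcurl or from Daniel. The struct, the pool layout and the function names are assumptions that stand in for ConnectionExists() and Curl_ssl_config_matches(); the fields mirror CURLOPT_SSLCERT, CURLOPT_SSLKEY, CURLOPT_CAINFO, CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST, and the two-account scenario is constructed. It shows that a second transfer with the same client cert reuses the pooled connection, a transfer with a different client cert (or a different verification setting) gets a fresh one, and each account's connection stays available to that account only.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* TLS-relevant subset of a transfer's options (assumed names; each field
   comment names the libcurl option it stands in for). */
typedef struct {
    const char *host;
    int port;
    bool use_tls;
    const char *client_cert;  /* CURLOPT_SSLCERT */
    const char *client_key;   /* CURLOPT_SSLKEY */
    const char *cafile;       /* CURLOPT_CAINFO */
    bool verify_peer;         /* CURLOPT_SSL_VERIFYPEER */
    bool verify_host;         /* CURLOPT_SSL_VERIFYHOST */
} transfer_cfg;

#define POOL_MAX 8
typedef struct {
    transfer_cfg cfg[POOL_MAX];  /* the config each connection was opened with */
    int count;
} conn_pool;

static bool str_eq(const char *a, const char *b) {
    if (!a || !b) return a == b;          /* NULL only matches NULL */
    return strcmp(a, b) == 0;
}

/* Stand-in for Curl_ssl_config_matches(): every TLS property must agree. */
static bool ssl_config_matches(const transfer_cfg *a, const transfer_cfg *b) {
    return str_eq(a->client_cert, b->client_cert) &&
           str_eq(a->client_key, b->client_key) &&
           str_eq(a->cafile, b->cafile) &&
           a->verify_peer == b->verify_peer &&
           a->verify_host == b->verify_host;
}

/* Stand-in for ConnectionExists(): first pooled connection to the same
   host:port whose TLS config matches the wanted transfer, or -1 if none. */
static int find_reusable(const conn_pool *pool, const transfer_cfg *want) {
    for (int i = 0; i < pool->count; i++) {
        const transfer_cfg *have = &pool->cfg[i];
        if (!str_eq(have->host, want->host) || have->port != want->port)
            continue;
        if (have->use_tls != want->use_tls)
            continue;
        if (want->use_tls && !ssl_config_matches(have, want))
            continue;                     /* other client cert etc.: no match */
        return i;
    }
    return -1;
}

/* Run one transfer: reuse a matching connection or open a new one.
   Returns the index of the connection used; *reused says which happened. */
static int do_transfer(conn_pool *pool, const transfer_cfg *cfg, bool *reused) {
    int idx = find_reusable(pool, cfg);
    if (idx >= 0) {
        *reused = true;
        return idx;
    }
    if (pool->count >= POOL_MAX)
        return -1;                        /* pool full; not modelled further */
    *reused = false;
    pool->cfg[pool->count] = *cfg;
    return pool->count++;
}

/* Constructed scenario (not from the mail): account A authenticates with
   certA, account B with certB, both against the same host. */
#define HOST "api.example.com"
static const transfer_cfg SCENARIO[] = {
    {HOST, 443, true, "certA.pem", "keyA.pem", "ca.pem", true, true},  /* A */
    {HOST, 443, true, "certA.pem", "keyA.pem", "ca.pem", true, true},  /* A */
    {HOST, 443, true, "certB.pem", "keyB.pem", "ca.pem", true, true},  /* B */
    {HOST, 443, true, "certA.pem", "keyA.pem", "ca.pem", true, true},  /* A */
    {HOST, 443, true, "certB.pem", "keyB.pem", "ca.pem", true, true},  /* B */
    {HOST, 443, true, "certA.pem", "keyA.pem", "ca.pem", false, true}, /* A, VERIFYPEER off */
};
#define SCENARIO_LEN ((int)(sizeof SCENARIO / sizeof SCENARIO[0]))

/* Replay the scenario from an empty pool through step n (0-based); return the
   connection index used at step n and whether it came from the pool. */
static int scenario_step(int n, bool *reused) {
    conn_pool pool = {0};
    int idx = -1;
    for (int i = 0; i <= n && i < SCENARIO_LEN; i++)
        idx = do_transfer(&pool, &SCENARIO[i], reused);
    return idx;
}
static int scenario_conn_id(int n) { bool r = false; return scenario_step(n, &r); }
static int scenario_reused(int n) { bool r = false; scenario_step(n, &r); return r; }

int main(void) {
    conn_pool pool = {0};
    for (int i = 0; i < SCENARIO_LEN; i++) {
        bool reused = false;
        int idx = do_transfer(&pool, &SCENARIO[i], &reused);
        printf("transfer %d cert=%s verifypeer=%d -> conn %d (%s)\n", i,
               SCENARIO[i].client_cert, SCENARIO[i].verify_peer, idx,
               reused ? "reused" : "new");
    }
    return 0;
}
```

The real Curl_ssl_config_matches() compares a longer list of TLS options than this model, but the principle is the same: the client certificate is part of the key that decides reuse, so no sharding of the CURLM pool is needed for the case in the question. To confirm it against a live libcurl build, set CURLOPT_VERBOSE on the handles and watch for the "Re-using existing connection" line: it should appear for the second transfer of the same account and be absent when the other account's cert is used.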


Received on 2021-12-02