- Yehoshua Hershberg found a problem that would make libcurl re-use a

  connection with the multi interface even if a previous use of it caused a
  CURLE_PEER_FAILED_VERIFICATION to get returned. I now make sure that failed
  SSL connections properly close the connections.

4 files changed, 12 insertions, 6 deletions

diff --git a/CHANGES b/CHANGES
index f9a3c9fba..dce9c68c5 100644
--- a/CHANGES
+++ b/CHANGES
@@ -6,6 +6,12 @@
 
                                   Changelog
 
+Daniel Stenberg (5 Aug 2008)
+- Yehoshua Hershberg found a problem that would make libcurl re-use a
+  connection with the multi interface even if a previous use of it caused a
+  CURLE_PEER_FAILED_VERIFICATION to get returned. I now make sure that failed
+  SSL connections properly close the connections.
+
 Daniel Stenberg (4 Aug 2008)
 - Test cases 1051, 1052 and 1055 were added by Daniel Fandrich on July 30 and
   proved how PUT and POST with a redirect could lead to a "hang" due to the
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 10e566063..f885fc89c 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -47,6 +47,7 @@ This release includes the following bugfixes:
  o no longer link with gdi32 on Windows cross-compiled targets
  o HTTP PUT with -C - sent bad Content-Range: header
  o HTTP PUT or POST with redirect could lead to hang
+ o re-use of connections with failed SSL connects in the multi interface
 
 This release includes the following known bugs:
 
@@ -67,7 +68,7 @@ advice from friends like these:
  Rob Crittenden, Dengminwen, Christopher Palow, Hans-Jurgen May,
  Phil Pellouchoud, Eduard Bloch, John Lightsey, Stephen Collyer, Tor Arntsen,
  Rolland Dudemaine, Phil Blundell, Scott Barrett, Andreas Schuldei,
- Peter Lamberg, David Bau, Pramod Sharma
+ Peter Lamberg, David Bau, Pramod Sharma, Yehoshua Hershberg
 
 
         Thanks! (and sorry if I forgot to mention someone)
diff --git a/TODO-RELEASE b/TODO-RELEASE
index c2b2da5d5..ea1f18298 100644
--- a/TODO-RELEASE
+++ b/TODO-RELEASE
@@ -14,10 +14,6 @@ To be addressed before 7.19.0 (planned release: August 2008)
        * Third version of the patch fixing a failure to chose a proper data
          type submitted to the mailing list 2008-08-04.
 
-
-146 - Yehoshua Hershberg's re-using of connections that failed with
-      CURLE_PEER_FAILED_VERIFICATION
-
 148 - Introduction of m4/reentrant.m4 is triggering some problems on Solaris
       systems. The problem manifests when buildconf runs aclocal, at some point
       aclocal fails when using GNU m4 version 1.4.5 it runs out of memory.  If
diff --git a/lib/http.c b/lib/http.c
index 173de8edc..a2a5cd1f5 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -1815,8 +1815,11 @@ static CURLcode https_connecting(struct connectdata *conn, bool *done)
 
   /* perform SSL initialization for this socket */
   result = Curl_ssl_connect_nonblocking(conn, FIRSTSOCKET, done);
-  if(result)
+  if(result) {
+    conn->bits.close = TRUE; /* a failed connection is marked for closure
+                                to prevent (bad) re-use or similar */
     return result;
+  }
 
   return CURLE_OK;
 }