diff options
| author | Daniel Stenberg <daniel@haxx.se> | 2009-05-04 21:57:14 +0000 |
|---|---|---|
| committer | Daniel Stenberg <daniel@haxx.se> | 2009-05-04 21:57:14 +0000 |
| commit | a16cca768051ae7c2020426fef00bb0ec537477a (patch) | |
| tree | 3ebc663ce5ded5627c12e954663795ab3a29a9f5 /lib/ssluse.c | |
| parent | 644482fc990a55f0cce2837bd29d2c5dad7f7b35 (diff) | |
- Michael Smith posted bug report #2786255
(http://curl.haxx.se/bug/view.cgi?id=2786255) with a patch, identifying how
libcurl did not deal with SSL session ids properly if the server rejected a
re-use of one. Starting now, it will forget the rejected one and remember
the new. This change was for OpenSSL only, it is likely that other SSL lib
code needs similar fixes.
Diffstat (limited to 'lib/ssluse.c')
| -rw-r--r-- | lib/ssluse.c | 44 |
1 files changed, 26 insertions, 18 deletions
diff --git a/lib/ssluse.c b/lib/ssluse.c index 2e6928d77..a86c2808b 100644 --- a/lib/ssluse.c +++ b/lib/ssluse.c @@ -2177,35 +2177,43 @@ ossl_connect_step3(struct connectdata *conn, int sockindex) { CURLcode retcode = CURLE_OK; - void *ssl_sessionid=NULL; + void *old_ssl_sessionid=NULL; struct SessionHandle *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + int incache; + SSL_SESSION *our_ssl_sessionid; DEBUGASSERT(ssl_connect_3 == connssl->connecting_state); - if(Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL)) { - /* Since this is not a cached session ID, then we want to stach this one - in the cache! */ - SSL_SESSION *our_ssl_sessionid; #ifdef HAVE_SSL_GET1_SESSION - our_ssl_sessionid = SSL_get1_session(connssl->handle); + our_ssl_sessionid = SSL_get1_session(connssl->handle); - /* SSL_get1_session() will increment the reference - count and the session will stay in memory until explicitly freed with - SSL_SESSION_free(3), regardless of its state. - This function was introduced in openssl 0.9.5a. */ + /* SSL_get1_session() will increment the reference + count and the session will stay in memory until explicitly freed with + SSL_SESSION_free(3), regardless of its state. + This function was introduced in openssl 0.9.5a. */ #else - our_ssl_sessionid = SSL_get_session(connssl->handle); + our_ssl_sessionid = SSL_get_session(connssl->handle); - /* if SSL_get1_session() is unavailable, use SSL_get_session(). - This is an inferior option because the session can be flushed - at any time by openssl. It is included only so curl compiles - under versions of openssl < 0.9.5a. + /* if SSL_get1_session() is unavailable, use SSL_get_session(). + This is an inferior option because the session can be flushed + at any time by openssl. It is included only so curl compiles + under versions of openssl < 0.9.5a. - WARNING: How curl behaves if it's session is flushed is - untested. - */ + WARNING: How curl behaves if it's session is flushed is + untested. + */ #endif + + incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL)); + if (incache) { + if (old_ssl_sessionid != our_ssl_sessionid) { + infof(data, "old SSL session ID is stale, removing\n"); + Curl_ssl_delsessionid(conn, old_ssl_sessionid); + incache = FALSE; + } + } + if (!incache) { retcode = Curl_ssl_addsessionid(conn, our_ssl_sessionid, 0 /* unknown size */); if(retcode) { |