- Constantine Sapuntzakis provided the fix that ensures that an SSL connection

  won't be reused unless protection level for peer and host verification match.

1 files changed, 9 insertions, 0 deletions

diff --git a/lib/url.c b/lib/url.c
index 8f425d4e2..d3ec1c074 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -2689,6 +2689,12 @@ ConnectionExists(struct SessionHandle *data,
       /* don't do mixed SSL and non-SSL connections */
       continue;
 
+    if(needle->protocol&PROT_SSL) {
+      if((data->set.ssl.verifypeer != check->verifypeer) ||
+         (data->set.ssl.verifyhost != check->verifyhost))
+        continue;
+    }
+
     if(needle->bits.proxy != check->bits.proxy)
       /* don't do mixed proxy and non-proxy connections */
       continue;
@@ -4326,6 +4332,9 @@ static CURLcode create_conn(struct SessionHandle *data,
   conn->bits.ftp_use_epsv = data->set.ftp_use_epsv;
   conn->bits.ftp_use_eprt = data->set.ftp_use_eprt;
 
+  conn->verifypeer = data->set.ssl.verifypeer;
+  conn->verifyhost = data->set.ssl.verifyhost;
+
   if(data->multi && Curl_multi_canPipeline(data->multi) &&
       !conn->master_buffer) {
     /* Allocate master_buffer to be used for pipelining */