-rw-r--r--RELEASE-NOTES2
-rw-r--r--lib/nss.c12
2 files changed, 9 insertions, 5 deletions
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 0bf433647..c809d35fd 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -27,7 +27,7 @@ This release includes the following bugfixes:
o HTTP: remove stray CRLF in chunk-encoded content-free request bodies
o build: fix AIX compilation and usage of events/revents
o VC Makefiles: add missing hostcheck
- o
+ o nss: clear session cache if a client certificate from file is used
This release includes the following known bugs:
diff --git a/lib/nss.c b/lib/nss.c
index 298ddad17..5c9c11c5f 100644
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -1054,13 +1054,17 @@ void Curl_nss_close(struct connectdata *conn, int sockindex)
as closed to avoid double close */
fake_sclose(conn->sock[sockindex]);
conn->sock[sockindex] = CURL_SOCKET_BAD;
+
+ if((connssl->client_nickname != NULL) || (connssl->obj_clicert != NULL))
+ /* A server might require different authentication based on the
+ * particular path being requested by the client. To support this
+ * scenario, we must ensure that a connection will never reuse the
+ * authentication data from a previous connection. */
+ SSL_InvalidateSession(connssl->handle);
+
if(connssl->client_nickname != NULL) {
free(connssl->client_nickname);
connssl->client_nickname = NULL;
-
- /* force NSS to ask again for a client cert when connecting
- * next time to the same server */
- SSL_InvalidateSession(connssl->handle);
}
/* destroy all NSS objects in order to avoid failure of NSS shutdown */
Curl_llist_destroy(connssl->obj_list, NULL);
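Review bot: The new `if` on the obj_clicert/client_nickname condition has no braces and its single statement is separated from the condition by a four-line comment, which is exactly the shape that lets a later "one more cleanup line" silently fall outside the conditional; for a check whose purpose is to stop a client-cert-authenticated session from being resumed, that is worth guarding with braces: `if((connssl->client_nickname != NULL) || (connssl->obj_clicert != NULL)) {` … `SSL_InvalidateSession(connssl->handle);` `}`. The result of SSL_InvalidateSession is also discarded here, as it was in the removed block; if a failed invalidation is considered a security-relevant event it could at least be logged, though the original code ignored it too. The comment is a good rationale, but it would help a reader to state the effect in NSS terms, e.g. `/* drop this session from the NSS client session cache so a later connection to the same host cannot resume it with a different (or no) client cert */`. Curl_nss_close begins before this hunk, so whether connssl->handle is guaranteed non-NULL at this point cannot be confirmed from the hunk alone.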