From 958d2ffb198166a062a0ff20d009c64972a2b374 Mon Sep 17 00:00:00 2001
From: Kamil Dudka
Date: Fri, 18 Sep 2015 17:10:05 +0200
Subject: nss: prevent NSS from incorrectly re-using a session
Without this workaround, NSS re-uses a session cache entry despite the server name does not match. This causes SNI host name to differ from the actual host name. Consequently, certain servers (e.g. github.com) respond by 400 to such requests.
Bug: https://bugzilla.mozilla.org/1202264
---
 lib/vtls/nss.c | 4 ++++
 1 file changed, 4 insertions(+) (limited to 'lib/vtls')
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
index 048273cf2..09214a52b 100644
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -1806,6 +1806,10 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
 if(SSL_SetURL(connssl->handle, conn->host.name) != SECSuccess)
 goto error;
+ /* prevent NSS from re-using the session for a different hostname */
+ if(SSL_SetSockPeerID(connssl->handle, conn->host.name) != SECSuccess)
+ goto error;
+
 return CURLE_OK;
 error:
--
cgit v1.2.3
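Review bot: The peer ID passed to the added `SSL_SetSockPeerID(connssl->handle, conn->host.name)` call is the host name alone, so two connections to the same host that differ in security-relevant TLS settings (client certificate, peer-verification options) would presumably still map to the same NSS session cache entry. Whether that matters depends on how NSS keys and validates resumed sessions, which this hunk does not show; if it does, the ID could be built from the host name plus those settings. The new comment should also say that this is a workaround and name the upstream bug, so it can be removed once NSS is fixed: `/* workaround for https://bugzilla.mozilla.org/1202264: prevent NSS from re-using the session for a different hostname */`. nss_setup_connect starts before the hunk and its `error:` path continues past it, so the error code returned on failure is not visible here.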