From 90bc6ee8f38eec0dd6c7c8dbea22b0cba2998ee2 Mon Sep 17 00:00:00 2001
From: Yang Tse
Date: Sat, 14 Nov 2009 02:30:30 +0000
Subject: - Constantine Sapuntzakis provided the fix that ensures that an SSL connection won't be reused unless protection level for peer and host verification match.
---
 lib/url.c | 9 +++++++++
 lib/urldata.h | 3 +++
 2 files changed, 12 insertions(+)
(limited to 'lib')
diff --git a/lib/url.c b/lib/url.c
index 8f425d4e2..d3ec1c074 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -2689,6 +2689,12 @@ ConnectionExists(struct SessionHandle *data,
 /* don't do mixed SSL and non-SSL connections */
 continue;
+ if(needle->protocol&PROT_SSL) {
+ if((data->set.ssl.verifypeer != check->verifypeer) ||
+ (data->set.ssl.verifyhost != check->verifyhost))
+ continue;
+ }
+
 if(needle->bits.proxy != check->bits.proxy)
 /* don't do mixed proxy and non-proxy connections */
 continue;
@@ -4326,6 +4332,9 @@ static CURLcode create_conn(struct SessionHandle *data,
 conn->bits.ftp_use_epsv = data->set.ftp_use_epsv;
 conn->bits.ftp_use_eprt = data->set.ftp_use_eprt;
+ conn->verifypeer = data->set.ssl.verifypeer;
+ conn->verifyhost = data->set.ssl.verifyhost;
+
 if(data->multi && Curl_multi_canPipeline(data->multi) && !conn->master_buffer) {
 /* Allocate master_buffer to be used for pipelining */
diff --git a/lib/urldata.h b/lib/urldata.h
index d3101c03a..40ed8285d 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -1083,6 +1083,9 @@ struct connectdata {
 #if defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI)
 int socks5_gssapi_enctype;
 #endif
+
+ long verifypeer;
+ long verifyhost;
 };
 /* The end of connectdata. */
-- cgit v1.2.3
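Review bot: In the `ConnectionExists` hunk of lib/url.c, the new reuse check compares only `verifypeer` and `verifyhost`, so as far as this hunk shows, two handles that differ in any other trust-relevant SSL setting would still share a connection. If `data->set.ssl` carries further options that decide which peer is accepted (CA bundle or path, client certificate, cipher list; none visible here), they belong in the same comparison. The guard is also keyed on `needle->protocol&PROT_SSL`; whether connections that upgrade to TLS after connecting carry that bit cannot be told from the hunk and is worth confirming. Unlike the neighbouring checks the block has no comment; something like `/* don't reuse an SSL connection set up with a different verification level */` would match them. The body of `ConnectionExists` starts and ends outside the hunk.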
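Review bot: The two new `connectdata` members are assigned in the `create_conn` hunk of lib/url.c and declared in the lib/urldata.h hunk with no comment saying they are a snapshot taken at connection creation and read by the reuse check in `ConnectionExists`. A one-line comment on the declarations, e.g. `/* verification level requested when the connection was created; compared in ConnectionExists() before reuse */`, would tell a maintainer why later changes to `data->set.ssl` must not update them. The fields record what was requested, not whether verification was actually performed; if that distinction matters for reuse, it should be stated there too. `create_conn` continues outside the hunk.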