| author | Jay Satiro <raysatiro@yahoo.com> | 2017-03-22 01:59:49 -0400 |
|---|---|---|
| committer | Daniel Stenberg <daniel@haxx.se> | 2017-04-18 07:56:34 +0200 |
| commit | 33cfcfd9f0378625d3bddbd2c8ac5aad4b646f26 (patch) | |
| tree | e5c65c7cafb11e9e0405bd14d923a035dc063eb6 /lib/vtls/gtls.c | |
| parent | 997504ea50887c80a0f90b88bb1778aad75f7ee9 (diff) | |
| download | curl-33cfcfd9f0378625d3bddbd2c8ac5aad4b646f26.tar.gz | |
TLS: Fix switching off SSL session id when client cert is used
Move the sessionid flag to ssl_primary_config so that ssl and proxy_ssl
will each have their own sessionid flag.
Regression since HTTPS-Proxy support was added in cb4e2be. Prior to that
this issue had been fixed in 247d890, CVE-2016-5419.
Bug: https://github.com/curl/curl/issues/1341
Reported-by: lijian996@users.noreply.github.com
The new incarnation of this bug is called CVE-2017-7468 and is documented
here: https://curl.haxx.se/docs/adv_20170419.html
Diffstat (limited to 'lib/vtls/gtls.c')
-rw-r--r-- | lib/vtls/gtls.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c index 51a5aa85b..0230778e2 100644 --- a/lib/vtls/gtls.c +++ b/lib/vtls/gtls.c @@ -873,7 +873,7 @@ gtls_connect_step1(struct connectdata *conn, /* This might be a reconnect, so we check for a session ID in the cache to speed up things */ - if(data->set.general_ssl.sessionid) { + if(SSL_SET_OPTION(primary.sessionid)) { void *ssl_sessionid; size_t ssl_idsize; @@ -1404,7 +1404,7 @@ gtls_connect_step3(struct connectdata *conn, conn->recv[sockindex] = gtls_recv; conn->send[sockindex] = gtls_send; - if(data->set.general_ssl.sessionid) { + if(SSL_SET_OPTION(primary.sessionid)) { /* we always unconditionally get the session id here, as even if we already got it from the cache and asked to use it in the connection, it might've been rejected and then a new one is in use now and we need to |
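Review bot: the cache lookup in gtls_connect_step1 now decides on `SSL_SET_OPTION(primary.sessionid)` instead of the shared `data->set.general_ssl.sessionid`, which is the whole fix, but this diffstat is limited to gtls.c; the move of `sessionid` into ssl_primary_config and the same substitution in the other vtls backends need to be in this same commit, since a backend left reading the old field would either fail to build against the moved struct or, if the old field were kept, silently retain the single shared flag that lets a client-cert session be reused across the origin and proxy configs.

Review bot: the store in gtls_connect_step3 uses the identical condition as the lookup in step1, so the two ends of the session cache stay in agreement for a given config; it would be worth adding a regression test for the per-config behaviour the message claims (one connection using a client certificate and one proxy connection without, checking that session id reuse is disabled only where the client cert is in play), because the previous fix in 247d890 was undone by a refactor without any test noticing.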