nss: prevent NSS from incorrectly re-using a session

Without this workaround, NSS re-uses a session cache entry despite the server name does not match. This causes SNI host name to differ from the actual host name. Consequently, certain servers (e.g. github.com) respond by 400 to such requests. Bug: https://bugzilla.mozilla.org/1202264
author: Kamil Dudka <kdudka@redhat.com> 2015-09-18 17:10:05 +0200
committer: Kamil Dudka <kdudka@redhat.com> 2015-09-18 17:38:51 +0200
commit: 958d2ffb198166a062a0ff20d009c64972a2b374 (patch)
tree: 72cc69c08e28f2f3226abc00bed55671d68d5f14 /lib/vtls/nss.c
parent: a9fd53887ba07cd8313a8b9706f2dc71d6b8ed1b (diff)
download: curl-958d2ffb198166a062a0ff20d009c64972a2b374.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
index 048273cf2..09214a52b 100644
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -1806,6 +1806,10 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
   if(SSL_SetURL(connssl->handle, conn->host.name) != SECSuccess)
     goto error;
 
+  /* prevent NSS from re-using the session for a different hostname */
+  if(SSL_SetSockPeerID(connssl->handle, conn->host.name) != SECSuccess)
+    goto error;
+
   return CURLE_OK;
 
 error:
author	Kamil Dudka <kdudka@redhat.com>	2015-09-18 17:10:05 +0200
committer	Kamil Dudka <kdudka@redhat.com>	2015-09-18 17:38:51 +0200
commit	958d2ffb198166a062a0ff20d009c64972a2b374 (patch)
tree	72cc69c08e28f2f3226abc00bed55671d68d5f14 /lib/vtls/nss.c
parent	a9fd53887ba07cd8313a8b9706f2dc71d6b8ed1b (diff)
download	curl-958d2ffb198166a062a0ff20d009c64972a2b374.tar.gz