1 From fafbab1a3a52a383d92d2b5b1fb63785a15f2d73 Mon Sep 17 00:00:00 2001

     2 From: Daniel Stenberg <[email protected]>

     3 Date: Fri, 19 Dec 2014 08:50:00 +0100

     4 Subject: [PATCH] darwinssl: fix session ID keys to only reuse identical

     5  sessions

     6 

     7 ...to avoid a session ID getting cached without certificate checking and

     8 then after a subsequent _enabling_ of the check libcurl could still

     9 re-use the session done without cert checks.

    10 

    11 Bug: http://curl.haxx.se/docs/adv_20150108A.html

    12 Reported-by: Marc Hesse

    13 ---

    14  lib/vtls/curl_darwinssl.c | 6 ++++--

    15  1 file changed, 4 insertions(+), 2 deletions(-)

    16 

    17 This fix is already available upstream in curl version 7.40.0

    18 

    19 --- lib/vtls/curl_darwinssl.c.orig	2015-01-05 16:57:56.063227733 -0800

    20 +++ lib/vtls/curl_darwinssl.c	2015-01-05 16:58:54.820470409 -0800

    21 @@ -1483,7 +1483,10 @@

    22    else {

    23      CURLcode retcode;

    24  

    25 -    ssl_sessionid = malloc(256*sizeof(char));

    26 +    ssl_sessionid =

    27 +      aprintf("%s:%d:%d:%s:%hu", data->set.str[STRING_SSL_CAFILE],

    28 +              data->set.ssl.verifypeer, data->set.ssl.verifyhost,

    29 +              conn->host.name, conn->remote_port);

    30      ssl_sessionid_len = snprintf(ssl_sessionid, 256, "curl:%s:%hu",

    31        conn->host.name, conn->remote_port);

    32      err = SSLSetPeerID(connssl->ssl_ctx, ssl_sessionid, ssl_sessionid_len);