From 958d2ffb198166a062a0ff20d009c64972a2b374 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 18 Sep 2015 17:10:05 +0200 Subject: [PATCH] nss: prevent NSS from incorrectly re-using a session Without this workaround, NSS re-uses a session cache entry despite the server name does not match. This causes SNI host name to differ from the actual host name. Consequently, certain servers (e.g. github.com) respond by 400 to such requests. Bug: https://bugzilla.mozilla.org/1202264 --- RELEASE-NOTES | 2 ++ lib/vtls/nss.c | 4 ++++ 2 files changed, 6 insertions(+) diff --git a/RELEASE-NOTES b/RELEASE-NOTES index a1d40d5950..770145dfad 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -58,6 +58,7 @@ This release includes the following bugfixes: o winbuild: run buildconf.bat if necessary o buildconf.bat: fix syntax error o curl_sspi: fix possibly undefined CRYPT_E_REVOKED [16] + o nss: prevent NSS from incorrectly re-using a session [18] This release includes the following known bugs: @@ -96,3 +97,4 @@ References to bug reports and discussions on issues: [15] = http://curl.haxx.se/bug/?i=409 [16] = http://curl.haxx.se/bug/?i=411 [17] = http://daniel.haxx.se/blog/2015/09/11/unnecessary-use-of-curl-x/ + [18] = https://bugzilla.mozilla.org/1202264 diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c index 048273cf2c..09214a52b6 100644 --- a/lib/vtls/nss.c +++ b/lib/vtls/nss.c @@ -1806,6 +1806,10 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex) if(SSL_SetURL(connssl->handle, conn->host.name) != SECSuccess) goto error; + /* prevent NSS from re-using the session for a different hostname */ + if(SSL_SetSockPeerID(connssl->handle, conn->host.name) != SECSuccess) + goto error; + return CURLE_OK; error: