You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

72 lines
2.1 KiB

From f3fb07d2576c71a6409c0c1662c3b5ac61c283ab Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Fri, 18 Sep 2015 17:07:22 +0200
Subject: [PATCH 1/2] nss: check return values of NSS functions
Upstream-commit: a9fd53887ba07cd8313a8b9706f2dc71d6b8ed1b
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/nss.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/lib/nss.c b/lib/nss.c
index 0691394..763390d 100644
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -1491,9 +1491,13 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
}
/* Force handshake on next I/O */
- SSL_ResetHandshake(connssl->handle, /* asServer */ PR_FALSE);
+ if(SSL_ResetHandshake(connssl->handle, /* asServer */ PR_FALSE)
+ != SECSuccess)
+ goto error;
- SSL_SetURL(connssl->handle, conn->host.name);
+ /* propagate hostname to the TLS layer */
+ if(SSL_SetURL(connssl->handle, conn->host.name) != SECSuccess)
+ goto error;
return CURLE_OK;
--
2.5.2
From 6b301701920a7b36df02bd94cdde259882e521d2 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Fri, 18 Sep 2015 17:10:05 +0200
Subject: [PATCH 2/2] nss: prevent NSS from incorrectly re-using a session
Without this workaround, NSS re-uses a session cache entry despite the
server name does not match. This causes SNI host name to differ from
the actual host name. Consequently, certain servers (e.g. github.com)
respond by 400 to such requests.
Bug: https://bugzilla.mozilla.org/1202264
Upstream-commit: 958d2ffb198166a062a0ff20d009c64972a2b374
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/nss.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/lib/nss.c b/lib/nss.c
index 763390d..88d1a0d 100644
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -1499,6 +1499,10 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
if(SSL_SetURL(connssl->handle, conn->host.name) != SECSuccess)
goto error;
+ /* prevent NSS from re-using the session for a different hostname */
+ if(SSL_SetSockPeerID(connssl->handle, conn->host.name) != SECSuccess)
+ goto error;
+
return CURLE_OK;
error:
--
2.5.2