From a22c0daa87598a016bf0b5c93bb2ff63be5577f9 Mon Sep 17 00:00:00 2001
From: Paul Donohue
Date: Tue, 15 Oct 2013 21:36:32 +0200
Subject: [PATCH 1/2] NSS: acknowledge the --no-sessionid/CURLOPT_SSL_SESSIONID_CACHE option
Upstream-commit: f63603dec4519857498602f7a00acc0ffed29753
Signed-off-by: Kamil Dudka
---
 lib/nss.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/lib/nss.c b/lib/nss.c
index 83bb354..1f02988 100644
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -1362,8 +1362,9 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
 if(SSL_OptionSet(model, SSL_HANDSHAKE_AS_CLIENT, PR_TRUE) != SECSuccess)
 goto error;
- /* do not use SSL cache if we are not going to verify peer */
- ssl_no_cache = (data->set.ssl.verifypeer) ? PR_FALSE : PR_TRUE;
+ /* do not use SSL cache if disabled or we are not going to verify peer */
+ ssl_no_cache = (conn->ssl_config.sessionid && data->set.ssl.verifypeer) ?
+ PR_FALSE : PR_TRUE;
 if(SSL_OptionSet(model, SSL_NO_CACHE, ssl_no_cache) != SECSuccess)
 goto error;
-- 2.5.5
From e164f1a355900f7f164d28ac9f937ad82d9ca45f Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Fri, 1 Jul 2016 13:32:31 +0200
Subject: [PATCH 2/2] TLS: switch off SSL session id when client cert is used CVE-2016-5419
Bug: https://curl.haxx.se/docs/adv_20160803A.html
Reported-by: Bru Rom
Contributions-by: Eric Rescorla and Ray Satiro
Upstream-commit: 247d890da88f9ee817079e246c59f3d7d12fde5f
Signed-off-by: Kamil Dudka
---
 lib/sslgen.c | 10 ++++++++++
 lib/url.c | 1 +
 lib/urldata.h | 1 +
 3 files changed, 12 insertions(+)
diff --git a/lib/sslgen.c b/lib/sslgen.c
index 4875874..3036bb2 100644
--- a/lib/sslgen.c
+++ b/lib/sslgen.c
@@ -147,6 +147,15 @@ Curl_clone_ssl_config(struct ssl_config_data *source,
 else
 dest->random_file = NULL;
+ if(source->clientcert) {
+ dest->clientcert = strdup(source->clientcert);
+ if(!dest->clientcert)
+ return FALSE;
+ dest->sessionid = FALSE;
+ }
+ else
+ dest->clientcert = NULL;
+
 return TRUE;
 }
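Review bot: In the lib/nss.c hunk the new condition reads `sessionid` from the per-connection `conn->ssl_config` but still reads `verifypeer` from the handle-wide `data->set.ssl`, and the comment does not say that the split is deliberate. Patch 2/2 on this page clears `sessionid` in the cloned config only, so the NSS cache decision depends on this line consulting the per-connection copy; I would spell that out as `/* do not use the NSS session cache if session IDs are off for this connection or the peer is not going to be verified */`. The inverted ternary could also be written `ssl_no_cache = !(conn->ssl_config.sessionid && data->set.ssl.verifypeer);` if a plain C truth value is acceptable for that variable, whose declaration is outside the hunk. nss_setup_connect starts and ends outside the hunk.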
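Review bot: In the lib/sslgen.c clone hunk of patch 2/2, `clientcert` is copied into the per-connection config, but nothing visible in this series compares it when two SSL configs are checked for equivalence, so session-ID resumption is closed off while connection reuse across different client certificates may still be possible. If this tree has a config-comparison routine (curl's is Curl_ssl_config_matches, which is not in these hunks), it should compare `clientcert` alongside the other string fields. The override `dest->sessionid = FALSE;` also only holds if `sessionid` is copied from `source` earlier in the function, which starts above the hunk; a comment such as `/* a client cert is in use: never offer or resume a cached session on this connection */` would make that ordering dependency explicit.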
@@ -157,6 +166,7 @@ void Curl_free_ssl_config(struct ssl_config_data* sslc)
 Curl_safefree(sslc->cipher_list);
 Curl_safefree(sslc->egdsocket);
 Curl_safefree(sslc->random_file);
+ Curl_safefree(sslc->clientcert);
 }
 #ifdef USE_SSL
diff --git a/lib/url.c b/lib/url.c
index 7257b5e..959510d 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -5255,6 +5255,7 @@ static CURLcode create_conn(struct SessionHandle *data,
 data->set.ssl.random_file = data->set.str[STRING_SSL_RANDOM_FILE];
 data->set.ssl.egdsocket = data->set.str[STRING_SSL_EGDSOCKET];
 data->set.ssl.cipher_list = data->set.str[STRING_SSL_CIPHER_LIST];
+ data->set.ssl.clientcert = data->set.str[STRING_CERT];
 #ifdef USE_TLS_SRP
 data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME];
 data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD];
diff --git a/lib/urldata.h b/lib/urldata.h
index 723e40d..f4c6222 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -340,6 +340,7 @@ struct ssl_config_data {
 char *CAfile; /* certificate to verify peer against */
 const char *CRLfile; /* CRL to check certificate revocation */
 const char *issuercert;/* optional issuer certificate filename */
+ char *clientcert;
 char *random_file; /* path to file containing "random" data */
 char *egdsocket; /* path to file containing the EGD daemon socket */
 char *cipher_list; /* list of ciphers to use */
-- 2.5.5
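Review bot: Ownership of `clientcert` differs between the two places that set it, and the freeing code in the Curl_free_ssl_config hunk does not document which one it expects. The lib/url.c hunk stores a borrowed pointer (`data->set.str[STRING_CERT]`) in `data->set.ssl.clientcert`, while the clone path stores a `strdup` copy, so the added `Curl_safefree(sslc->clientcert);` is only safe on a config filled by Curl_clone_ssl_config; on `data->set.ssl` it would release a string the option table still references. The neighbouring fields follow the same convention, so I would state it once above the function: `/* only for configs filled by Curl_clone_ssl_config(); data->set.ssl merely borrows its strings */`. Whether any caller passes `data->set.ssl` is not visible here, and the function's signature line is outside the hunk.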
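Review bot: The new `clientcert` member in the lib/urldata.h hunk is the only field in the visible part of `struct ssl_config_data` without a comment, although its presence now changes TLS behaviour for the connection. I would declare it as `char *clientcert; /* client certificate name; when set, the SSL session ID cache is not used */`. The struct definition continues outside the hunk.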