I've tried to reuse the SSL context of the easy handle for a TLS connection with OCSP stapling. When doing so, certificate status verification fails. The reason is that when the TLS session is reused, the OCSP response is not sent by the server, as required by the TLS specification.
The code to reproduce the issue (the server must support OCSP stapling):
```c
#include <stdio.h>
#include <curl/curl.h>

int main(int argc, char* argv[])
{
    CURLcode ret;
    CURL* hnd;

    // argv[1]: URL of a server with OCSP stapling enabled, argv[2]: CA file
    if (argc < 3) {
        fprintf(stderr, "usage: %s <url> <cafile>\n", argv[0]);
        return 1;
    }
    curl_global_init(CURL_GLOBAL_DEFAULT);
    fprintf(stdout, "libcurl version: %s\n", curl_version());
    hnd = curl_easy_init();
    curl_easy_setopt(hnd, CURLOPT_URL, argv[1]);
    curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
    // Self-signed certificate for testing
    curl_easy_setopt(hnd, CURLOPT_CAINFO, argv[2]);
    curl_easy_setopt(hnd, CURLOPT_SSL_VERIFYHOST, 0L);
    // Use OCSP
    curl_easy_setopt(hnd, CURLOPT_SSL_VERIFYSTATUS, 1L);
    // do not reuse connection to force reuse of the SSL context
    curl_easy_setopt(hnd, CURLOPT_FORBID_REUSE, 1L);
    ret = curl_easy_perform(hnd);
    fprintf(stdout, "Curl call 1 completed with: %d - %s\n\n", ret, curl_easy_strerror(ret));
    // Second transfer on the same easy handle: a new TCP connection, but the
    // TLS session cached by the first transfer is offered for resumption
    curl_easy_setopt(hnd, CURLOPT_URL, argv[1]);
    ret = curl_easy_perform(hnd);
    fprintf(stdout, "Curl call 2 completed with: %d - %s\n\n", ret, curl_easy_strerror(ret));
    curl_easy_cleanup(hnd);
    hnd = NULL;
    curl_global_cleanup();
    return (int)ret;
}
```
The output of the test code:
(Test server: Apache/2.4.58 (Unix) OpenSSL/3.0.11)
```
libcurl version: libcurl/8.4.0 OpenSSL/3.1.4 zlib/1.3 brotli/1.1.0 zstd/1.5.5 libidn2/2.3.4 libpsl/0.21.2 (+libidn2/2.3.4) libssh2/1.11.0 nghttp2/1.58.0
* Trying 172.19.0.2:443...
* Connected to 172.19.0.2 (172.19.0.2) port 443
* ALPN: curl offers h2,http/1.1
* CAfile: ./etc/tp25poc.ca.crt
* CApath: none
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted h2
* Server certificate:
* subject: C=DE; OU=TDTP25 Test; CN=localhost
* start date: Nov 24 08:23:09 2023 GMT
* expire date: Nov 21 08:23:09 2033 GMT
* issuer: C=DE; OU=TDTP25 Test; CN=TDTP25 Test Root CA
* SSL certificate verify ok.
* SSL certificate status: good (0)
* old SSL session ID is stale, removing
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://172.19.0.2/teapot.php
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: 172.19.0.2]
* [HTTP/2] [1] [:path: /teapot.php]
* [HTTP/2] [1] [accept: */*]
> GET /teapot.php HTTP/2
Host: 172.19.0.2
Accept: */*
< HTTP/2 418
< x-client: 172.19.0.1
< content-type: text/html; charset=UTF-8
< date: Fri, 24 Nov 2023 08:54:48 GMT
< server: Apache/2.4.58 (Unix) OpenSSL/3.0.11
<
<html>
<h1>418 I'm a teapot</h1><br>
</html>
* Closing connection
Curl call 1 completed with: 0 - No error
* Hostname 172.19.0.2 was found in DNS cache
* Trying 172.19.0.2:443...
* Connected to 172.19.0.2 (172.19.0.2) port 443
* ALPN: curl offers h2,http/1.1
* SSL reusing session ID
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted h2
* Server certificate:
* subject: C=DE; OU=TDTP25 Test; CN=localhost
* start date: Nov 24 08:23:09 2023 GMT
* expire date: Nov 21 08:23:09 2033 GMT
* issuer: C=DE; OU=TDTP25 Test; CN=TDTP25 Test Root CA
* SSL certificate verify ok.
* No OCSP response received
* Closing connection
Curl call 2 completed with: 91 - SSL server certificate status verification FAILED
```
Here, for the second request, it is visible that the SSL context is reused, and then it tries to get the OCSP response from OpenSSL, but OpenSSL does not contain it any more.
I expected the following
The expectation is that when the SSL context is reused and the server agrees to restore a known TLS session, the OCSP status check is not performed.
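The behaviour above comes down to one policy question: what a client should do about revocation status when the server resumes a session and therefore sends no Certificate and no stapled OCSP response. The following is an added example, not libcurl's or OpenSSL's code, that models the policy the report asks for and goes one step further than the report: a resumed session passes only if a "good" staple was verified on the full handshake that created the session and that staple's nextUpdate has not passed; everything else fails closed. All type and function names (verify_cert_status, session_cache_entry, stapled_response) and the timestamps are constructed for the example.

```c
/* Added example (not libcurl code): carrying a verified OCSP stapling result
 * across TLS session resumption. All names here are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* Outcome of certificate status verification for one connection. */
enum status_result {
    STATUS_OK_STAPLED,    /* full handshake, server stapled a "good" response */
    STATUS_OK_CACHED,     /* resumed session, unexpired "good" result from the full handshake */
    STATUS_FAIL_REVOKED,  /* stapled response is not "good" */
    STATUS_FAIL_MISSING,  /* full handshake but no stapled response (curl's "No OCSP response received") */
    STATUS_FAIL_NO_CACHE  /* resumed session with no usable verified status: force a full handshake */
};

/* OCSP CertStatus values as carried in a stapled response. */
enum ocsp_cert_status { OCSP_GOOD = 0, OCSP_REVOKED = 1, OCSP_UNKNOWN = 2 };

/* What the client remembers about a session it verified with a full handshake. */
struct session_cache_entry {
    bool   valid;        /* populated by a successful full handshake */
    bool   status_good;  /* the stapled response said "good" */
    time_t next_update;  /* nextUpdate of that response; 0 = not present */
};

/* The stapled response of one handshake (constructed input; only the fields used here). */
struct stapled_response {
    bool                  present;
    enum ocsp_cert_status status;
    time_t                next_update;
};

enum status_result verify_cert_status(bool session_resumed,
                                      const struct stapled_response *staple,
                                      time_t now,
                                      struct session_cache_entry *cache)
{
    /* Full handshake, or a server that stapled anyway: status must come from the staple. */
    if (!session_resumed || staple->present) {
        if (!staple->present)
            return STATUS_FAIL_MISSING;
        if (staple->status != OCSP_GOOD) {
            cache->valid = false;          /* never carry a bad result forward */
            return STATUS_FAIL_REVOKED;
        }
        cache->valid = true;
        cache->status_good = true;
        cache->next_update = staple->next_update;
        return STATUS_OK_STAPLED;
    }

    /* Resumed session without a staple (TLS 1.3 PSK resumption sends no Certificate):
     * accept only what the originating full handshake verified, and only while that
     * OCSP response is still within its validity window. */
    if (cache->valid && cache->status_good &&
        (cache->next_update == 0 || now < cache->next_update))
        return STATUS_OK_CACHED;

    return STATUS_FAIL_NO_CACHE;
}

/* Replays the report's two transfers: full handshake with a staple, then a resumption. */
int main(void)
{
    struct session_cache_entry cache = { false, false, 0 };
    /* Constructed timestamps: the staple is valid until t=2000. */
    struct stapled_response good = { true, OCSP_GOOD, 2000 };
    struct stapled_response none = { false, OCSP_GOOD, 0 };

    printf("call 1 (full handshake): %d\n", verify_cert_status(false, &good, 1000, &cache));
    printf("call 2 (resumed):        %d\n", verify_cert_status(true, &none, 1500, &cache));
    printf("call 3 (resumed, stale): %d\n", verify_cert_status(true, &none, 2500, &cache));
    return 0;
}
```

The third call is the caveat a practitioner wants: skipping the check on resumption is only safe while the response verified on the full handshake is still fresh, so the cache entry should expire with nextUpdate rather than with the session ticket, and a resumption that finds no verified entry (for example a session cache restored from disk) should fail closed instead of silently skipping revocation checking.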
curl/libcurl version
libcurl version: libcurl/8.4.0 OpenSSL/3.1.4 zlib/1.3 brotli/1.1.0 zstd/1.5.5 libidn2/2.3.4 libpsl/0.21.2 (+libidn2/2.3.4) libssh2/1.11.0 nghttp2/1.58.0
operating system
Linux *** 6.1.62-1-MANJARO #1 SMP PREEMPT_DYNAMIC Thu Nov 9 03:01:44 UTC 2023 x86_64 GNU/Linux