CURLOPT_SSL_CTX_FUNCTION can't mark a connection not suitable for re-use #2916

Closed
bagder opened this issue Aug 27, 2018 · 5 comments

bagder commented Aug 27, 2018

I did this

If I write an application that uses the CURLOPT_SSL_CTX_FUNCTION callback, and in said callback my code reaches in and fiddles with TLS connection level details that makes the connection unsuitable for ordinary connection pooling and reuse, there is still no way for my callback to signal this information to libcurl.

I expected the following

Maybe a magic return code that says this? Maybe another way to flag it?

curl/libcurl version

git master

operating system

independent

bagder added the TLS label Aug 27, 2018

bagder commented Aug 28, 2018

I think the most sensible way to fix this is to introduce a magic return code. The callback is made to return a CURLcode (reminder: don't make callbacks return this type in the future) so the magic value needs to be a number that is way outside of the normal range, so it won't collide with a future expanded error range.

Something like this:

#define CURL_SSL_CTX_NO_REUSE 0xffffff

Returning this value would equal returning CURLE_OK but also marking the connection for no further reuse since the application has done something to the SSL context that makes libcurl unable to do proper reuse checks.

Using this return code on older libcurls without support for it will just make libcurl error out instead and return that error code.

jay commented Aug 29, 2018

Why not pass the curl handle in ctx data and then use it to set CURLOPT_FORBID_REUSE, and then multi_done will tear it down?

bagder commented Aug 29, 2018

> set CURLOPT_FORBID_REUSE

Hm, yes that should work already now and doesn't need any modifications... Perhaps we should just mention this in the documentation and be done with it?

jay commented Aug 29, 2018

how about

diff --git a/docs/libcurl/opts/CURLOPT_SSL_CTX_FUNCTION.3 b/docs/libcurl/opts/CU
index 0d73610..04d8e29 100644
--- a/docs/libcurl/opts/CURLOPT_SSL_CTX_FUNCTION.3
+++ b/docs/libcurl/opts/CURLOPT_SSL_CTX_FUNCTION.3
@@ -61,7 +61,8 @@ change the actual URI of an HTTPS request.
 WARNING: The \fICURLOPT_SSL_CTX_FUNCTION(3)\fP callback allows the application
 to reach in and modify SSL details in the connection without libcurl itself
 knowing anything about it, which then subsequently can lead to libcurl
-unknowingly reusing SSL connections with different properties.
+unknowingly reusing SSL connections with different properties. To remedy this
+you may set \fICURLOPT_FORBID_REUSE(3)\fP from the callback function.
 .SH DEFAULT
 NULL
 .SH PROTOCOLS
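
Review bot: In the sentence added to the WARNING paragraph, "you may set CURLOPT_FORBID_REUSE(3) from the callback function" does not say which handle the option is set on or what it does to the connection. Suggest spelling that out, for example: "set \fICURLOPT_FORBID_REUSE(3)\fP on the easy handle from within the callback, so that the connection is closed after the transfer instead of being kept for reuse". The "you may" wording also reads as optional right after a WARNING; stating that an application which changes the SSL context in the callback should set the option would match the severity of the paragraph.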

bagder commented Aug 29, 2018

I'm a big 👍 on landing that and then closing this!

jay closed this as completed in c10f5b0 Aug 29, 2018
falconindy pushed a commit to falconindy/curl that referenced this issue Sep 10, 2018
lock bot locked as resolved and limited conversation to collaborators Nov 27, 2018