Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SSL session reuse does not work with TLS1.2 with OpenSSL since 7.77.0 #7222

Closed
ngg opened this issue Jun 9, 2021 · 0 comments
Closed

SSL session reuse does not work with TLS1.2 with OpenSSL since 7.77.0 #7222

ngg opened this issue Jun 9, 2021 · 0 comments
Labels
TLS

Comments

@ngg
Copy link
Contributor

ngg commented Jun 9, 2021
edited

I did this

I'm looking at the Client Hello messages in Wireshark when running the following command:

curl -v -I --tls-max 1.2 --http1.1 "https://example.com/[1-3]" -H "Connection:close"

I expected the following

I've expected to see reused Session IDs, but they are not.

curl/libcurl version

I've bisected the failure to the 7f4a9a9 commit, here is the output of curl -v when I compiled that commit:

curl 7.77.0-DEV (x86_64-pc-linux-gnu) libcurl/7.77.0-DEV OpenSSL/1.1.1k zlib/1.2.11 brotli/1.0.9 zstd/1.4.9 libidn2/2.3.0 libpsl/0.21.0 (+libidn2/2.3.0) nghttp2/1.41.0 OpenLDAP/2.4.57
Release-Date: [unreleased]
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp 
Features: alt-svc AsynchDNS brotli HSTS HTTP2 HTTPS-proxy IDN IPv6 Largefile libz NTLM NTLM_WB PSL SSL TLS-SRP UnixSockets zstd

operating system

I've checked on Linux x64, but there is a bug report in the curl-library mailing list with topic TLS session ID re-use broken in 7.77.0 that uses the https://curl.se/windows/dl-7.77.0_2/curl-7.77.0_2-win64-mingw.zip version on Windows.
@bagder bagder added the TLS label Jun 9, 2021
bagder added a commit that referenced this issue Jun 10, 2021
@bagder
openssl: don't remove session id entry in disassociate
89f91cb 
When a connection is disassociated from a transfer, the Session ID entry
should remain.

Regression since 7f4a9a9 (shipped in libcurl 7.77.0)
Reported-by: Gergely Nagy
Reported-by: Paul Groke

Fixes #7222
@bagder bagder mentioned this issue Jun 10, 2021
Closed
@bagder bagder closed this as completed in a5adf8c Jun 11, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
TLS
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

openssl: don't remove session id entry in disassociate curl/curl
2 participants
@bagder @ngg