You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.
Since 7.52.0, with libcurl built with nss, if a cipher list is specified with multiple entries on subsequent requests such as: curl_easy_setopt(curl, CURLOPT_SSL_CIPHER_LIST, "ecdhe_ecdsa_aes_128_gcm_sha_256,ecdhe_rsa_aes_128_gcm_sha_256,dhe_rsa_aes_128_gcm_sha_256,rsa_aes_128_gcm_sha_25");
we see a new https connection created on each request as opposed to reusing the existing connection. This broke with commit cb4e2be proxy: Support HTTPS proxy and SOCKS+HTTP(s)
The issue is that the method set_ciphers (in lib/vtls/nss.c) clobbers the cipher_list entry kept on each connection by replacing any commas with null characters. After this method is called the cipher_list on a connection will now only contain the first entry (in the above example: ecdhe_ecdsa_aes_128_gcm_sha_256) and it is not necessarily the cipher negotiated for the connection.
The above is an issue in ConnectionExists and Curl_ssl_config_matches as it expects the cipher_list of a new request to exactly match the cipher_list found on an existing connection in order for that connection to be reused.
A relatively simple fix is to call strdup on the cipher_list before passing to set_ciphers (I can push this for review if desired). But looking at the original commit that broke this it appears that we may be inadvertently sharing cipher_list pointers -- perhaps further investigation is needed.
I expected the following
I expected a subsequent request with the same cipher_list (and other properties) to reuse the existing connection.
Linux xx.xx.xx.xx 4.19.84-33.70.amzn2.x86_64 #1 SMP Sun Nov 17 03:35:39 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
The text was updated successfully, but these errors were encountered:
This commit makes a clone of the connection's ssl config
cipher_list before passing it to nss.c's set_ciphers method
as that method clobbers its input by changing commas to
Without this commit if a multiple entry cipher list is specified
than reuse of a connection in the connection cache is not possible.
This addresses curl#8160.