Since 7.52.0, with libcurl built with nss, if a cipher list with multiple entries is specified on subsequent requests, such as:
curl_easy_setopt(curl, CURLOPT_SSL_CIPHER_LIST, "ecdhe_ecdsa_aes_128_gcm_sha_256,ecdhe_rsa_aes_128_gcm_sha_256,dhe_rsa_aes_128_gcm_sha_256,rsa_aes_128_gcm_sha_25");
we see a new https connection created on each request as opposed to reusing the existing connection. This broke with commit cb4e2be "proxy: Support HTTPS proxy and SOCKS+HTTP(s)".
The issue is that the method set_ciphers (in lib/vtls/nss.c) clobbers the cipher_list entry kept on each connection by replacing any commas with null characters. After this method is called the cipher_list on a connection will now only contain the first entry (in the above example: ecdhe_ecdsa_aes_128_gcm_sha_256) and it is not necessarily the cipher negotiated for the connection.
The above is an issue in ConnectionExists and Curl_ssl_config_matches as it expects the cipher_list of a new request to exactly match the cipher_list found on an existing connection in order for that connection to be reused.
A relatively simple fix is to call strdup on the cipher_list before passing to set_ciphers (I can push this for review if desired). But looking at the original commit that broke this it appears that we may be inadvertently sharing cipher_list pointers -- perhaps further investigation is needed.
I expected the following
I expected a subsequent request with the same cipher_list (and other properties) to reuse the existing connection.
Linux xx.xx.xx.xx 4.19.84-33.70.amzn2.x86_64 #1 SMP Sun Nov 17 03:35:39 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
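To make the failure mechanism described above concrete, here is an added stand-alone C illustration. It is not libcurl source: `tokenize_ciphers_in_place` and `cipher_lists_match` are simplified stand-ins for the behaviour the report attributes to nss.c's set_ciphers and to Curl_ssl_config_matches, and the two `reuse_possible_*` functions model the connection-cache comparison before and after handing the tokenizer a private copy. The cipher list is the one quoted in the report.

```c
/*
 * Added illustration, not libcurl code: an in-place tokenizer that turns
 * every ',' into '\0' leaves the caller's string holding only its first
 * entry, so a later byte-for-byte comparison against the original list
 * fails. Tokenizing a throwaway duplicate keeps the stored list intact.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Cipher list quoted from the report (constructed test input here). */
static const char REPORTED_LIST[] =
    "ecdhe_ecdsa_aes_128_gcm_sha_256,ecdhe_rsa_aes_128_gcm_sha_256,"
    "dhe_rsa_aes_128_gcm_sha_256,rsa_aes_128_gcm_sha_25";

/* Portable strdup replacement so the example builds in strict C mode. */
static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d)
        memcpy(d, s, n);
    return d;
}

/* Stand-in for the set_ciphers behaviour described in the issue: splits the
 * list into C strings by overwriting commas with NUL. The caller's buffer is
 * modified. Returns the number of entries found. */
static int tokenize_ciphers_in_place(char *list)
{
    int count;
    if (!list || !*list)
        return 0;
    count = 1;
    for (char *p = list; *p; p++) {
        if (*p == ',') {
            *p = '\0';
            count++;
        }
    }
    return count;
}

/* Stand-in for the Curl_ssl_config_matches check: the requested list must be
 * identical to the list stored on the cached connection. */
static int cipher_lists_match(const char *cached, const char *wanted)
{
    if (!cached || !wanted)
        return cached == wanted;
    return strcmp(cached, wanted) == 0;
}

/* Number of entries in a list, without touching the caller's string. */
static int cipher_count(const char *list)
{
    char *scratch = dup_string(list);
    int n = scratch ? tokenize_ciphers_in_place(scratch) : 0;
    free(scratch);
    return n;
}

/* How many bytes of the stored list remain visible after the tokenizer ran
 * directly on it: just the first entry. */
static size_t visible_after_clobber(const char *requested)
{
    char *conn_list = dup_string(requested);
    size_t len;
    if (!conn_list)
        return 0;
    tokenize_ciphers_in_place(conn_list);
    len = strlen(conn_list);
    free(conn_list);
    return len;
}

/* Broken path: the tokenizer works on the connection's own stored copy. */
static int reuse_possible_without_fix(const char *requested)
{
    char *conn_list = dup_string(requested);
    int ok;
    if (!conn_list)
        return 0;
    tokenize_ciphers_in_place(conn_list);  /* clobbers the stored list */
    ok = cipher_lists_match(conn_list, requested);
    free(conn_list);
    return ok;
}

/* Fixed path: the tokenizer gets a duplicate; the stored list stays whole. */
static int reuse_possible_with_fix(const char *requested)
{
    char *conn_list = dup_string(requested);
    char *scratch = conn_list ? dup_string(conn_list) : NULL;
    int ok;
    if (!conn_list || !scratch) {
        free(conn_list);
        free(scratch);
        return 0;
    }
    tokenize_ciphers_in_place(scratch);    /* only the copy is modified */
    free(scratch);
    ok = cipher_lists_match(conn_list, requested);
    free(conn_list);
    return ok;
}

int main(void)
{
    printf("entries in list:        %d\n", cipher_count(REPORTED_LIST));
    printf("bytes left when clobbered: %zu of %zu\n",
           visible_after_clobber(REPORTED_LIST), strlen(REPORTED_LIST));
    printf("reuse without fix:      %s\n",
           reuse_possible_without_fix(REPORTED_LIST) ? "yes" : "no");
    printf("reuse with fix:         %s\n",
           reuse_possible_with_fix(REPORTED_LIST) ? "yes" : "no");
    return 0;
}
```

Running it shows the stored list shrinking to the first entry (31 of the original bytes) and the cache match failing in the unfixed path while succeeding once the tokenizer is given a copy.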
This commit makes a clone of the connection's ssl config
cipher_list before passing it to nss.c's set_ciphers method
as that method clobbers its input by changing commas to
Without this commit, if a multiple-entry cipher list is specified
then reuse of a connection in the connection cache is not possible.
This addresses curl#8160.