connection reuse: starttls#21665
Closed
icing wants to merge 3 commits into
Closed
Conversation
Add test_31_13 to check connection reuse on mixed --ssl-reqd setting. For that add debug env var CURL_DBG_NO_USE_SSL_ON_FIRST to disable --ssl-reqd for the first url. Check that the connection without SSL from the first url is not reused on the second URL that requires it. Tweak special ftp: protocol check to fail a DEBUGASSERT on mismatched `use_ssl` settings as that should have been caught before in the connection reuse matching (imap/smtp etc. do not have this extra check and rely on the general part doing its job).
Contributor
Author
|
@bagder this is related to the report you mentioned yesterday. |
bagder
approved these changes
May 19, 2026
There was a problem hiding this comment.
Pull request overview
Adds a test for FTP connection reuse with mixed --ssl-reqd settings, and refactors where the SSL-use match is enforced during connection reuse so the check now applies regardless of scheme match. A debug-only env var is introduced to coerce the first URL to skip --ssl-reqd, enabling the new test scenario. The ftp code switches to reading use_ssl from ftp_conn (per-connection) instead of data->set, and the FTP connection-match function turns a previous symmetric use_ssl mismatch into a DEBUGASSERT-guarded sanity check, relying on the centralized url_match_ssl_use() to do the real filtering.
Changes:
- Move the
url_match_ssl_use()call out ofurl_match_destination()intourl_match_conn()so STARTTLS reuse mismatches are caught for all schemes. - Use per-connection
ftpc->use_ssl(instead ofdata->set.use_ssl) in FTP control/PROT/PBSZ logic and drop the symmetricuse_sslequality inftp_conns_match()in favor of a DEBUGASSERT for the unsafe direction. - Add
CURL_DBG_NO_USE_SSL_ON_FIRSTdebug env var (set viaconfig2setopts) plus docs and a newtest_31_13_starttls_reusePython test.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| lib/url.c | Relocates the SSL-use match from destination matching to the main per-connection matcher. |
| lib/ftp.c | Reads use_ssl from ftp_conn and replaces strict equality with a one-sided DEBUGASSERT. |
| src/config2setopts.c | Adds debug-only override that clears CURLOPT_USE_SSL on the first URL when env var set. |
| docs/libcurl/libcurl-env-dbg.md | Documents the new CURL_DBG_NO_USE_SSL_ON_FIRST debug env var. |
| tests/http/test_31_vsftpds.py | Adds test_31_13_starttls_reuse to verify no reuse across mixed STARTTLS requirements. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
outcast36
pushed a commit
to greearb/curl
that referenced
this pull request
Jun 3, 2026
Add test_31_13 to check connection reuse on mixed --ssl-reqd setting. For that add debug env var CURL_DBG_NO_USE_SSL_ON_FIRST to disable --ssl-reqd for the first url. Check that the connection without SSL from the first url is not reused on the second URL that requires it. Tweak special ftp: protocol check to fail a DEBUGASSERT on mismatched `use_ssl` settings as that should have been caught before in the connection reuse matching (imap/smtp etc. do not have this extra check and rely on the general part doing its job). Closes curl#21665
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Add test_31_13 to check connection reuse on mixed --ssl-reqd setting. For that add debug env var CURL_DBG_NO_USE_SSL_ON_FIRST to disable --ssl-reqd for the first url. Check that the connection without SSL from the first url is not reused on the second URL that requires it.
Tweak special ftp: protocol check to fail a DEBUGASSERT on mismatched
use_sslsettings as that should have been caught before in the connection reuse matching (imap/smtp etc. do not have this extra check and rely on the general part doing its job).