Commit 4ce22c60 authored by Daniel Stenberg

darwinssl: fix session ID keys to only reuse identical sessions

...to avoid a session ID getting cached without certificate checking and
then after a subsequent _enabling_ of the check libcurl could still
re-use the session done without cert checks.

Bug: http://curl.haxx.se/docs/adv_20150108A.html
Reported-by: Marc Hesse
parent 3df8e788
+5 −4
@@ -6,7 +6,7 @@
 *                             \___|\___/|_| \_\_____|
 *
 * Copyright (C) 2012 - 2014, Nick Zitzmann, <nickzman@gmail.com>.
 * Copyright (C) 2012 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
 * Copyright (C) 2012 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -1482,8 +1482,9 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
     to starting the handshake. */
  else {
    CURLcode result;

    ssl_sessionid = aprintf("curl:%s:%hu",
    ssl_sessionid =
      aprintf("%s:%d:%d:%s:%hu", data->set.str[STRING_SSL_CAFILE],
              data->set.ssl.verifypeer, data->set.ssl.verifyhost,
              conn->host.name, conn->remote_port);
    ssl_sessionid_len = strlen(ssl_sessionid);
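Review bot: The return value of aprintf() is passed straight to strlen(ssl_sessionid) on the next line with no NULL check in the visible lines, so an allocation failure would dereference NULL; return an out-of-memory error before computing the length. In the same call, data->set.str[STRING_SSL_CAFILE] is formatted with %s and may be unset, so either pass an empty string in that case or confirm that aprintf() emits a fixed placeholder for NULL, otherwise the cache key is not well defined when no CA file is configured. The key now covers the CA file, verifypeer and verifyhost in addition to host and port; a short comment above the aprintf() listing which settings are part of the key, and why, would help the next person who adds an option that changes the trust decision remember to extend it.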