- Michael Smith posted bug report #2786255

                                  Changelog

Daniel Stenberg (4 May 2009)

- Michael Smith posted bug report #2786255

  (http://curl.haxx.se/bug/view.cgi?id=2786255) with a patch, identifying how

  libcurl did not deal with SSL session ids properly if the server rejected a

  re-use of one. Starting now, it will forget the rejected one and remember

  the new. This change was for OpenSSL only, it is likely that other SSL lib

  code needs similar fixes.

Yang Tse (4 May 2009)

- Applied David McCreedy's "transfer.c fixes for CURL_DO_LINEEND_CONV and

  non-ASCII platform HTTP requests" patch addressing two HTTP PUT problems:

 o TFTP problems after a failed transfer to the same host

 o improved out of the box TPF compatibility

 o HTTP PUT protocol line endings portions mangled from CRLF to CRCRLF

 o Rejected SSL session ids are killed properly (for OpenSSL builds)

This release includes the following known bugs:

 Andre Guibert de Bruet, Andreas Farber, Frank Hempel, Pierre Brico,

 Kamil Dudka, Jim Freeman, Daniel Johnson, Toshio Kuratomi, Martin Storsjo,

 Pramod Sharma, Gisle Vanem, Leanic Lefever, Rainer Koenig, Sven Wegener,

 Tim Chen, Constantine Sapuntzakis, David McCreedy

 Tim Chen, Constantine Sapuntzakis, David McCreedy, Michael Smith

        Thanks! (and sorry if I forgot to mention someone)

    return 1;

}

/*

 * Delete the given session ID from the cache.

 */

void Curl_ssl_delsessionid(struct connectdata *conn, void *ssl_sessionid)

{

  int i;

  for(i=0; i< conn->data->set.ssl.numsessions; i++) {

    struct curl_ssl_session *check = &conn->data->state.session[i];

    if (check->sessionid == ssl_sessionid) {

      kill_session(check);

      break;

    }

  }

}

/*

 * Store session id in the session cache. The ID passed on to this function

 * must already have been extracted and allocated the proper way for the SSL

CURLcode Curl_ssl_addsessionid(struct connectdata *conn,

                               void *ssl_sessionid,

                               size_t idsize);

/* delete a session from the cache */

void Curl_ssl_delsessionid(struct connectdata *conn, void *ssl_sessionid);

#define SSL_SHUTDOWN_TIMEOUT 10000 /* ms */

                   int sockindex)

{

  CURLcode retcode = CURLE_OK;

  void *ssl_sessionid=NULL;

  void *old_ssl_sessionid=NULL;

  struct SessionHandle *data = conn->data;

  struct ssl_connect_data *connssl = &conn->ssl[sockindex];

  int incache;

  SSL_SESSION *our_ssl_sessionid;

  DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);

  if(Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL)) {

    /* Since this is not a cached session ID, then we want to stach this one

       in the cache! */

    SSL_SESSION *our_ssl_sessionid;

#ifdef HAVE_SSL_GET1_SESSION

  our_ssl_sessionid = SSL_get1_session(connssl->handle);

     untested.

  */

#endif

  incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL));

  if (incache) {

    if (old_ssl_sessionid != our_ssl_sessionid) {

      infof(data, "old SSL session ID is stale, removing\n");

      Curl_ssl_delsessionid(conn, old_ssl_sessionid);

      incache = FALSE;

    }

  }

  if (!incache) {

    retcode = Curl_ssl_addsessionid(conn, our_ssl_sessionid,

                                    0 /* unknown size */);

    if(retcode) {