romenskiy2012/curl
1
0
Fork 0
mirror of https://github.com/curl/curl.git synced 2026-05-16 16:36:20 +03:00
Code Issues Projects Releases Packages Wiki Activity

url: fix connection reuse for starttls protocols

Browse source 
When a connection is tested for reuse in a transfer that *may* upgrade
to TLS (commonly via STARTTLS), the SSL configuration must match the
existing connection.

Reported-by: Andrew Nesbit
Closes #21522
This commit is contained in:
Stefan Eissing 2026-05-07 10:30:07 +02:00 committed by Daniel Stenberg
parent ef3b7903aa
commit a86efdd7ca
No known key found for this signature in database
GPG key ID: 5CC908FDB71E12C2
1 changed files with 10 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

15
lib/url.c
View file

@ -691,7 +691,11 @@ struct url_conn_match {
BIT(want_proxy_ntlm_http);
BIT(want_nego_http);
BIT(want_proxy_nego_http);
BIT(req_tls); /* require TLS use from a clear-text start */
BIT(may_tls); /* May upgrade clear-text connection to TLS, can only reuse
* connections that have matching TLS configuration.
* Always TRUE if `req_tls` is TRUE. */
BIT(require_tls); /* Requires TLS use from a clear-text start, can only
* reuse connections that have TLS. */
BIT(wait_pipe);
BIT(force_reuse);
BIT(seen_pending_conn);
@ -824,7 +828,7 @@ static bool url_match_ssl_use(struct connectdata *conn,
(get_protocol_family(conn->scheme) != m->needle->scheme->protocol))
return FALSE;
}
else if(m->req_tls)
else if(m->require_tls)
/* a clear-text STARTTLS protocol with required TLS */
return FALSE;
return TRUE;
@ -1005,8 +1009,8 @@ static bool url_match_destination(struct connectdata *conn,
static bool url_match_ssl_config(struct connectdata *conn,
struct url_conn_match *m)
{
/* If talking TLS, conn needs to use the same SSL options. */
if((m->needle->scheme->flags & PROTOPT_SSL) &&
/* If talking/upgrading to TLS, conn needs to use the same SSL options. */
if(((m->needle->scheme->flags & PROTOPT_SSL) || m->may_tls) &&
!Curl_ssl_conn_config_match(m->data, conn, FALSE)) {
DEBUGF(infof(m->data, "Connection #%" FMT_OFF_T
" has different SSL parameters, cannot reuse",
@ -1278,7 +1282,8 @@ static bool url_attach_existing(struct Curl_easy *data,
(needle->scheme->protocol & PROTO_FAMILY_HTTP);
#endif
#endif
match.req_tls = data->set.use_ssl >= CURLUSESSL_CONTROL;
match.require_tls = data->set.use_ssl >= CURLUSESSL_CONTROL;
match.may_tls = data->set.use_ssl > CURLUSESSL_NONE;
/* Find a connection in the pool that matches what "data + needle"
* requires. If a suitable candidate is found, it is attached to "data". */