Subject: [PATCH] allow session resume with same client certificate

cURL 7.50.1 introduced a fix for CVE-2016-5419 that prevents resuming a TLS session
whenever a client certificate is in use. Stock cURL could have resumed a TLS session
that was actually authenticated using a different client certificate without this fix.

However, the darwin vtls used by the Git OS X Installer always includes the client
certificate file name in the computed session id so it is incapable of resuming a TLS
session with a mismatched client certificate.

Re-enable the ability to resume TLS sessions that use client certificates to avoid the
unnecessary performance penalty since the Git OS X Installer darwin vtls is not in any
way vulnerable to the CVE-2016-5419 problem.

Signed-off-by: Kyle J. McKay <mackyle@gmail.com>
1 file changed, 1 deletion(-)
21 diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
22 index 56a88234..794ffa9f 100644
25 @@ -159,7 +159,6 @@ Curl_clone_ssl_config(struct ssl_config_data *source,
26 dest->clientcert = strdup(source->clientcert);
29 - dest->sessionid = FALSE;
32 dest->clientcert = NULL;
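Review bot: The deleted `dest->sessionid = FALSE;` in Curl_clone_ssl_config sits in lib/vtls/vtls.c, which is shared by every TLS backend, while the commit message justifies the removal only for the darwin vtls. Nothing in the hunk ties the change to that backend, so a build of this tree against any other backend would get session resumption with client certificates back without the session-id property the argument relies on. Consider keeping the assignment and compiling it out only when the darwin backend is selected, or at least leaving a comment at this spot that records the assumption. It is also worth stating in the commit message that the session id is keyed on the certificate file name rather than the certificate itself, so a different certificate placed at the same path would still match a cached session.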