From f3fb07d2576c71a6409c0c1662c3b5ac61c283ab Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Fri, 18 Sep 2015 17:07:22 +0200
Subject: [PATCH 1/2] nss: check return values of NSS functions
Upstream-commit: a9fd53887ba07cd8313a8b9706f2dc71d6b8ed1b
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/nss.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
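diff --git a/lib/nss.c b/lib/nss.c
index 0691394..763390d 100644
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -1491,9 +1491,13 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
   }
 
   /* Force handshake on next I/O */
-  SSL_ResetHandshake(connssl->handle, /* asServer */ PR_FALSE);
+  if(SSL_ResetHandshake(connssl->handle, /* asServer */ PR_FALSE)
+     != SECSuccess)
+    goto error;
 
-  SSL_SetURL(connssl->handle, conn->host.name);
+  /* propagate hostname to the TLS layer */
+  if(SSL_SetURL(connssl->handle, conn->host.name) != SECSuccess)
+    goto error;
 
   return CURLE_OK;
 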
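Review bot: Both new failure paths discard the NSS error code: nothing visible captures `PR_GetError()` before `goto error`, so a failing SSL_ResetHandshake or SSL_SetURL would surface only as a generic connection failure unless the error label (outside this hunk) already records it; if it does not, a `failf(data, "SSL_SetURL() failed: %d", PR_GetError());` before each jump, in the style the NSS backend presumably uses for its other NSS calls, would make such failures diagnosable. The check on SSL_SetURL is also security-relevant rather than cosmetic: the name passed here is what NSS uses for SNI and, in its default certificate hook, for matching the server certificate, so a silently failed call could leave the certificate name check working against an unset name; the comment could say so, e.g. `/* propagate hostname to the TLS layer: NSS uses it for SNI and for matching the server certificate, so failure must abort the connect */`. nss_setup_connect starts before this hunk and the `error:` label it jumps to lies outside it.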
--
2.5.2
From 6b301701920a7b36df02bd94cdde259882e521d2 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Fri, 18 Sep 2015 17:10:05 +0200
Subject: [PATCH 2/2] nss: prevent NSS from incorrectly re-using a session
Without this workaround, NSS re-uses a session cache entry despite the
server name not matching. This causes the SNI host name to differ from
the actual host name. Consequently, certain servers (e.g. github.com)
respond by 400 to such requests.
Bug: https://bugzilla.mozilla.org/1202264
Upstream-commit: 958d2ffb198166a062a0ff20d009c64972a2b374
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/nss.c | 4 ++++
1 file changed, 4 insertions(+)
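diff --git a/lib/nss.c b/lib/nss.c
index 763390d..88d1a0d 100644
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -1499,6 +1499,10 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
   if(SSL_SetURL(connssl->handle, conn->host.name) != SECSuccess)
     goto error;
 
+  /* prevent NSS from re-using the session for a different hostname */
+  if(SSL_SetSockPeerID(connssl->handle, conn->host.name) != SECSuccess)
+    goto error;
+
   return CURLE_OK;
 
 error: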
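Review bot: The comment on the new SSL_SetSockPeerID line should carry the bug reference from the commit message, so the workaround can be recognised and retired once NSS is fixed: `/* prevent NSS from re-using the session for a different hostname; workaround for https://bugzilla.mozilla.org/1202264 */`. The peer ID is the bare host name; if NSS keys its client session cache on this string together with the peer address and port only, as the public description of SSL_SetSockPeerID suggests (not verified here), two connections to the same host that differ in verification settings could still share cached sessions, which is worth stating in the comment so nobody assumes the ID carries more than the name. The `error:` label is visible here but its body, and the start of nss_setup_connect, lie outside the hunk.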
--
2.5.2