git.ipfire.org Git - thirdparty/curl.git/commit

author	Stefan Eissing <stefan@eissing.org>
	Tue, 27 Jan 2026 12:28:09 +0000 (13:28 +0100)
committer	Daniel Stenberg <daniel@haxx.se>
	Tue, 27 Jan 2026 13:03:47 +0000 (14:03 +0100)
commit	065b149df07256174891dfcde307c39c98908d5f
tree	b6f7bfc2df6e1c2a73621fdc7d9ca7ae64912c5f	tree \| snapshot
parent	af508e364193a0343e06233fbd5912a8c7d25f2e	commit \| diff

OpenSSL: check reuse of sessions for verify status

OpenSSL records its peer verification status inside its SSL_SESSION
objects. When a session is later reused, the SSL connection inherits
this verify status.

Session keys prevent reuse of sessions between connections that verify
the peer and those who do not. However, when Apple SecTrust is used
to verify a connection, this does not update the Sessions verify
status (and there is no setter). On session reuse, OpenSSL fails
the verification and Apple SecTrust cannot verify either since the
certificate peer chain is not available.

Fix this by checking the verification status on session reuse and
remove the session again if the peer needs to be verified, but the
session is not.

Reported-by: Christian Schmitza
Fixes #20435
Closes #20446

lib/vtls/gtls.c		diff \| blob \| blame \| history
lib/vtls/openssl.c		diff \| blob \| blame \| history
tests/http/test_02_download.py		diff \| blob \| blame \| history
tests/http/test_08_caddy.py		diff \| blob \| blame \| history
tests/http/test_17_ssl_use.py		diff \| blob \| blame \| history
tests/http/test_19_shutdown.py		diff \| blob \| blame \| history
tests/libtest/cli_hx_download.c		diff \| blob \| blame \| history