clear session cache if a client cert from file is used
This commit is contained in:
parent
a5f3441ddf
commit
513526c871
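--- a/0002-curl-7.28.1-b36f1d26.patch
+++ b/0002-curl-7.28.1-b36f1d26.patch
@@ -0,0 +1,55 @@
+From fefd7cdcde39c56651f6e2c32be9cd79354ffdc4 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Fri, 11 Jan 2013 10:24:21 +0100
+Subject: [PATCH 2/3] nss: clear session cache if a client cert from file is used
+
+This commit fixes a regression introduced in 052a08ff.
+
+NSS caches certs/keys returned by the SSL_GetClientAuthDataHook callback
+and if we connect second time to the same server, the cached cert/key
+pair is used. If we use multiple client certificates for different
+paths on the same server, we need to clear the session cache to force
+NSS to call the hook again. The commit 052a08ff prevented the session
+cache from being cleared if a client certificate from file was used.
+
+The condition is now fixed to cover both cases: consssl->client_nickname
+is not NULL if a client certificate from the NSS database is used and
+connssl->obj_clicert is not NULL if a client certificate from file is
+used.
+
+Review by: Kai Engert
+
+[upstream commit b36f1d26f830453ebaa17238f9bd1e396f618720]
+---
+lib/nss.c | 12 ++++++++----
+1 files changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/lib/nss.c b/lib/nss.c
+index 794eccb..f97090a 100644
+--- a/lib/nss.c
++++ b/lib/nss.c
+@@ -1058,13 +1058,17 @@ void Curl_nss_close(struct connectdata *conn, int sockindex)
+as closed to avoid double close */
+fake_sclose(conn->sock[sockindex]);
+conn->sock[sockindex] = CURL_SOCKET_BAD;
++
++ if((connssl->client_nickname != NULL) || (connssl->obj_clicert != NULL))
++ /* A server might require different authentication based on the
++ * particular path being requested by the client. To support this
++ * scenario, we must ensure that a connection will never reuse the
++ * authentication data from a previous connection. */
++ SSL_InvalidateSession(connssl->handle);
++
+if(connssl->client_nickname != NULL) {
+free(connssl->client_nickname);
+connssl->client_nickname = NULL;
+-
+- /* force NSS to ask again for a client cert when connecting
+- * next time to the same server */
+- SSL_InvalidateSession(connssl->handle);
+}
+/* destroy all NSS objects in order to avoid failure of NSS shutdown */
+Curl_llist_destroy(connssl->obj_list, NULL);
+--
+1.7.1
+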
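Review bot: The new `if` in Curl_nss_close at the `+ if((connssl->client_nickname != NULL) || (connssl->obj_clicert != NULL))` line has a single-statement body separated from its condition by a four-line comment, which is exactly the shape where a later edit adds a second statement that silently lands outside the conditional; brace it, `if(connssl->client_nickname || connssl->obj_clicert) {` … `SSL_InvalidateSession(connssl->handle);` … `}`, and move the comment above the `if`. The SECStatus that SSL_InvalidateSession returns is still discarded, as it was in the removed call; a failure here leaves the cached client-cert binding in place for the next connection to that server with no trace, so a debug-level log on SECFailure would make that visible to anyone diagnosing a wrong-certificate problem. The commit message embedded in the patch file spells the struct `consssl` once where `connssl` is meant. The body of Curl_nss_close starts and ends outside the hunk, so whether connssl->handle is guaranteed non-NULL at this point cannot be confirmed from the hunk alone.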
@ -11,6 +11,9 @@ Source3: hide_selinux.c
# prevent NSS from crashing on client auth hook failure
# prevent NSS from crashing on client auth hook failure
Patch1: 0001-curl-7.28.1-68d2830e.patch
Patch1: 0001-curl-7.28.1-68d2830e.patch
# clear session cache if a client cert from file is used
Patch2: 0002-curl-7.28.1-b36f1d26.patch
# patch making libcurl multilib ready
# patch making libcurl multilib ready
Patch101: 0101-curl-7.27.0-multilib.patch
Patch101: 0101-curl-7.27.0-multilib.patch
@ -105,6 +108,7 @@ documentation of the library, too.
# upstream patches
# upstream patches
%patch1 -p1
%patch1 -p1
%patch2 -p1
# Fedora patches
# Fedora patches
%patch101 -p1
%patch101 -p1
@ -230,6 +234,7 @@ rm -rf $RPM_BUILD_ROOT
%changelog
%changelog
* Tue Jan 15 2013 Kamil Dudka <kdudka@redhat.com> 7.28.1-2
* Tue Jan 15 2013 Kamil Dudka <kdudka@redhat.com> 7.28.1-2
- prevent NSS from crashing on client auth hook failure
- prevent NSS from crashing on client auth hook failure
- clear session cache if a client cert from file is used
* Tue Nov 20 2012 Kamil Dudka <kdudka@redhat.com> 7.28.1-1
* Tue Nov 20 2012 Kamil Dudka <kdudka@redhat.com> 7.28.1-1
- new upstream release
- new upstream release