Curl fails to consider some security-related options when reusing TLS connections. For example:
As a result, a TLS connection with lower security (CURLSSLOPT_ALLOW_BEAST, CURLSSLOPT_NO_REVOKE) can be reused when it should no longer be. Also, a connection that has previously been authenticated with CURLSSLOPT_AUTO_CLIENT_CERT might be reused for connections that should not use it.
(echo -ne "HTTP/1.1 200 OK\r\nContent-Length: 6\r\n\r\nHello\n"; sleep 5; echo -ne "HTTP/1.1 200 OK\r\nContent-Length: 6\r\n\r\nAgain\n") | openssl s_server -cert cert.pem -key privkey.pem -cert_chain chain.pem -accept 9443
curl -v --ssl-no-revoke --ssl-allow-beast https://targethost.tld:9443 -: https://targethost.tld:9443
Both requests are made over the same reused connection even though the security settings change between them.
With curl built against openssl:
curl http://cdp.geotrust.com/GeoTrustRSACA2018.crl | openssl crl -out crlfile.pem
curl -v https://curl.se -: --crlfile crlfile.pem https://curl.se
Using crlfile.pem should result in "curl: (60) SSL certificate problem: unable to get certificate CRL", but the option is ignored because the previous connection is reused.
With curl built against Schannel and revoked certificate:
curl -v --ssl-no-revoke https://revoked.grc.com -: https://revoked.grc.com
The second request reuses the existing connection even though --ssl-no-revoke is no longer requested.
There may be more options that have similar issues. These were the most obvious I could see (ones having obvious security impact).
Wrong identity (client certificate) or TLS security options being used for subsequent connections to the same hosts.
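A simplified model of the connection-matching decision this report is about, added here as an illustration and not taken from curl's source. The struct, function and flag names and the flag values are hypothetical; the first matcher leaves the TLS options and CRL file out of the comparison, the second requires them to be identical before a cached connection is reused.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Simplified model, not curl source. Flag values are illustrative only. */
enum { OPT_ALLOW_BEAST = 1 << 0, OPT_NO_REVOKE = 1 << 1, OPT_AUTO_CLIENT_CERT = 1 << 2 };

struct tls_request {
    const char *host;
    int port;
    long ssl_options;     /* models the CURLSSLOPT_* bits in effect */
    const char *crlfile;  /* models --crlfile; NULL when unset */
};

static bool same_str(const char *a, const char *b)
{
    if (a == NULL || b == NULL)
        return a == b;    /* both unset match; only one unset does not */
    return strcmp(a, b) == 0;
}

/* Models the reported behaviour: TLS options and CRL file are not compared. */
bool reuse_endpoint_only(const struct tls_request *conn, const struct tls_request *req)
{
    return conn->port == req->port && same_str(conn->host, req->host);
}

/* Stricter match: the TLS security settings must be identical as well. */
bool reuse_strict(const struct tls_request *conn, const struct tls_request *req)
{
    return reuse_endpoint_only(conn, req) &&
           conn->ssl_options == req->ssl_options &&
           same_str(conn->crlfile, req->crlfile);
}

/* Return the first cached connection the matcher accepts, or NULL. */
const struct tls_request *find_reusable(const struct tls_request *cache, size_t n,
                                        const struct tls_request *req,
                                        bool (*match)(const struct tls_request *,
                                                      const struct tls_request *))
{
    for (size_t i = 0; i < n; i++)
        if (match(&cache[i], req))
            return &cache[i];
    return NULL;
}
```

With the strict matcher, the second request in each of the command sequences above would open a new connection and negotiate TLS with its own settings.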