nss: prevent NSS from incorrectly re-using a session

Without this workaround, NSS re-uses a session cache entry despite the
server name does not match.  This causes SNI host name to differ from
the actual host name.  Consequently, certain servers (e.g. github.com)
respond by 400 to such requests.

Bug: https://bugzilla.mozilla.org/1202264

diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index a1d40d5950eb0b7d864ac6dc60a936350e184c54..770145dfadf3ec7cab04a963ac8b4d9aa5a2350a 100644 (file)
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -58,6 +58,7 @@ This release includes the following bugfixes:
  o winbuild: run buildconf.bat if necessary
  o buildconf.bat: fix syntax error
  o curl_sspi: fix possibly undefined CRYPT_E_REVOKED [16]
+ o nss: prevent NSS from incorrectly re-using a session [18]
 
 This release includes the following known bugs:
 
@@ -96,3 +97,4 @@ References to bug reports and discussions on issues:
  [15] = http://curl.haxx.se/bug/?i=409
  [16] = http://curl.haxx.se/bug/?i=411
  [17] = http://daniel.haxx.se/blog/2015/09/11/unnecessary-use-of-curl-x/
+ [18] = https://bugzilla.mozilla.org/1202264

diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
index 048273cf2c41b6960a24a11fae8e092d58b144f6..09214a52b6cf7d156914654189b391e0ea0685f3 100644 (file)
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -1806,6 +1806,10 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
   if(SSL_SetURL(connssl->handle, conn->host.name) != SECSuccess)
     goto error;
 
+  /* prevent NSS from re-using the session for a different hostname */
+  if(SSL_SetSockPeerID(connssl->handle, conn->host.name) != SECSuccess)
+    goto error;
+
   return CURLE_OK;
 
 error: