cURL TLS 1.3 session ticket proxy host mixup Vulnerability
The Backend Engineering Show with Hussein Nasser - A podcast by Hussein Nasser
Categorie:
Enabled by default, libcurl supports the use of TLS 1.3 session tickets to resume previous TLS sessions to speed up subsequent TLS handshakes. When using a HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as if they arrived from the remote server and then wrongly "short-cut" the host handshake. The reason for this confusion is the modified sequence from TLS 1.2 when the session ids would provided only during the TLS handshake, while in TLS 1.3 it happens post hand-shake and the code was not updated to take that changed behavior into account. 4:00 http connect https://curl.se/docs/CVE-2021-22890.html