March 31, 2021

cURL TLS 1.3 session ticket proxy host mixup Vulnerability

Listen Later

9 minutes

Enabled by default, libcurl supports the use of TLS 1.3 session tickets to resume previous TLS sessions to speed up subsequent TLS handshakes.

When using a HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as if they arrived from the remote server and then wrongly "short-cut" the host handshake. The reason for this confusion is the modified sequence from TLS 1.2 when the session ids would provided only during the TLS handshake, while in TLS 1.3 it happens post hand-shake and the code was not updated to take that changed behavior into account.

4:00 http connect

https://curl.se/docs/CVE-2021-22890.html

...more

View all episodes

View all episodes

Download on the App Store

Download on the App Store

Get it on Google Play

The Backend Engineering Show with Hussein Nasser

By Hussein Nasser

4.9

4040 ratings

March 31, 2021

cURL TLS 1.3 session ticket proxy host mixup Vulnerability

Listen Later

9 minutes

Enabled by default, libcurl supports the use of TLS 1.3 session tickets to resume previous TLS sessions to speed up subsequent TLS handshakes.

When using a HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as if they arrived from the remote server and then wrongly "short-cut" the host handshake. The reason for this confusion is the modified sequence from TLS 1.2 when the session ids would provided only during the TLS handshake, while in TLS 1.3 it happens post hand-shake and the code was not updated to take that changed behavior into account.

4:00 http connect

https://curl.se/docs/CVE-2021-22890.html

...more

More shows like The Backend Engineering Show with Hussein Nasser

Freakonomics Radio by Freakonomics Radio + Stitcher

Freakonomics Radio

32,245 Listeners

Software Engineering Radio - the podcast for professional software developers by team@se-radio.net (SE-Radio Team)

Software Engineering Radio - the podcast for professional software developers

273 Listeners

Risky Business by Patrick Gray

Risky Business

373 Listeners

Science Vs by Spotify Studios

Science Vs

12,165 Listeners

Syntax - Tasty Web Development Treats by Wes Bos & Scott Tolinski - Full Stack JavaScript Web Developers

Syntax - Tasty Web Development Treats

989 Listeners

Darknet Diaries by Jack Rhysider

Darknet Diaries

8,110 Listeners

Practical AI by Practical AI LLC

Practical AI

209 Listeners

Within Reason by Alex J O'Connor

Within Reason

1,658 Listeners

All-In with Chamath, Jason, Sacks & Friedberg by All-In Podcast, LLC

All-In with Chamath, Jason, Sacks & Friedberg

10,227 Listeners

Dwarkesh Podcast by Dwarkesh Patel

Dwarkesh Podcast

548 Listeners

Big Technology Podcast by Alex Kantrowitz

Big Technology Podcast

513 Listeners

Hard Fork by The New York Times

Hard Fork

5,547 Listeners

The AI Daily Brief: Artificial Intelligence News and Analysis by Nathaniel Whittemore

The AI Daily Brief: Artificial Intelligence News and Analysis

659 Listeners

Prof G Markets by Vox Media Podcast Network

Prof G Markets

1,471 Listeners

The Pragmatic Engineer by Gergely Orosz

The Pragmatic Engineer

74 Listeners