
Sign up to save your podcasts
Or


Enabled by default, libcurl supports the use of TLS 1.3 session tickets to resume previous TLS sessions to speed up subsequent TLS handshakes.
When using a HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as if they arrived from the remote server and then wrongly "short-cut" the host handshake. The reason for this confusion is the modified sequence from TLS 1.2 when the session ids would provided only during the TLS handshake, while in TLS 1.3 it happens post hand-shake and the code was not updated to take that changed behavior into account.
4:00 http connect
https://curl.se/docs/CVE-2021-22890.html
By Hussein Nasser4.9
4040 ratings
Enabled by default, libcurl supports the use of TLS 1.3 session tickets to resume previous TLS sessions to speed up subsequent TLS handshakes.
When using a HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as if they arrived from the remote server and then wrongly "short-cut" the host handshake. The reason for this confusion is the modified sequence from TLS 1.2 when the session ids would provided only during the TLS handshake, while in TLS 1.3 it happens post hand-shake and the code was not updated to take that changed behavior into account.
4:00 http connect
https://curl.se/docs/CVE-2021-22890.html

32,100 Listeners

275 Listeners

375 Listeners

12,237 Listeners

982 Listeners

8,051 Listeners

208 Listeners

1,645 Listeners

10,182 Listeners

576 Listeners

508 Listeners

5,530 Listeners

682 Listeners

1,489 Listeners

74 Listeners