March 31, 2021

cURL TLS 1.3 session ticket proxy host mixup Vulnerability

Listen Later

9 minutes

Enabled by default, libcurl supports the use of TLS 1.3 session tickets to resume previous TLS sessions to speed up subsequent TLS handshakes.

When using a HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as if they arrived from the remote server and then wrongly "short-cut" the host handshake. The reason for this confusion is the modified sequence from TLS 1.2 when the session ids would provided only during the TLS handshake, while in TLS 1.3 it happens post hand-shake and the code was not updated to take that changed behavior into account.

4:00 http connect

https://curl.se/docs/CVE-2021-22890.html

...more

View all episodes

View all episodes

Download on the App Store

Download on the App Store

Get it on Google Play

The Backend Engineering Show with Hussein Nasser

By Hussein Nasser

4.9

4040 ratings

March 31, 2021

cURL TLS 1.3 session ticket proxy host mixup Vulnerability

Listen Later

9 minutes

Enabled by default, libcurl supports the use of TLS 1.3 session tickets to resume previous TLS sessions to speed up subsequent TLS handshakes.

When using a HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as if they arrived from the remote server and then wrongly "short-cut" the host handshake. The reason for this confusion is the modified sequence from TLS 1.2 when the session ids would provided only during the TLS handshake, while in TLS 1.3 it happens post hand-shake and the code was not updated to take that changed behavior into account.

4:00 http connect

https://curl.se/docs/CVE-2021-22890.html

...more

More shows like The Backend Engineering Show with Hussein Nasser

Software Engineering Radio by se-radio@computer.org

Software Engineering Radio

273 Listeners

The Changelog: Software Development, Open Source by Changelog Media

The Changelog: Software Development, Open Source

292 Listeners

Software Engineering Daily by Software Engineering Daily

Software Engineering Daily

625 Listeners

The Cloudcast by Massive Studios

The Cloudcast

153 Listeners

Talk Python To Me by Michael Kennedy

Talk Python To Me

585 Listeners

Soft Skills Engineering by Jamison Dance and Dave Smith

Soft Skills Engineering

288 Listeners

Python Bytes by Michael Kennedy and Brian Okken

Python Bytes

214 Listeners

Y Combinator Startup Podcast by Y Combinator

Y Combinator Startup Podcast

236 Listeners

Syntax - Tasty Web Development Treats by Wes Bos & Scott Tolinski - Full Stack JavaScript Web Developers

Syntax - Tasty Web Development Treats

983 Listeners

Practical AI by Practical AI LLC

Practical AI

213 Listeners

The Stack Overflow Podcast by The Stack Overflow Podcast

The Stack Overflow Podcast

63 Listeners

The Real Python Podcast by Real Python

The Real Python Podcast

141 Listeners

Dwarkesh Podcast by Dwarkesh Patel

Dwarkesh Podcast

505 Listeners

Big Technology Podcast by Alex Kantrowitz

Big Technology Podcast

478 Listeners

Oxide and Friends by Oxide Computer Company

Oxide and Friends

60 Listeners