cURL TLS 1.3 session ticket proxy host mixup Vulnerability

From The Backend Engineering Show with Hussein Nasser
Length:
10 minutes
Released:
Mar 31, 2021
Format:
Podcast episode

Description

libcurl supports TLS 1.3 session tickets, enabled by default, to resume previous TLS sessions and speed up subsequent TLS handshakes.
When using an HTTPS proxy and TLS 1.3, libcurl can mistake session tickets arriving from the HTTPS proxy for tickets from the remote server, and then wrongly "short-cut" the host handshake. The reason for this confusion is the modified sequence from TLS 1.2, when session IDs were provided only during the TLS handshake, while in TLS 1.3 this happens post-handshake and the code was not updated to take that changed behavior into account.
4:00 HTTP CONNECT
https://curl.se/docs/CVE-2021-22890.html
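
The mix-up described above, as a simplified model added here (not libcurl's code and not from the episode): the `TicketCache` class, its key layout, the peer names and the ticket values are all assumptions made for illustration. It contrasts a cache that files every late-arriving ticket under the remote host with one that records which peer sent it.

```python
# Simplified model of a TLS session-ticket cache (constructed for illustration;
# not libcurl code). Peer names and ticket values below are made up.
from typing import Optional

PROXY = "proxy.example"      # constructed HTTPS proxy name
ORIGIN = "origin.example"    # constructed remote server name


class TicketCache:
    """Stores TLS 1.3 tickets, which arrive after the handshake has finished."""

    def __init__(self, track_sender: bool):
        self.track_sender = track_sender
        self._store = {}

    def _key(self, transfer_host: str, peer: str, is_proxy: bool):
        if self.track_sender:
            # Hardened form: the sender's name and role are part of the key.
            return (peer, is_proxy)
        # Confused form: any ticket seen during the transfer is filed under
        # the remote host, as if only the host handshake could produce one.
        return (transfer_host, False)

    def on_new_ticket(self, transfer_host, peer, is_proxy, ticket: bytes):
        self._store[self._key(transfer_host, peer, is_proxy)] = ticket

    def lookup(self, transfer_host, peer, is_proxy) -> Optional[bytes]:
        return self._store.get(self._key(transfer_host, peer, is_proxy))


def ticket_offered_to_origin(cache: TicketCache) -> Optional[bytes]:
    """Replay the sequence: proxy handshake, late proxy ticket, host handshake."""
    # 1. The TLS 1.3 handshake with the proxy completes; CONNECT opens a tunnel.
    # 2. Only now, post-handshake, does the proxy's session ticket arrive.
    cache.on_new_ticket(ORIGIN, PROXY, True, b"ticket-from-proxy")
    # 3. Before the host handshake, the client looks for a resumable session.
    return cache.lookup(ORIGIN, ORIGIN, False)


def outcome(cache: TicketCache) -> str:
    ticket = ticket_offered_to_origin(cache)
    if ticket is None:
        return "full handshake with origin"
    return "resumption attempted with " + ticket.decode()


if __name__ == "__main__":
    print("sender not tracked:", outcome(TicketCache(track_sender=False)))
    print("sender tracked:    ", outcome(TicketCache(track_sender=True)))
```
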

Welcome to the Backend Engineering Show podcast with your host Hussein Nasser. If you like software engineering you’ve come to the right place. I discuss all sorts of software engineering technologies and news with specific focus on the backend. All opinions are my own. Most of my content in the podcast is an audio version of videos I post on my YouTube channel here http://www.youtube.com/c/HusseinNasser-software-engineering Buy me a coffee https://www.buymeacoffee.com/hnasr Courses I Teach https://husseinnasser.com/courses