httpConnectAgain should require the same X.509 certificate

Open michaelrsweet opened this issue 1 year ago • 1 comments

httpConnectAgain doesn't make sure that the new connection is using the same X.509 certificate as the original connection. The new connection should either have the same certificate or pass strict cupsGetCredentialsTrust tests.

Sep 26 '24 13:09 michaelrsweet

Note: Since the connection address is cached in http_t, exploiting this issue is non-trivial.

Sep 26 '24 13:09 michaelrsweet

[master 2a5a0a228] Re-validate server cert on re-connect (Issue #90)

Oct 12 '24 16:10 michaelrsweet