On Fri, 13 Sep 2019, Sebastian Haglund via curl-library wrote:
> While adding public key pinning to a cURL C++ wrapper, I discovered that setting the wrong public key after using the correct one still yields an OK result (expected CURLE_SSL_PINNEDPUBKEYNOTMATCH). It seems to be related to re-using the curl multi stack after curl_multi_perform().

Ack. The connection reuse logic doesn't seem to compare the CURLOPT_PINNEDPUBLICKEY arguments so a subsequent connection to the same host that otherwise matches can be reused even if the pinning now differs.
I'll write up a PR for this and get back.

-- 
 / daniel.haxx.se
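
The reuse decision discussed in this thread, as an added example that is not part of the original messages and is not curl's source code: a simplified C model comparing a reuse check that ignores the pin with one that requires the pin to match. All struct and function names are hypothetical, and the host and pin strings are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of a pooled connection (hypothetical, not curl's structs). */
struct conn { const char *host; int port; const char *pin; };
typedef int (*match_fn)(const struct conn *, const char *, int, const char *);

/* Constructed pool: one connection whose handshake was verified against pin A. */
static const struct conn pool[] = {
    { "example.test", 443, "sha256//CONSTRUCTED_PIN_A=" },
};

/* NULL-safe equality: two NULLs match, NULL against non-NULL does not. */
static int same_str(const char *a, const char *b)
{
    if (!a || !b) return a == b;
    return strcmp(a, b) == 0;
}

/* Reuse check as described in the reply: host and port only, pin ignored. */
int match_host_only(const struct conn *c, const char *host, int port, const char *pin)
{
    (void)pin;
    return same_str(c->host, host) && c->port == port;
}

/* Hardened check: the pin requested now must equal the pin the connection used. */
int match_pin_aware(const struct conn *c, const char *host, int port, const char *pin)
{
    return same_str(c->host, host) && c->port == port &&
           same_str(c->pin, pin);
}

/* Returns a reusable pooled connection, or NULL when a new handshake is needed. */
const struct conn *find_conn(match_fn match, const char *host, int port, const char *pin)
{
    for (size_t i = 0; i < sizeof pool / sizeof pool[0]; i++)
        if (match(&pool[i], host, port, pin))
            return &pool[i];
    return NULL;
}

int main(void)
{
    const char *wrong = "sha256//CONSTRUCTED_PIN_B=";
    printf("host-only check reuses: %d\n", find_conn(match_host_only, "example.test", 443, wrong) != NULL);
    printf("pin-aware check reuses: %d\n", find_conn(match_pin_aware, "example.test", 443, wrong) != NULL);
    return 0;
}
```

With the host-only check the second request never reaches a TLS handshake, so the changed pin is never evaluated; the pin-aware check forces a new connection on which the pin comparison can fail.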