> > Here's a pull request indicating that the curl team considers TLS
> > reuse safe: https://github.com/curl/curl/pull/1917. I believe they
> > consider it a vulnerability if you are able to make curl incorrectly
> > reuse a TLS session with differing TLS settings.
>
> Thank you. That would be useful to include in the “References” section
> of the RFC. Changing that one even during the vote seems legal to me,
> because it does not change the actual proposal.

I've added a reference and a 'Safety' subheading to explicitly call out your concern with CURL_LOCK_DATA_COOKIE, and to note that CURL_LOCK_DATA_CONNECT is safe per that pull request. As you noted, I have not changed the actual proposal, so I hope that this is okay.

Thanks,
Eric