cURL TLS 1.3 session ticket proxy host mixup Vulnerability

Published: 01 July 2025
Channel: Hussein Nasser

libcurl supports TLS 1.3 session tickets, enabled by default, to resume previous TLS sessions and speed up subsequent TLS handshakes.
When using an HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy, treating them as if they arrived from the remote server, and then wrongly "short-cut" the host handshake. The reason for this confusion is the changed sequence compared with TLS 1.2, where the session IDs were provided only during the TLS handshake, while in TLS 1.3 this happens post-handshake, and the code was not updated to take that changed behavior into account.

Make sure the proxy/host distinction is done correctly.

A fix for CVE-2021-22890

(The patch URL will change in the final published version of this advisory)
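
The confusion described above, as an added example that is not libcurl code and not from the video: a toy ticket cache in which a ticket sent by the proxy is filed under the remote host, next to the variant that records which peer sent it. The cache layout, function names and host names are assumptions made up for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Simplified model of a session-ticket cache; hypothetical names, not libcurl source. */
enum layer { LAYER_PROXY, LAYER_HOST };
struct entry { char name[64]; enum layer layer; char issuer[16]; int used; };
struct conn { const char *proxy_name, *host_name; };
#define SLOTS 8
static struct entry cache[SLOTS];

/* A TLS 1.3 ticket arrives post-handshake on layer `from`. honor_layer == 0 files
   it under the remote host regardless (the confusion); 1 files it under its sender. */
static void store_ticket(const struct conn *c, enum layer from,
                         const char *issuer, int honor_layer)
{
  enum layer key = honor_layer ? from : LAYER_HOST;
  const char *name = (key == LAYER_PROXY) ? c->proxy_name : c->host_name;
  for(int i = 0; i < SLOTS; i++) {
    if(cache[i].used) continue;
    snprintf(cache[i].name, sizeof(cache[i].name), "%s", name);
    snprintf(cache[i].issuer, sizeof(cache[i].issuer), "%s", issuer);
    cache[i].layer = key; cache[i].used = 1;
    return;
  }
}
/* Ticket to offer when resuming toward `name` on `layer`, or NULL if none. */
static const char *lookup_ticket(const char *name, enum layer layer)
{
  for(int i = 0; i < SLOTS; i++)
    if(cache[i].used && cache[i].layer == layer && !strcmp(cache[i].name, name))
      return cache[i].issuer;
  return NULL;
}

/* Only the proxy sends a ticket. Returns 1 if the host handshake would then
   be offered that proxy-issued ticket. Host names are constructed samples. */
static int host_offered_proxy_ticket(int honor_layer)
{
  struct conn c = { "proxy.example", "origin.example" };
  memset(cache, 0, sizeof(cache));
  store_ticket(&c, LAYER_PROXY, "proxy", honor_layer);
  const char *t = lookup_ticket(c.host_name, LAYER_HOST);
  return t && !strcmp(t, "proxy");
}
int main(void)
{
  printf("host offered proxy ticket: confused=%d layer-aware=%d\n",
         host_offered_proxy_ticket(0), host_offered_proxy_ticket(1));
  return 0;
}
```

With the layer recorded, the proxy's ticket stays retrievable for the proxy connection only, so the host handshake finds nothing to resume and runs in full.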


4:00 http connect
https://curl.se/docs/CVE-2021-22890.html


🎙️Listen to the Backend Engineering Podcast
https://husseinnasser.com/podcast

🏭 Backend Engineering Videos
https://backend.husseinnasser.com

💾 Database Engineering Videos
   • Database Engineering  

🏰 Load Balancing and Proxies Videos
   • Proxies  

🏛️ Software Architecture Videos
   • Software Architecture  

📩 Messaging Systems
   • Message Queues & PubSub Systems  

Become a Member
   / @hnasr  

Support me on PayPal
https://bit.ly/33ENps4


Stay Awesome,
Hussein