Curl fails to consider some security-related options when reusing TLS connections. For example:
CURLOPT_SSL_OPTIONS
CURLOPT_PROXY_SSL_OPTIONS
CURLOPT_CRLFILE
CURLOPT_PROXY_CRLFILE
CURLOPT_TLSAUTH_TYPE
CURLOPT_TLSAUTH_USERNAME
CURLOPT_TLSAUTH_PASSWORD
CURLOPT_PROXY_TLSAUTH_TYPE
CURLOPT_PROXY_TLSAUTH_USERNAME
CURLOPT_PROXY_TLSAUTH_PASSWORD
As a result, for example, a TLS connection with lower security (CURLSSLOPT_ALLOW_BEAST, CURLSSLOPT_NO_REVOKE) is reused when it should no longer be. Also, a connection that has been authenticated previously with CURLSSLOPT_AUTO_CLIENT_CERT might be reused for connections that should not be.
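The reuse decision described above, as an added example: a simplified model written for this page, not curl's own connection-matching code. The struct, the function names, the M_ flag names and the sample host and CRL path are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Model flags named after the libcurl bits on this page (not curl's header). */
#define M_ALLOW_BEAST (1L << 0)
#define M_NO_REVOKE   (1L << 1)

/* Security-relevant settings a cached connection was created with. */
struct tls_cfg {
    const char *host;
    int port;
    long ssl_options;       /* models CURLOPT_SSL_OPTIONS */
    const char *crlfile;    /* models CURLOPT_CRLFILE, NULL if unset */
    const char *tls_user;   /* models CURLOPT_TLSAUTH_USERNAME, NULL if unset */
};

/* NULL-safe string equality: two unset values match, set vs unset does not. */
static int same_str(const char *a, const char *b)
{
    if (!a || !b)
        return a == b;
    return strcmp(a, b) == 0;
}

/* The flawed check: only the endpoint decides whether a connection is reused. */
int reuse_endpoint_only(const struct tls_cfg *conn, const struct tls_cfg *want)
{
    return conn->port == want->port && same_str(conn->host, want->host);
}

/* Hardened check: every security setting must also be identical. */
int reuse_strict(const struct tls_cfg *conn, const struct tls_cfg *want)
{
    return reuse_endpoint_only(conn, want) &&
           conn->ssl_options == want->ssl_options &&
           same_str(conn->crlfile, want->crlfile) &&
           same_str(conn->tls_user, want->tls_user);
}

/* Constructed sample: first transfer skipped revocation checks, second must not. */
static const struct tls_cfg cached = { "example.test", 443, M_NO_REVOKE, NULL, NULL };
static const struct tls_cfg strict_req = { "example.test", 443, 0, "/etc/crl.pem", NULL };

int main(void)
{
    printf("endpoint-only: %d, strict: %d\n",
           reuse_endpoint_only(&cached, &strict_req), reuse_strict(&cached, &strict_req));
    return 0;
}
```

With the endpoint-only check, the second request silently inherits the connection that was set up without revocation checking; the strict check forces a new connection.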
CURLOPT_SSH_PUBLIC_KEYFILE
CURLOPT_SSH_PRIVATE_KEYFILE
If the attacker knows the vulnerable application used SSH key authentication towards a specific host with a certain username and protocol, they can then perform actions on the same host afterwards and abuse the connection reuse.