diff options
Diffstat (limited to 'nixpkgs/pkgs/tools/networking/curl/7.74.0-CVE-2021-22890.patch')
| -rw-r--r-- | nixpkgs/pkgs/tools/networking/curl/7.74.0-CVE-2021-22890.patch | 473 |
1 files changed, 0 insertions, 473 deletions
diff --git a/nixpkgs/pkgs/tools/networking/curl/7.74.0-CVE-2021-22890.patch b/nixpkgs/pkgs/tools/networking/curl/7.74.0-CVE-2021-22890.patch deleted file mode 100644 index 06cc3842e32f..000000000000 --- a/nixpkgs/pkgs/tools/networking/curl/7.74.0-CVE-2021-22890.patch +++ /dev/null @@ -1,473 +0,0 @@ -Based on upstream b09c8ee15771c614c4bf3ddac893cdb12187c844, adapted by ris mostly to -compensate for lack of bbe3aa9f881fa27fe828e3c9a36d6831f254a3ee - -diff --git a/lib/vtls/bearssl.c b/lib/vtls/bearssl.c -index 36c32d8d55be..39fc1a29209c 100644 ---- a/lib/vtls/bearssl.c -+++ b/lib/vtls/bearssl.c -@@ -375,7 +375,8 @@ static CURLcode bearssl_connect_step1(struct Curl_easy *data, - void *session; - - Curl_ssl_sessionid_lock(conn); -- if(!Curl_ssl_getsessionid(conn, &session, NULL, sockindex)) { -+ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, -+ &session, NULL, sockindex)) { - br_ssl_engine_set_session_parameters(&backend->ctx.eng, session); - infof(data, "BearSSL: re-using session ID\n"); - } -@@ -571,9 +572,13 @@ static CURLcode bearssl_connect_step3(struct Curl_easy *data, - br_ssl_engine_get_session_parameters(&backend->ctx.eng, session); - Curl_ssl_sessionid_lock(conn); -- incache = !(Curl_ssl_getsessionid(conn, &oldsession, NULL, sockindex)); -+ incache = !(Curl_ssl_getsessionid(conn, -+ SSL_IS_PROXY() ? TRUE : FALSE, -+ &oldsession, NULL, sockindex)); - if(incache) - Curl_ssl_delsessionid(conn, oldsession); -- ret = Curl_ssl_addsessionid(conn, session, 0, sockindex); -+ ret = Curl_ssl_addsessionid(conn, -+ SSL_IS_PROXY() ? TRUE : FALSE, -+ session, 0, sockindex); - Curl_ssl_sessionid_unlock(conn); - if(ret) { - free(session); -diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c -index a75937b4646c..3b0d940a60e1 100644 ---- a/lib/vtls/gtls.c -+++ b/lib/vtls/gtls.c -@@ -727,5 +727,7 @@ gtls_connect_step1(struct Curl_easy *data, - - Curl_ssl_sessionid_lock(conn); -- if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, &ssl_idsize, sockindex)) { -+ if(!Curl_ssl_getsessionid(conn, -+ SSL_IS_PROXY() ? TRUE : FALSE, -+ &ssl_sessionid, &ssl_idsize, sockindex)) { - /* we got a session id, use it! */ - gnutls_session_set_data(session, ssl_sessionid, ssl_idsize); -@@ -1286,8 +1287,9 @@ gtls_connect_step3(struct Curl_easy *data, - gnutls_session_get_data(session, connect_sessionid, &connect_idsize); - - Curl_ssl_sessionid_lock(conn); -- incache = !(Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, -- sockindex)); -+ incache = !(Curl_ssl_getsessionid(conn, -+ SSL_IS_PROXY() ? TRUE : FALSE, -+ &ssl_sessionid, NULL, sockindex)); - if(incache) { - /* there was one before in the cache, so instead of risking that the - previous one was rejected, we just kill that and store the new */ -@@ -1295,8 +1297,10 @@ gtls_connect_step3(struct Curl_easy *data, - } - - /* store this session id */ -- result = Curl_ssl_addsessionid(conn, connect_sessionid, connect_idsize, -- sockindex); -+ result = Curl_ssl_addsessionid(conn, -+ SSL_IS_PROXY() ? TRUE : FALSE, -+ connect_sessionid, connect_idsize, -+ sockindex); - Curl_ssl_sessionid_unlock(conn); - if(result) { - free(connect_sessionid); -diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c -index 95cd4d99b665..93a7ac1fd87d 100644 ---- a/lib/vtls/mbedtls.c -+++ b/lib/vtls/mbedtls.c -@@ -463,7 +463,9 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn, - void *old_session = NULL; - - Curl_ssl_sessionid_lock(conn); -- if(!Curl_ssl_getsessionid(conn, &old_session, NULL, sockindex)) { -+ if(!Curl_ssl_getsessionid(conn, -+ SSL_IS_PROXY() ? TRUE : FALSE, -+ &old_session, NULL, sockindex)) { - ret = mbedtls_ssl_set_session(&backend->ssl, old_session); - if(ret) { - Curl_ssl_sessionid_unlock(conn); -@@ -724,6 +726,7 @@ mbed_connect_step3(struct Curl_easy *data, struct connectdata *conn, - int ret; - mbedtls_ssl_session *our_ssl_sessionid; - void *old_ssl_sessionid = NULL; -+ bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE; - - our_ssl_sessionid = malloc(sizeof(mbedtls_ssl_session)); - if(!our_ssl_sessionid) -@@ -742,10 +745,12 @@ mbed_connect_step3(struct Curl_easy *data, struct connectdata *conn, - - /* If there's already a matching session in the cache, delete it */ - Curl_ssl_sessionid_lock(conn); -- if(!Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, sockindex)) -+ if(!Curl_ssl_getsessionid(conn, isproxy, &old_ssl_sessionid, NULL, -+ sockindex)) - Curl_ssl_delsessionid(conn, old_ssl_sessionid); - -- retcode = Curl_ssl_addsessionid(conn, our_ssl_sessionid, 0, sockindex); -+ retcode = Curl_ssl_addsessionid(conn, isproxy, our_ssl_sessionid, -+ 0, sockindex); - Curl_ssl_sessionid_unlock(conn); - if(retcode) { - mbedtls_ssl_session_free(our_ssl_sessionid); -diff --git a/lib/vtls/mesalink.c b/lib/vtls/mesalink.c -index 4f1ab8627f49..5d6a1495d790 100644 ---- a/lib/vtls/mesalink.c -+++ b/lib/vtls/mesalink.c -@@ -261,7 +261,9 @@ mesalink_connect_step1(struct Curl_easy *data, - void *ssl_sessionid = NULL; - - Curl_ssl_sessionid_lock(conn); -- if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) { -+ if(!Curl_ssl_getsessionid(conn, -+ SSL_IS_PROXY() ? TRUE : FALSE, -+ &ssl_sessionid, NULL, sockindex)) { - /* we got a session id, use it! */ - if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) { - Curl_ssl_sessionid_unlock(conn); -@@ -345,12 +347,14 @@ mesalink_connect_step3(struct connectdata *conn, int sockindex) - bool incache; - SSL_SESSION *our_ssl_sessionid; - void *old_ssl_sessionid = NULL; -+ bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE; - - our_ssl_sessionid = SSL_get_session(BACKEND->handle); - - Curl_ssl_sessionid_lock(conn); - incache = -- !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, sockindex)); -+ !(Curl_ssl_getsessionid(conn, isproxy, &old_ssl_sessionid, NULL, -+ sockindex)); - if(incache) { - if(old_ssl_sessionid != our_ssl_sessionid) { - infof(data, "old SSL session ID is stale, removing\n"); -@@ -361,8 +364,9 @@ mesalink_connect_step3(struct connectdata *conn, int sockindex) - } - - if(!incache) { -- result = Curl_ssl_addsessionid( -- conn, our_ssl_sessionid, 0 /* unknown size */, sockindex); -+ result = -+ Curl_ssl_addsessionid(conn, isproxy, our_ssl_sessionid, 0, -+ sockindex); - if(result) { - Curl_ssl_sessionid_unlock(conn); - failf(data, "failed to store ssl session"); -diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c -index 498f8b9d1d08..68b98984b460 100644 ---- a/lib/vtls/openssl.c -+++ b/lib/vtls/openssl.c -@@ -393,12 +393,23 @@ static int ossl_get_ssl_conn_index(void) - */ - static int ossl_get_ssl_sockindex_index(void) - { -- static int ssl_ex_data_sockindex_index = -1; -- if(ssl_ex_data_sockindex_index < 0) { -- ssl_ex_data_sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, -- NULL); -+ static int sockindex_index = -1; -+ if(sockindex_index < 0) { -+ sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); - } -- return ssl_ex_data_sockindex_index; -+ return sockindex_index; -+} -+ -+/* Return an extra data index for proxy boolean. -+ * This index can be used with SSL_get_ex_data() and SSL_set_ex_data(). -+ */ -+static int ossl_get_proxy_index(void) -+{ -+ static int proxy_index = -1; -+ if(proxy_index < 0) { -+ proxy_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); -+ } -+ return proxy_index; - } - - static int passwd_callback(char *buf, int num, int encrypting, -@@ -1174,6 +1185,7 @@ static int ossl_init(void) - - /* Initialize the extra data indexes */ -- if(ossl_get_ssl_conn_index() < 0 || ossl_get_ssl_sockindex_index() < 0) -+ if(ossl_get_ssl_conn_index() < 0 || -+ ossl_get_ssl_sockindex_index() < 0 || ossl_get_proxy_index() < 0) - return 0; - - return 1; -@@ -2432,8 +2443,10 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid) - curl_socket_t *sockindex_ptr; - int connectdata_idx = ossl_get_ssl_conn_index(); - int sockindex_idx = ossl_get_ssl_sockindex_index(); -+ int proxy_idx = ossl_get_proxy_index(); -+ bool isproxy; - -- if(connectdata_idx < 0 || sockindex_idx < 0) -+ if(connectdata_idx < 0 || sockindex_idx < 0 || proxy_idx < 0) - return 0; - - conn = (struct connectdata*) SSL_get_ex_data(ssl, connectdata_idx); -@@ -2446,13 +2459,18 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid) - sockindex_ptr = (curl_socket_t*) SSL_get_ex_data(ssl, sockindex_idx); - sockindex = (int)(sockindex_ptr - conn->sock); - -+ isproxy = SSL_get_ex_data(ssl, proxy_idx) ? TRUE : FALSE; -+ - if(SSL_SET_OPTION(primary.sessionid)) { - bool incache; - void *old_ssl_sessionid = NULL; - - Curl_ssl_sessionid_lock(conn); -- incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, -- sockindex)); -+ if(isproxy) -+ incache = FALSE; -+ else -+ incache = !(Curl_ssl_getsessionid(conn, isproxy, -+ &old_ssl_sessionid, NULL, sockindex)); - if(incache) { - if(old_ssl_sessionid != ssl_sessionid) { - infof(data, "old SSL session ID is stale, removing\n"); -@@ -2462,8 +2480,8 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid) - } - - if(!incache) { -- if(!Curl_ssl_addsessionid(conn, ssl_sessionid, -- 0 /* unknown size */, sockindex)) { -+ if(!Curl_ssl_addsessionid(conn, isproxy, ssl_sessionid, -+ 0 /* unknown size */, sockindex)) { - /* the session has been put into the session cache */ - res = 1; - } -@@ -3193,16 +3211,26 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, - void *ssl_sessionid = NULL; - int connectdata_idx = ossl_get_ssl_conn_index(); - int sockindex_idx = ossl_get_ssl_sockindex_index(); -+ int proxy_idx = ossl_get_proxy_index(); - -- if(connectdata_idx >= 0 && sockindex_idx >= 0) { -+ if(connectdata_idx >= 0 && sockindex_idx >= 0 && -+ proxy_idx >= 0) { - /* Store the data needed for the "new session" callback. - * The sockindex is stored as a pointer to an array element. */ - SSL_set_ex_data(backend->handle, connectdata_idx, conn); - SSL_set_ex_data(backend->handle, sockindex_idx, conn->sock + sockindex); -+#ifndef CURL_DISABLE_PROXY -+ SSL_set_ex_data(backend->handle, proxy_idx, SSL_IS_PROXY() ? (void *) 1: -+ NULL); -+#else -+ SSL_set_ex_data(backend->handle, proxy_idx, NULL); -+#endif -+ - } - - Curl_ssl_sessionid_lock(conn); -- if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) { -+ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE, -+ &ssl_sessionid, NULL, sockindex)) { - /* we got a session id, use it! */ - if(!SSL_set_session(backend->handle, ssl_sessionid)) { - Curl_ssl_sessionid_unlock(conn); -diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c -index d7b89d43f892..931bd853eb8e 100644 ---- a/lib/vtls/schannel.c -+++ b/lib/vtls/schannel.c -@@ -496,5 +496,7 @@ schannel_connect_step1(struct Curl_easy *data, struct connectdata *conn, - if(SSL_SET_OPTION(primary.sessionid)) { - Curl_ssl_sessionid_lock(conn); -- if(!Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL, sockindex)) { -+ if(!Curl_ssl_getsessionid(conn, -+ SSL_IS_PROXY() ? TRUE : FALSE, -+ (void **)&old_cred, NULL, sockindex)) { - BACKEND->cred = old_cred; - DEBUGF(infof(data, "schannel: re-using existing credential handle\n")); -@@ -1337,8 +1338,9 @@ schannel_connect_step3(struct Curl_easy *data, struct connectdata *conn, - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; - SECURITY_STATUS sspi_status = SEC_E_OK; - CERT_CONTEXT *ccert_context = NULL; -+ bool isproxy = SSL_IS_PROXY(); - #ifdef DEBUGBUILD -- const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name : -+ const char * const hostname = isproxy ? conn->http_proxy.host.name : - conn->host.name; - #endif - #ifdef HAS_ALPN -@@ -1414,8 +1416,8 @@ schannel_connect_step3(struct Curl_easy *data, struct connectdata *conn, - struct Curl_schannel_cred *old_cred = NULL; - - Curl_ssl_sessionid_lock(conn); -- incache = !(Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL, -- sockindex)); -+ incache = !(Curl_ssl_getsessionid(conn, isproxy, (void **)&old_cred, -+ NULL, sockindex)); - if(incache) { - if(old_cred != BACKEND->cred) { - DEBUGF(infof(data, -@@ -1426,7 +1428,7 @@ schannel_connect_step3(struct Curl_easy *data, struct connectdata *conn, - } - } - if(!incache) { -- result = Curl_ssl_addsessionid(conn, (void *)BACKEND->cred, -+ result = Curl_ssl_addsessionid(conn, isproxy, BACKEND->cred, - sizeof(struct Curl_schannel_cred), - sockindex); - if(result) { -diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c -index 05b57dfaad91..e69b99b72cd6 100644 ---- a/lib/vtls/sectransp.c -+++ b/lib/vtls/sectransp.c -@@ -1400,10 +1400,12 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data, - char * const ssl_cert = SSL_SET_OPTION(primary.clientcert); - const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob); - #ifndef CURL_DISABLE_PROXY -- const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name : -+ bool isproxy = SSL_IS_PROXY(); -+ const char * const hostname = isproxy ? conn->http_proxy.host.name : - conn->host.name; - const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port; - #else -+ const isproxy = FALSE; - const char * const hostname = conn->host.name; - const long int port = conn->remote_port; - #endif -@@ -1613,7 +1615,7 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data, - #ifdef USE_NGHTTP2 - if(data->state.httpversion >= CURL_HTTP_VERSION_2 - #ifndef CURL_DISABLE_PROXY -- && (!SSL_IS_PROXY() || !conn->bits.tunnel_proxy) -+ && (!isproxy || !conn->bits.tunnel_proxy) - #endif - ) { - CFArrayAppendValue(alpnArr, CFSTR(NGHTTP2_PROTO_VERSION_ID)); -@@ -1953,7 +1955,7 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data, - size_t ssl_sessionid_len; - - Curl_ssl_sessionid_lock(conn); -- if(!Curl_ssl_getsessionid(conn, (void **)&ssl_sessionid, -+ if(!Curl_ssl_getsessionid(conn, isproxy, (void **)&ssl_sessionid, - &ssl_sessionid_len, sockindex)) { - /* we got a session id, use it! */ - err = SSLSetPeerID(backend->ssl_ctx, ssl_sessionid, ssl_sessionid_len); -@@ -1981,7 +1983,7 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data, - return CURLE_SSL_CONNECT_ERROR; - } - -- result = Curl_ssl_addsessionid(conn, ssl_sessionid, ssl_sessionid_len, -+ result = Curl_ssl_addsessionid(conn, isproxy, ssl_sessionid, ssl_sessionid_len, - sockindex); - Curl_ssl_sessionid_unlock(conn); - if(result) { -diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c -index 6a0069237fdb..95fd6356285f 100644 ---- a/lib/vtls/vtls.c -+++ b/lib/vtls/vtls.c -@@ -367,5 +367,6 @@ void Curl_ssl_sessionid_unlock(struct Curl_easy *data) - */ - bool Curl_ssl_getsessionid(struct connectdata *conn, -+ const bool isProxy, - void **ssl_sessionid, - size_t *idsize, /* set 0 if unknown */ - int sockindex) -@@ -377,7 +378,6 @@ bool Curl_ssl_getsessionid(struct Curl_easy *data, - bool no_match = TRUE; - - #ifndef CURL_DISABLE_PROXY -- const bool isProxy = CONNECT_PROXY_SSL(); - struct ssl_primary_config * const ssl_config = isProxy ? - &conn->proxy_ssl_config : - &conn->ssl_config; -@@ -389,10 +389,15 @@ bool Curl_ssl_getsessionid(struct Curl_easy *data, - struct ssl_primary_config * const ssl_config = &conn->ssl_config; - const char * const name = conn->host.name; - int port = conn->remote_port; -- (void)sockindex; - #endif -+ (void)sockindex; - *ssl_sessionid = NULL; - -+#ifdef CURL_DISABLE_PROXY -+ if(isProxy) -+ return TRUE; -+#endif -+ - DEBUGASSERT(SSL_SET_OPTION(primary.sessionid)); - - if(!SSL_SET_OPTION(primary.sessionid)) -@@ -480,5 +485,6 @@ void Curl_ssl_delsessionid(struct Curl_easy *data, void *ssl_sessionid) - */ - CURLcode Curl_ssl_addsessionid(struct connectdata *conn, -+ bool isProxy, - void *ssl_sessionid, - size_t idsize, - int sockindex) -@@ -492,7 +498,6 @@ CURLcode Curl_ssl_addsessionid(struct Curl_easy *data, - int conn_to_port; - long *general_age; - #ifndef CURL_DISABLE_PROXY -- const bool isProxy = CONNECT_PROXY_SSL(); - struct ssl_primary_config * const ssl_config = isProxy ? - &conn->proxy_ssl_config : - &conn->ssl_config; -@@ -505,6 +510,7 @@ CURLcode Curl_ssl_addsessionid(struct Curl_easy *data, - const char *hostname = conn->host.name; - (void)sockindex; - #endif -+ (void)sockindex; - DEBUGASSERT(SSL_SET_OPTION(primary.sessionid)); - - clone_host = strdup(hostname); -diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h -index 273184f1894a..2b43e7744b19 100644 ---- a/lib/vtls/vtls.h -+++ b/lib/vtls/vtls.h -@@ -235,5 +235,6 @@ void Curl_ssl_sessionid_unlock(struct Curl_easy *data); - */ - bool Curl_ssl_getsessionid(struct connectdata *conn, -+ const bool isproxy, - void **ssl_sessionid, - size_t *idsize, /* set 0 if unknown */ - int sockindex); -@@ -245,5 +246,6 @@ bool Curl_ssl_getsessionid(struct Curl_easy *data, - */ - CURLcode Curl_ssl_addsessionid(struct connectdata *conn, -+ const bool isProxy, - void *ssl_sessionid, - size_t idsize, - int sockindex); -diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c -index 7159ac9d5e64..8fb2ea7acf31 100644 ---- a/lib/vtls/wolfssl.c -+++ b/lib/vtls/wolfssl.c -@@ -516,7 +516,9 @@ wolfssl_connect_step1(struct Curl_easy *data, struct connectdata *conn, - void *ssl_sessionid = NULL; - - Curl_ssl_sessionid_lock(conn); -- if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) { -+ if(!Curl_ssl_getsessionid(conn, -+ SSL_IS_PROXY() ? TRUE : FALSE, -+ &ssl_sessionid, NULL, sockindex)) { - /* we got a session id, use it! */ - if(!SSL_set_session(backend->handle, ssl_sessionid)) { - char error_buffer[WOLFSSL_MAX_ERROR_SZ]; -@@ -772,10 +774,11 @@ wolfssl_connect_step3(struct Curl_easy *data, struct connectdata *conn, - void *old_ssl_sessionid = NULL; - - our_ssl_sessionid = SSL_get_session(backend->handle); -+ bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE; - - Curl_ssl_sessionid_lock(conn); -- incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, -- sockindex)); -+ incache = !(Curl_ssl_getsessionid(conn, isproxy, -+ &old_ssl_sessionid, NULL, sockindex)); - if(incache) { - if(old_ssl_sessionid != our_ssl_sessionid) { - infof(data, "old SSL session ID is stale, removing\n"); -@@ -786,8 +789,8 @@ wolfssl_connect_step3(struct Curl_easy *data, struct connectdata *conn, - } - - if(!incache) { -- result = Curl_ssl_addsessionid(conn, our_ssl_sessionid, -- 0 /* unknown size */, sockindex); -+ result = Curl_ssl_addsessionid(conn, isproxy, our_ssl_sessionid, -+ 0, sockindex); - if(result) { - Curl_ssl_sessionid_unlock(conn); - failf(data, "failed to store ssl session"); |