
By default libcurl (and pycurl) supports SSL session reuse, meaning that for a case of sending subsequent HTTPS requests, the second one will use the SSL session ID and avoid the full handshake (basically pycurl.SSL_SESSIONID_CACHE is True).

When I tested it as:

import pycurl

c = pycurl.Curl()
c.setopt(c.URL, 'https://myserver:443/X')
c.setopt(c.COOKIEFILE, '')      # enable the in-memory cookie engine
c.setopt(c.VERBOSE, True)       # print TLS handshake details to stderr

c.perform()                     # first request: full TLS handshake

c.setopt(c.FRESH_CONNECT, 1)    # force a new TCP connection instead of reusing the open one
c.setopt(c.URL, 'https://myserver:443/Y')
c.perform()                     # second request: expected to resume the cached session
c.close()

I can see that pycurl uses the session ID for the second connection. However, once I add the client key and CA info (for mutual auth), it stops working, meaning that the client negotiates new SSL keys, which is undesirable.

import pycurl

c = pycurl.Curl()
c.setopt(c.URL, 'https://myserver:443/X')
c.setopt(c.COOKIEFILE, '')
c.setopt(c.VERBOSE, True)
c.setopt(pycurl.SSL_VERIFYHOST, 2)   # 2 = check that the server certificate matches the host name

# client certificate and private key for mutual TLS, plus the CA that signed the server certificate
c.setopt(c.SSLCERTTYPE, "PEM")
c.setopt(c.SSLKEYTYPE, "PEM")
client_cert = "ssl_keys/client/client_crt.pem"
ca_cert = "ssl_keys/ca/ca_crt.pem"
client_key = "ssl_keys/client/client_pr.pem"
c.setopt(c.SSLCERT, client_cert)
c.setopt(c.SSLKEY, client_key)
c.setopt(c.CAINFO, ca_cert)

c.perform()                                 # first request: full handshake with client auth
c.setopt(c.SSL_SESSIONID_CACHE, True)      # that doesn't matter really (it is already the default)
c.setopt(c.FRESH_CONNECT, 1)
c.setopt(c.URL, 'https://myserver:443/Y')
c.perform()                                 # second request: full handshake again, no resumption
c.close()

Any ideas?

Amir

1 Answer


curl disables "SSL session resumption" when client certificates are used for security purposes. See the TLS session resumption client cert bypass security advisory from August 2016 for specifics.

This feature could be made to work even with client certificates, but nobody has made the effort of writing the code for that to be done in a safe manner. I considered the use case to be small enough to take the easier route: disabling it for client certs.

Daniel Stenberg
  • aah... I see. Is there any way you know that I can do that in Python? None of the web client packages support this. Any way to trick pycurl for a workaround? – Amir Jan 17 '17 at 02:18
  • The limitation is in libcurl, so you'd have to improve the libcurl code to make it work. Or use something that isn't libcurl-based that supports SSL session resumption. – Daniel Stenberg Jan 17 '17 at 07:09
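The question relies on reading VERBOSE output by eye to tell whether the second request resumed the session. The following is an added example, not code from either poster nor from pycurl or libcurl, that does the same check programmatically: it hooks pycurl's DEBUGFUNCTION, keeps the INFOTYPE_TEXT lines for each perform(), and classifies the request as "resumed" or "full" handshake. It assumes the message strings libcurl's OpenSSL backend has used for these events ("SSL re-using session ID" in older releases, "SSL reusing session ..." in newer ones, and "SSL connection using <version> / <cipher>" on every handshake); those strings are a heuristic and may differ between libcurl versions and TLS backends. The server URL and file paths in the usage section are placeholders.

```python
import io
import re

# Assumed libcurl infof() strings (OpenSSL backend); treat them as a heuristic, not a stable API.
_REUSE_RE = re.compile(rb"SSL re-?using session", re.IGNORECASE)
_HANDSHAKE_RE = re.compile(rb"SSL connection using ")

INFOTYPE_TEXT = 0  # numeric value of pycurl.INFOTYPE_TEXT, spelled out so the parser needs no pycurl


def classify_debug_lines(lines):
    """Classify one perform()'s INFOTYPE_TEXT lines as 'resumed', 'full' or 'unknown'."""
    saw_handshake = False
    for line in lines:
        if _REUSE_RE.search(line):
            return "resumed"           # libcurl offered a cached session and the server accepted it
        if _HANDSHAKE_RE.search(line):
            saw_handshake = True       # a TLS connection was negotiated
    return "full" if saw_handshake else "unknown"


class ResumptionProbe:
    """Collects libcurl debug text for the current request; pass .debug_callback to DEBUGFUNCTION."""

    def __init__(self):
        self.lines = []

    def debug_callback(self, debug_type, debug_msg):
        # pycurl invokes this as callback(int, bytes) for every debug event
        if debug_type == INFOTYPE_TEXT:
            self.lines.append(debug_msg)

    def reset(self):
        self.lines = []

    def result(self):
        return classify_debug_lines(self.lines)


def probe_resumption(url, client_cert=None, client_key=None, ca_cert=None):
    """Send two requests on one handle (the second with FRESH_CONNECT, as in the question)
    and return the (first, second) classifications. Needs pycurl and a reachable server."""
    import pycurl  # imported here so the parser above works without pycurl installed

    probe = ResumptionProbe()
    c = pycurl.Curl()
    c.setopt(c.URL, url)
    c.setopt(c.WRITEDATA, io.BytesIO())        # discard response bodies
    c.setopt(c.VERBOSE, True)                  # VERBOSE is what feeds DEBUGFUNCTION
    c.setopt(c.DEBUGFUNCTION, probe.debug_callback)
    c.setopt(c.SSL_VERIFYPEER, 1)
    c.setopt(c.SSL_VERIFYHOST, 2)
    if client_cert:                            # mutual TLS: this is the case libcurl refuses to resume
        c.setopt(c.SSLCERT, client_cert)
        c.setopt(c.SSLKEY, client_key)
    if ca_cert:
        c.setopt(c.CAINFO, ca_cert)

    c.perform()
    first = probe.result()

    probe.reset()
    c.setopt(c.FRESH_CONNECT, 1)               # force a new TCP+TLS connection, so only the session cache can help
    c.perform()
    second = probe.result()
    c.close()
    return first, second


if __name__ == "__main__":
    # Placeholder values; point these at a test server and cert files to run the probe for real.
    print(probe_resumption("https://myserver:443/X",
                           client_cert="ssl_keys/client/client_crt.pem",
                           client_key="ssl_keys/client/client_pr.pem",
                           ca_cert="ssl_keys/ca/ca_crt.pem"))
```

With the question's first setup the result is expected to be `("full", "resumed")`; with client certificates configured, libcurl's behaviour described in the answer shows up as `("full", "full")`. Because the classification is string matching on debug output, re-check the patterns against the libcurl version and TLS backend actually in use before relying on it in a test suite.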