CVE 2016-5419
curl and libcurl before 7.50.1 do not prevent TLS session resumption when the client certificate has changed, which allows remote attackers to bypass intended restrictions by resuming a session.
See the
CVE page on Mitre.org
for more details.