invalidate SSL session if there is no valid client certificate

1 files changed, 8 insertions, 0 deletions

diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
index 8c72659d3..d87f77d54 100644
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -1430,6 +1430,10 @@ ngx_http_process_request(ngx_http_request_t *r)
                 ngx_log_error(NGX_LOG_INFO, c->log, 0,
                               "client SSL certificate verify error: (%l:%s)",
                               rc, X509_verify_cert_error_string(rc));
+
+                ngx_ssl_remove_cached_session(sscf->ssl.ctx,
+                                       (SSL_get0_session(c->ssl->connection)));
+
                 ngx_http_finalize_request(r, NGX_HTTPS_CERT_ERROR);
                 return;
             }
@@ -1439,6 +1443,10 @@ ngx_http_process_request(ngx_http_request_t *r)
             {
                 ngx_log_error(NGX_LOG_INFO, c->log, 0,
                               "client sent no required SSL certificate");
+
+                ngx_ssl_remove_cached_session(sscf->ssl.ctx,
+                                       (SSL_get0_session(c->ssl->connection)));
+
                 ngx_http_finalize_request(r, NGX_HTTPS_NO_CERT);
                 return;
             }