git.kaiwu.me - haproxy.git/commit

author	Christopher Faulet <cfaulet@haproxy.com>
	Fri, 5 Dec 2025 16:35:53 +0000 (17:35 +0100)
committer	Christopher Faulet <cfaulet@haproxy.com>
	Mon, 8 Dec 2025 14:22:01 +0000 (15:22 +0100)
commit	be998b590e4bb7c3f9272ca3574561f1e1294265
tree	9b6dbfdd8149dd91cb8e29aa22451c7b5e155f2a	tree \| snapshot
parent	5702009c8c2e24005026d098ef261574efed80d0	commit \| diff

MEDIUM: ssl/server: No longer store the SNI of cached TLS sessions

Thanks to the previous patch, "BUG/MEDIUM: ssl: Don't reuse TLS session
if the connection's SNI differs", it is no useless to store the SNI of
cached TLS sessions. This SNI is no longer tested and new connections
reusing a session must have the same SNI.

The main change here is for the ssl_sock_set_servername() function. It is no
longer possible to compare the SNI of the reused session with the one of the
new connection. So, the SNI is always set, with no other processing. Mainly,
the session is not destroyed when SNIs don't match. It means the commit
119a4084bf ("BUG/MEDIUM: ssl: for a handshake when server-side SNI changes")
is implicitly reverted.

It is good to note that it is unclear for me when and why the reused session
should be destroyed. Because I'm unable to reproduce any issue fixed by the
commit above.

This patch could be backported as far as 3.0 with the commit above.

include/haproxy/server-t.h		diff \| blob \| history
src/ssl_ckch.c		diff \| blob \| history
src/ssl_sock.c		diff \| blob \| history