From 420b42df1c6404956d1858e3c999e8d9288061a8 Mon Sep 17 00:00:00 2001
From: Olivier Houchard
Date: Tue, 9 Dec 2025 16:25:40 +0100
Subject: [PATCH] BUG/MEDIUM: ssl: Don't resume session for check connections

Don't attempt to use stored sessions when creating new check connections, as the check SSL parameters might be different from the server's ones. This has not been proven to be a problem yet, but it doesn't mean it can't be, and this should be backported up to 2.8 along with dcce9369129f6ca9b8eed6b451c0e20c226af2e3 if it is.
---
 src/ssl_sock.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index cfe7f7de1..6f3c88d1d 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -4198,7 +4198,8 @@ static int ssl_sess_new_srv_cb(SSL *ssl, SSL_SESSION *sess)
 	 * or releasing it.
 	 */
-	if (!(s->ssl_ctx.options & SRV_SSL_O_NO_REUSE)) {
+	if (!(conn->flags & CO_FL_SSL_NO_CACHED_INFO) &&
+	    !(s->ssl_ctx.options & SRV_SSL_O_NO_REUSE)) {
 		int len;
 		unsigned char *ptr;
 #ifdef USE_QUIC
@@ -5686,6 +5687,12 @@ int ssl_sock_srv_try_reuse_sess(struct ssl_sock_ctx *ctx, struct server *srv)
 	struct connection *conn = ctx->conn;
 #endif
 
+	/*
+	 * Always fail for check connections
+	 */
+	if (conn->flags & CO_FL_SSL_NO_CACHED_INFO)
+		return 0;
+
 	HA_RWLOCK_RDLOCK(SSL_SERVER_LOCK, &srv->ssl_ctx.lock);
 	if (srv->ssl_ctx.reused_sess[tid].ptr) {
 		const unsigned char *ptr;
-- 
2.47.3
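Review bot: The widened condition in ssl_sess_new_srv_cb now mixes a per-connection flag with a per-server option but carries no comment saying why a connection-level flag should keep a session out of the server-wide cache, while the second hunk does document its side. A reader of the callback alone cannot tell that CO_FL_SSL_NO_CACHED_INFO marks connections (per the commit message, health checks) whose SSL parameters may differ from the server's, so storing their session for reuse by regular traffic would be wrong. I would add, above the `if`, `/* Never cache sessions from connections flagged CO_FL_SSL_NO_CACHED_INFO (e.g. checks): their SSL parameters may differ from the server's and must not be reused by regular traffic. */`. ssl_sess_new_srv_cb starts and ends outside the hunk, and its old-side line count suggests one leading context line was lost in transit, so where `conn` is declared and checked is not visible here.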
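Review bot: The new early return in ssl_sock_srv_try_reuse_sess dereferences `conn` unconditionally, yet the only declaration of `conn` visible in the hunk (`struct connection *conn = ctx->conn;`) sits immediately before an `#endif`, so it appears to live inside a preprocessor-conditional block whose `#if` is outside the hunk. If that block is not compiled in some configurations, the added `conn->flags` access would fail to compile as an undeclared identifier there; this is inferred from the visible `#endif` and should be confirmed against the function's opening lines. If the declaration is indeed conditional, either hoist it above the `#if`, or write the check as `if (ctx->conn->flags & CO_FL_SSL_NO_CACHED_INFO)` so it does not depend on the conditional local. The function's start and end lie outside the hunk.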