BUG/MEDIUM: ssl: Don't resume session for check connections
authorOlivier Houchard <ohouchard@haproxy.com>
Tue, 9 Dec 2025 15:25:40 +0000 (16:25 +0100)
committerOlivier Houchard <cognet@ci0.org>
Tue, 9 Dec 2025 15:45:54 +0000 (16:45 +0100)
Don't attempt to use stored sessions when creating new check
connections, as the check SSL parameters might be different from the
server's ones.
This has not been proven to be a problem yet, but it doesn't mean it
can't be, and this should be backported up to 2.8 along with
dcce9369129f6ca9b8eed6b451c0e20c226af2e3 if it is.

src/ssl_sock.c

index cfe7f7de195f860d7b8559f5fcacfb4fbc214b1a..6f3c88d1d7338fb43edf983f61853089f50168a1 100644 (file)
@@ -4198,7 +4198,8 @@ static int ssl_sess_new_srv_cb(SSL *ssl, SSL_SESSION *sess)
         * or releasing it.
         */
 
-       if (!(s->ssl_ctx.options & SRV_SSL_O_NO_REUSE)) {
+       if (!(conn->flags & CO_FL_SSL_NO_CACHED_INFO) &&
+           !(s->ssl_ctx.options & SRV_SSL_O_NO_REUSE)) {
                int len;
                unsigned char *ptr;
 #ifdef USE_QUIC
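Review bot: The new condition in ssl_sess_new_srv_cb gives no hint why a connection flag now gates the server-side session store, and a reader maintaining the reuse path later will not know that CO_FL_SSL_NO_CACHED_INFO marks check connections whose SSL settings may differ from the server's; I would add `/* Check connections (CO_FL_SSL_NO_CACHED_INFO) may use different SSL settings than the server, never store their sessions for reuse. */` above the `if`. ssl_sess_new_srv_cb's body starts before this hunk, so I could not confirm where `conn` is obtained or whether it is already known non-NULL at this point; if it can be NULL on this path the flag test would need to be guarded.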
@@ -5686,6 +5687,12 @@ int ssl_sock_srv_try_reuse_sess(struct ssl_sock_ctx *ctx, struct server *srv)
        struct connection *conn = ctx->conn;
 #endif
 
+       /*
+        * Always fail for check connections
+        */
+       if (conn->flags & CO_FL_SSL_NO_CACHED_INFO)
+               return 0;
+
        HA_RWLOCK_RDLOCK(SSL_SERVER_LOCK, &srv->ssl_ctx.lock);
        if (srv->ssl_ctx.reused_sess[tid].ptr) {
                const unsigned char *ptr;
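Review bot: The added early return dereferences `conn` unconditionally, but the only visible declaration of `conn` (`struct connection *conn = ctx->conn;`) sits immediately before an `#endif`, which suggests it is only declared under a preprocessor condition whose `#if` lies above the hunk; if so, builds without that option will fail with an undeclared identifier. Either hoist the declaration out of the conditional block, or make the check independent of it: `if (ctx->conn->flags & CO_FL_SSL_NO_CACHED_INFO)`. The comment would also read better stating the reason rather than only the action, e.g. `/* Never reuse a stored session for check connections: their SSL parameters may differ from the server's. */`. ssl_sock_srv_try_reuse_sess starts before this hunk and its body continues past it.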