From: Olivier Houchard Date: Tue, 9 Dec 2025 15:25:40 +0000 (+0100) Subject: BUG/MEDIUM: ssl: Don't resume session for check connections X-Git-Tag: v3.4-dev1~6 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=420b42df1c6404956d1858e3c999e8d9288061a8;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: ssl: Don't resume session for check connections Don't attempt to use stored sessions when creating new check connections, as the check SSL parameters might be different from the server's ones. This has not been proven to be a problem yet, but it doesn't mean it can't be, and this should be backported up to 2.8 along with dcce9369129f6ca9b8eed6b451c0e20c226af2e3 if it is. --- diff --git a/src/ssl_sock.c b/src/ssl_sock.c index cfe7f7de1..6f3c88d1d 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -4198,7 +4198,8 @@ static int ssl_sess_new_srv_cb(SSL *ssl, SSL_SESSION *sess) * or releasing it. */ - if (!(s->ssl_ctx.options & SRV_SSL_O_NO_REUSE)) { + if (!(conn->flags & CO_FL_SSL_NO_CACHED_INFO) && + !(s->ssl_ctx.options & SRV_SSL_O_NO_REUSE)) { int len; unsigned char *ptr; #ifdef USE_QUIC @@ -5686,6 +5687,12 @@ int ssl_sock_srv_try_reuse_sess(struct ssl_sock_ctx *ctx, struct server *srv) struct connection *conn = ctx->conn; #endif + /* + * Always fail for check connections + */ + if (conn->flags & CO_FL_SSL_NO_CACHED_INFO) + return 0; + HA_RWLOCK_RDLOCK(SSL_SERVER_LOCK, &srv->ssl_ctx.lock); if (srv->ssl_ctx.reused_sess[tid].ptr) { const unsigned char *ptr;
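Review bot: in the ssl_sess_new_srv_cb hunk, the new condition dereferences `conn`, but the visible context shows no declaration of it, and in the second hunk the equivalent `struct connection *conn = ctx->conn;` sits directly before an `#endif`, i.e. inside a preprocessor conditional. Please confirm that `conn` is in scope in this callback for every build configuration (with and without USE_QUIC, which appears just below the added lines); otherwise a build without that define fails on an undeclared identifier. The existing comment above the condition ("or releasing it") should also mention that connections carrying CO_FL_SSL_NO_CACHED_INFO never store a session, so both exemptions are documented at the same place. Since the hunk relies on CO_FL_SSL_NO_CACHED_INFO, the backport note in the commit message is the right call: dcce9369129f6ca9b8eed6b451c0e20c226af2e3 has to land first or this will not compile on 2.8.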
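Review bot: in the ssl_sock_srv_try_reuse_sess hunk, the early `return 0` is correctly placed before HA_RWLOCK_RDLOCK (nothing to unlock), but the `conn` it reads is declared as `struct connection *conn = ctx->conn;` immediately followed by `#endif`, so the declaration looks conditional while the new use is unconditional. Either hoist the declaration out of the conditional or guard the new test the same way, and check that a build without the relevant define still compiles. The comment `Always fail for check connections` describes the caller rather than the flag; wording it as "never reuse a stored session when CO_FL_SSL_NO_CACHED_INFO is set (check connections)" keeps it accurate if the flag is ever set elsewhere. Worth stating in the comment as well that the consequence is a full handshake on every check connection, which is the behaviour the commit message intends.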