From: Joshua Rogers Date: Tue, 7 Oct 2025 02:31:18 +0000 (+0800) Subject: openssl: skip session resumption when verifystatus is set X-Git-Tag: rc-8_17_0-3~280 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4bfd7a961521e1fd6aab7610e931d82a342781a8;p=thirdparty%2Fcurl.git openssl: skip session resumption when verifystatus is set Resumed TLS sessions skip OCSP stapled-response verification. Force a full handshake so verifystatus() runs. Closes #18902
---
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 039eb51c9a..fb5cc18362 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -3727,6 +3727,7 @@ ossl_init_session_and_alpns(struct ossl_ctx *octx,
 Curl_ossl_init_session_reuse_cb *sess_reuse_cb)
 {
 struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
+ struct ssl_primary_config *conn_cfg = Curl_ssl_cf_get_primary_config(cf);
 struct alpn_spec alpns;
 char error_buffer[256];
 CURLcode result;
@@ -3734,7 +3735,7 @@ ossl_init_session_and_alpns(struct ossl_ctx *octx,
 Curl_alpn_copy(&alpns, alpns_requested);
 octx->reused_session = FALSE;
- if(ssl_config->primary.cache_session) {
+ if(ssl_config->primary.cache_session && !conn_cfg->verifystatus) {
 struct Curl_ssl_session *scs = NULL;
 result = Curl_ssl_scache_take(cf, data, peer->scache_key, &scs);
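Review bot: The extended condition `if(ssl_config->primary.cache_session && !conn_cfg->verifystatus)` in the second hunk has no comment saying why verifystatus turns session reuse off, so the guard reads as arbitrary and is easy to drop in a later cleanup, which would bring back resumed connections whose stapled OCSP response is never checked. I would put `/* a resumed session skips the stapled OCSP check, so verifystatus needs a full handshake */` directly above the `if`. The guard also disables resumption silently; a short trace line on that path would help someone diagnosing why handshakes are never resumed, if the file's logging conventions allow it. Only the take side of the session cache is visible here, and ossl_init_session_and_alpns continues past the end of the hunk, so whether sessions are still stored when verifystatus is set cannot be judged from this diff.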