From: Christopher Faulet Date: Fri, 5 Dec 2025 15:23:53 +0000 (+0100) Subject: MINOR: ssl: Compare hashes instead of SNIs when a session is cached X-Git-Tag: v3.4-dev1~23 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=92f77cb3e6b2532a285643863d6fd26e53f4cc24;p=thirdparty%2Fhaproxy.git MINOR: ssl: Compare hashes instead of SNIs when a session is cached This patch relies on the commit "MINOR: ssl: Store hash of the SNI for cached TLS sessions". We now use the hash of the SNIs instead of the SNIs themselves to know if we must update the cached SNI or not.
---
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index a6d213f56..d3eabacda 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -4202,6 +4202,7 @@ static int ssl_sess_new_srv_cb(SSL *ssl, SSL_SESSION *sess)
 int len;
 unsigned char *ptr;
 const char *sni;
+ uint64_t sni_hash;
 #ifdef USE_QUIC
 struct quic_conn *qc = SSL_get_ex_data(ssl, ssl_qc_app_data_index);
 #endif
@@ -4246,20 +4247,13 @@ static int ssl_sess_new_srv_cb(SSL *ssl, SSL_SESSION *sess)
 else if (s->ssl_ctx.reused_sess[tid].ptr && !old_tid)
 HA_ATOMIC_CAS(&s->ssl_ctx.last_ssl_sess_tid, &old_tid, tid + 1);
- if (s->ssl_ctx.reused_sess[tid].sni) {
- /* if the new sni is empty or isn' t the same as the old one */
- if ((!sni) || strcmp(s->ssl_ctx.reused_sess[tid].sni, sni) != 0) {
- ha_free(&s->ssl_ctx.reused_sess[tid].sni);
- s->ssl_ctx.reused_sess[tid].sni_hash = 0;
- if (sni) {
- s->ssl_ctx.reused_sess[tid].sni = strdup(sni);
- s->ssl_ctx.reused_sess[tid].sni_hash = ssl_sock_sni_hash(ist(sni));
- }
- }
- } else if (sni) {
- /* if there wasn't an old sni but there is a new one */
- s->ssl_ctx.reused_sess[tid].sni = strdup(sni);
- s->ssl_ctx.reused_sess[tid].sni_hash = ssl_sock_sni_hash(ist(sni));
+ sni_hash = (sni ? ssl_sock_sni_hash(ist(sni)) : 0);
+ if (s->ssl_ctx.reused_sess[tid].sni_hash != sni_hash) {
+ /* if the new sni hash isn' t the same as the old one */
+ s->ssl_ctx.reused_sess[tid].sni_hash = sni_hash;
+ ha_free(&s->ssl_ctx.reused_sess[tid].sni);
+ if (sni)
+ s->ssl_ctx.reused_sess[tid].sni = strdup(sni);
 }
 #ifdef USE_QUIC
 /* The selected ALPN is not stored without SSL session. */
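Review bot: A failed `strdup()` now leaves `reused_sess[tid]` permanently inconsistent, because `sni_hash` is stored before the copy is attempted: on the next callback with the same name the `!=` test is false, no copy is retried, and `.sni` stays NULL while `.sni_hash` claims that name is cached (the removed code recovered on the next call through its `else if (sni)` branch). Only commit the hash once the copy exists, and reset `.sni_hash` to 0 whenever no string is stored, as sketched below. Comparing hashes also means two names with the same 64-bit hash, or a real name whose hash happens to be 0 (the value used here for "no SNI"), are treated as unchanged; if `ssl_sock_sni_hash` is not collision-resistant against names a client can influence, keep `strcmp()` as the tie-breaker when the hashes match and both strings are present. The enclosing `ssl_sess_new_srv_cb` starts and ends outside this hunk.
```c
	sni_hash = (sni ? ssl_sock_sni_hash(ist(sni)) : 0);
	if (s->ssl_ctx.reused_sess[tid].sni_hash != sni_hash) {
		/* the SNI changed: drop the old copy and store the new one */
		ha_free(&s->ssl_ctx.reused_sess[tid].sni);
		s->ssl_ctx.reused_sess[tid].sni_hash = 0;
		if (sni) {
			s->ssl_ctx.reused_sess[tid].sni = strdup(sni);
			/* record the hash only once the copy exists, so a failed
			 * strdup() is retried on the next callback
			 */
			if (s->ssl_ctx.reused_sess[tid].sni)
				s->ssl_ctx.reused_sess[tid].sni_hash = sni_hash;
		}
	}
```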