From: Mark Esler Date: Sat, 16 May 2026 22:07:15 +0000 (-0700) Subject: vtls_scache: include signature_algorithms in the SSL peer cache key X-Git-Tag: rc-8_21_0-1~120 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8a86fa13f39142407d84531559dcd2230d08c034;p=thirdparty%2Fcurl.git vtls_scache: include signature_algorithms in the SSL peer cache key Curl_ssl_peer_key_make() omitted ssl->signature_algorithms, although match_ssl_primary_config() compares the field. Two handles differing only in CURLOPT_SSL_SIGNATURE_ALGORITHMS therefore shared a peer key and could resume each other's sessions across a shared CURLSH SSL session cache. Add :SIGALGS-%s next to the other ssl_primary_config fields. Closes #21651 --- diff --git a/lib/vtls/vtls_scache.c b/lib/vtls/vtls_scache.c index 9efb8208ea..900a2b90a0 100644 --- a/lib/vtls/vtls_scache.c +++ b/lib/vtls/vtls_scache.c @@ -223,6 +223,12 @@ CURLcode Curl_ssl_peer_key_make(struct Curl_cfilter *cf, if(r) goto out; } + if(ssl->signature_algorithms) { + r = curlx_dyn_addf(&buf, ":SIGALGS-%s", + ssl->signature_algorithms); + if(r) + goto out; + } if(ssl->verifypeer) { r = cf_ssl_peer_key_add_path(&buf, "CA", ssl->CAfile, &is_local); if(r)
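Review bot: In the added `if(ssl->signature_algorithms)` block, the option string is appended verbatim through `%s`, while `:` is also the character that introduces each key field (`":SIGALGS-%s"`). Signature algorithm lists are commonly colon-separated, so it is worth confirming that a value containing `:` followed by text resembling a later field cannot make two different configurations produce the same peer key. A short comment stating why that is safe, or escaping the value, would settle it. The verbatim append also means two spellings of the same list yield different keys, which only costs a cache miss and is the safe direction. The diff touches only lib/vtls/vtls_scache.c, so a regression test would be a useful addition: two handles on one shared CURLSH SSL session cache that differ only in CURLOPT_SSL_SIGNATURE_ALGORITHMS, asserting that the second does not resume the first's session.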