url: do not reuse a non-tls starttls connection if new requires TLS
authorDaniel Stenberg <daniel@haxx.se>
Tue, 24 Mar 2026 07:35:08 +0000 (08:35 +0100)
committerDaniel Stenberg <daniel@haxx.se>
Wed, 25 Mar 2026 10:23:37 +0000 (11:23 +0100)
Reported-by: Arkadi Vainbrand
Closes #21082

lib/url.c

index 860009a7eb0da2e3633830b5b2c514b45f10d506..cffd10215ef1809bb0b2cc1b0d53582759d4d9ff 100644 (file)
--- a/lib/url.c
+++ b/lib/url.c
@@ -723,7 +723,7 @@ struct url_conn_match {
   BIT(want_proxy_ntlm_http);
   BIT(want_nego_http);
   BIT(want_proxy_nego_http);
-
+  BIT(req_tls); /* require TLS use from a clear-text start */
   BIT(wait_pipe);
   BIT(force_reuse);
   BIT(seen_pending_conn);
@@ -875,6 +875,9 @@ static bool url_match_ssl_use(struct connectdata *conn,
        (get_protocol_family(conn->scheme) != m->needle->scheme->protocol))
       return FALSE;
   }
+  else if(m->req_tls)
+    /* a clear-text STARTTLS protocol with required TLS */
+    return FALSE;
   return TRUE;
 }
 
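Review bot: The new `else if(m->req_tls)` branch rejects every candidate whose needle protocol lacks the SSL flag without looking at whether the candidate connection itself has already been upgraded to TLS via STARTTLS, so an already-encrypted session is now never reused by a transfer that demands TLS. If the first `if` tests `Curl_conn_is_ssl(conn, FIRSTSOCKET)` (its condition lies outside the hunk), the same predicate could narrow the new branch: `else if(m->req_tls && !Curl_conn_is_ssl(conn, FIRSTSOCKET))`. That keeps the fix — a clear-text connection is never handed to a transfer requiring TLS — while restoring reuse for upgraded sessions; confirm that the filter chain reflects a completed STARTTLS upgrade before relying on it. The comment would then read `/* clear-text candidate, but this transfer requires TLS */`, describing the check rather than the protocol class.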
@@ -1333,6 +1336,7 @@ static bool url_attach_existing(struct Curl_easy *data,
     (needle->scheme->protocol & PROTO_FAMILY_HTTP);
 #endif
 #endif
+  match.req_tls = data->set.use_ssl >= CURLUSESSL_CONTROL;
 
   /* Find a connection in the pool that matches what "data + needle"
    * requires. If a suitable candidate is found, it is attached to "data". */
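Review bot: The threshold `>= CURLUSESSL_CONTROL` is the important part of this line and deserves a comment, since it deliberately leaves CURLUSESSL_TRY transfers free to reuse clear-text connections: `/* TRY is best-effort; only CONTROL and ALL make TLS mandatory */`. A boolean also collapses CONTROL and ALL into one level, so a pooled connection negotiated for control-channel protection only could presumably still be matched to a transfer that asked for ALL; whether data-channel protection is re-negotiated on reuse is not visible here and is worth confirming. The enclosing function url_attach_existing starts before the hunk.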