From 777f62cfb70d44eaa624f99a75666725b593db20 Mon Sep 17 00:00:00 2001 From: Willy Tarreau Date: Mon, 21 Aug 2023 12:04:01 +0200 Subject: [PATCH] MINOR: server/ssl: clear the shared good session index on failure If we fail to set the session using SSL_set_session(), we want to quickly erase our index from the shared one so that any other thread with a valid session replaces it. --- src/ssl_sock.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 679ae2e78..90bc7be91 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -5752,6 +5752,9 @@ static int ssl_sock_init(struct connection *conn, void **xprt_ctx) SSL_SESSION *sess = d2i_SSL_SESSION(NULL, &ptr, srv->ssl_ctx.reused_sess[tid].size); if (sess && !SSL_set_session(ctx->ssl, sess)) { + uint old_tid = HA_ATOMIC_LOAD(&srv->ssl_ctx.last_ssl_sess_tid); // 0=none, >0 = tid + 1 + if (old_tid == tid + 1) + HA_ATOMIC_CAS(&srv->ssl_ctx.last_ssl_sess_tid, &old_tid, 0); // no more valid SSL_SESSION_free(sess); HA_RWLOCK_WRLOCK(SSL_SERVER_LOCK, &srv->ssl_ctx.reused_sess[tid].sess_lock); ha_free(&srv->ssl_ctx.reused_sess[tid].ptr);