From 92f77cb3e6b2532a285643863d6fd26e53f4cc24 Mon Sep 17 00:00:00 2001
From: Christopher Faulet
Date: Fri, 5 Dec 2025 16:23:53 +0100
Subject: [PATCH] MINOR: ssl: Compare hashes instead of SNIs when a session is cached

This patch relies on the commit "MINOR: ssl: Store hash of the SNI for cached TLS sessions". We now use the hash of the SNIs instead of the SNIs themselves to know if we must update the cached SNI or not.
---
 src/ssl_sock.c | 22 ++++++++-------------
 1 file changed, 8 insertions(+), 14 deletions(-)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index a6d213f56..d3eabacda 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -4202,6 +4202,7 @@ static int ssl_sess_new_srv_cb(SSL *ssl, SSL_SESSION *sess)
 	int len;
 	unsigned char *ptr;
 	const char *sni;
+	uint64_t sni_hash;
 #ifdef USE_QUIC
 	struct quic_conn *qc = SSL_get_ex_data(ssl, ssl_qc_app_data_index);
 #endif
@@ -4246,20 +4247,13 @@ static int ssl_sess_new_srv_cb(SSL *ssl, SSL_SESSION *sess)
 	else if (s->ssl_ctx.reused_sess[tid].ptr && !old_tid)
 		HA_ATOMIC_CAS(&s->ssl_ctx.last_ssl_sess_tid, &old_tid, tid + 1);
 
-	if (s->ssl_ctx.reused_sess[tid].sni) {
-		/* if the new sni is empty or isn' t the same as the old one */
-		if ((!sni) || strcmp(s->ssl_ctx.reused_sess[tid].sni, sni) != 0) {
-			ha_free(&s->ssl_ctx.reused_sess[tid].sni);
-			s->ssl_ctx.reused_sess[tid].sni_hash = 0;
-			if (sni) {
-				s->ssl_ctx.reused_sess[tid].sni = strdup(sni);
-				s->ssl_ctx.reused_sess[tid].sni_hash = ssl_sock_sni_hash(ist(sni));
-			}
-		}
-	} else if (sni) {
-		/* if there wasn't an old sni but there is a new one */
-		s->ssl_ctx.reused_sess[tid].sni = strdup(sni);
-		s->ssl_ctx.reused_sess[tid].sni_hash = ssl_sock_sni_hash(ist(sni));
+	sni_hash = (sni ? ssl_sock_sni_hash(ist(sni)) : 0);
+	if (s->ssl_ctx.reused_sess[tid].sni_hash != sni_hash) {
+		/* if the new sni hash isn' t the same as the old one */
+		s->ssl_ctx.reused_sess[tid].sni_hash = sni_hash;
+		ha_free(&s->ssl_ctx.reused_sess[tid].sni);
+		if (sni)
+			s->ssl_ctx.reused_sess[tid].sni = strdup(sni);
 	}
 #ifdef USE_QUIC
 	/* The selected ALPN is not stored without SSL session. */
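Review bot: With the hash now the only thing that decides whether the cached name is refreshed, a failed `strdup(sni)` on the last added line leaves `sni_hash` set to the new value while `sni` stays NULL after `ha_free`, and the next callback carrying the same SNI sees equal hashes and never retries the copy — the removed `else if (sni)` branch used to recover on the next call. Resetting the hash when the copy fails keeps the two fields consistent and restores that retry; see the fence. The comparison also treats hash equality as name equality, so if `ssl_sock_sni_hash()` (not visible here) can return 0 for a real name or two names can collide, the cached string is silently kept for a different server name; that assumption is worth stating above the comparison, e.g. `/* 0 is reserved for "no SNI": ssl_sock_sni_hash() must never return 0 for a real name */`. ssl_sess_new_srv_cb() starts and ends outside the hunk.
```c
	sni_hash = (sni ? ssl_sock_sni_hash(ist(sni)) : 0);
	if (s->ssl_ctx.reused_sess[tid].sni_hash != sni_hash) {
		/* … unchanged: hash update and ha_free() of the old name … */
		if (sni) {
			s->ssl_ctx.reused_sess[tid].sni = strdup(sni);
			/* keep hash and name consistent: on allocation failure drop
			 * the hash so the next callback retries instead of trusting
			 * a name we never stored */
			if (!s->ssl_ctx.reused_sess[tid].sni)
				s->ssl_ctx.reused_sess[tid].sni_hash = 0;
		}
	}
```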