From e0de0a6b326ac17624c597a63c3b3c5a35faab54 Mon Sep 17 00:00:00 2001
From: William Lallemand
Date: Wed, 3 Feb 2021 18:51:01 +0100
Subject: [PATCH] MINOR: ssl/cli: flush the server session cache upon 'commit ssl cert'

Flush the SSL session cache when updating a certificate which is used on a server line. This prevent connections to be established with a cached session which was using the previous SSL_CTX. This patch also replace the ha_barrier with a thread_isolate() since there are more operations to do. The reg-test was also updated to remove the 'no-ssl-reuse' keyword which is now uneeded.

---
 reg-tests/ssl/set_ssl_server_cert.vtc | 2 +-
 src/ssl_ckch.c | 11 ++++++++++-
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/reg-tests/ssl/set_ssl_server_cert.vtc b/reg-tests/ssl/set_ssl_server_cert.vtc
index 412e9f05bd..ccf78873b3 100644
--- a/reg-tests/ssl/set_ssl_server_cert.vtc
+++ b/reg-tests/ssl/set_ssl_server_cert.vtc
@@ -34,7 +34,7 @@ haproxy h1 -conf {
 listen clear-lst
 bind "fd@${clearlst}"
 retries 0 # 2nd SSL connection must fail so skip the retry
- server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/client1.pem no-ssl-reuse
+ server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/client1.pem
 listen ssl-lst
 # crt: certificate of the server
diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index e8a20c38d3..6932526355 100644
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@@ -1399,17 +1399,26 @@ static int cli_io_handler_commit_cert(struct appctx *appctx)
 list_for_each_entry_safe(ckchi, ckchis, &new_ckchs->ckch_inst, by_ckchs) {
 /* The bind_conf will be null on server ckch_instances. */
 if (ckchi->is_server_instance) {
+ int i;
+
 /* The certificate update on the server side (backend)
 * can be done by rewritting a single pointer so no
 * locks are needed here. */
 /* free the server current SSL_CTX */
 SSL_CTX_free(ckchi->server->ssl_ctx.ctx);
 /* Actual ssl context update */
+ thread_isolate();
 SSL_CTX_up_ref(ckchi->ctx);
 ckchi->server->ssl_ctx.ctx = ckchi->ctx;
- __ha_barrier_store();
 ckchi->server->ssl_ctx.inst = ckchi;
+ /* flush the session cache of the server */
+ for (i = 0; i < global.nbthread; i++) {
+ free(ckchi->server->ssl_ctx.reused_sess[i].ptr);
+ ckchi->server->ssl_ctx.reused_sess[i].ptr = NULL;
+ }
+ thread_release();
+
 } else {
 HA_RWLOCK_WRLOCK(SNI_LOCK, &ckchi->bind_conf->sni_lock);
 ssl_sock_load_cert_sni(ckchi, ckchi->bind_conf);
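Review bot: The new `thread_isolate();` is entered only after `SSL_CTX_free(ckchi->server->ssl_ctx.ctx);` has already released the old context, so between that free and the pointer swap two lines later `server->ssl_ctx.ctx` still points at freed memory while the other threads keep running; if any of them can start a backend handshake from that pointer in the window (the reason the isolation was added in the first place), that is a use-after-free rather than merely a stale session. Moving the isolation up so that `thread_isolate();` precedes the `SSL_CTX_free(...)` line closes the window at no extra cost, since the section is isolated anyway for the cache flush. The surviving comment `can be done by rewritting a single pointer so no locks are needed here` no longer describes the code and should be replaced by something like `/* Swap the backend ctx and flush its session cache under thread_isolate() so no other thread can observe a half-updated server. */`. The list_for_each_entry_safe() loop and cli_io_handler_commit_cert() itself continue outside the hunk.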