RepoMirrors
/
haproxy
mirror of http://git.haproxy.org/git/haproxy.git/
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
haproxy/include
History
William Lallemand e18d4e8286 BUG/MEDIUM: ssl: backend TLS resumption with sni and TLSv1.3 
When establishing an outboud connection, haproxy checks if the cached
TLS session has the same SNI as the connection we are trying to
resume.

This test was done by calling SSL_get_servername() which in TLSv1.2
returned the SNI. With TLSv1.3 this is not the case anymore and this
function returns NULL, which invalidates any outboud connection we are
trying to resume if it uses the sni keyword on its server line.

This patch fixes the problem by storing the SNI in the "reused_sess"
structure beside the session itself.

The ssl_sock_set_servername() now has a RWLOCK because this session
cache entry could be accessed by the CLI when trying to update a
certificate on the backend.

This fix must be backported in every maintained version, however the
RWLOCK only exists since version 2.4.
 		2021-11-19 03:58:30 +01:00
..
haproxy BUG/MEDIUM: ssl: backend TLS resumption with sni and TLSv1.3 2021-11-19 03:58:30 +01:00
import REORG: ebtree: split structures into their own file ebtree-t.h 2021-10-07 01:41:14 +02:00