MINOR: ssl/cli: flush the server session cache upon 'commit ssl cert'
Flush the SSL session cache when updating a certificate which is used on a
server line. This prevent connections to be established with a cached
session which was using the previous SSL_CTX.
This patch also replace the ha_barrier with a thread_isolate() since there
are more operations to do. The reg-test was also updated to remove the
'no-ssl-reuse' keyword which is now uneeded.
diff --git a/reg-tests/ssl/set_ssl_server_cert.vtc b/reg-tests/ssl/set_ssl_server_cert.vtc
index 412e9f0..ccf7887 100644
--- a/reg-tests/ssl/set_ssl_server_cert.vtc
+++ b/reg-tests/ssl/set_ssl_server_cert.vtc
@@ -34,7 +34,7 @@
listen clear-lst
bind "fd@${clearlst}"
retries 0 # 2nd SSL connection must fail so skip the retry
- server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/client1.pem no-ssl-reuse
+ server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/client1.pem
listen ssl-lst
# crt: certificate of the server
diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index e8a20c3..6932526 100644
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@@ -1399,17 +1399,26 @@
list_for_each_entry_safe(ckchi, ckchis, &new_ckchs->ckch_inst, by_ckchs) {
/* The bind_conf will be null on server ckch_instances. */
if (ckchi->is_server_instance) {
+ int i;
+
/* The certificate update on the server side (backend)
* can be done by rewritting a single pointer so no
* locks are needed here. */
/* free the server current SSL_CTX */
SSL_CTX_free(ckchi->server->ssl_ctx.ctx);
/* Actual ssl context update */
+ thread_isolate();
SSL_CTX_up_ref(ckchi->ctx);
ckchi->server->ssl_ctx.ctx = ckchi->ctx;
- __ha_barrier_store();
ckchi->server->ssl_ctx.inst = ckchi;
+ /* flush the session cache of the server */
+ for (i = 0; i < global.nbthread; i++) {
+ free(ckchi->server->ssl_ctx.reused_sess[i].ptr);
+ ckchi->server->ssl_ctx.reused_sess[i].ptr = NULL;
+ }
+ thread_release();
+
} else {
HA_RWLOCK_WRLOCK(SNI_LOCK, &ckchi->bind_conf->sni_lock);
ssl_sock_load_cert_sni(ckchi, ckchi->bind_conf);