MINOR: ssl/cli: flush the server session cache upon 'commit ssl cert'

Flush the SSL session cache when updating a certificate which is used on a
server line. This prevent connections to be established with a cached
session which was using the previous SSL_CTX.

This patch also replace the ha_barrier with a thread_isolate() since there
are more operations to do. The reg-test was also updated to remove the
'no-ssl-reuse' keyword which is now uneeded.

diff --git a/reg-tests/ssl/set_ssl_server_cert.vtc b/reg-tests/ssl/set_ssl_server_cert.vtc
index 412e9f0..ccf7887 100644 (file)
--- a/reg-tests/ssl/set_ssl_server_cert.vtc
+++ b/reg-tests/ssl/set_ssl_server_cert.vtc
@@ -34,7 +34,7 @@ haproxy h1 -conf {
     listen clear-lst
         bind "fd@${clearlst}"
         retries 0 # 2nd SSL connection must fail so skip the retry
-        server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/client1.pem no-ssl-reuse
+        server s1 "${tmpdir}/ssl.sock" ssl verify none crt ${testdir}/client1.pem
 
     listen ssl-lst
         # crt: certificate of the server

diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index e8a20c3..6932526 100644 (file)
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@@ -1399,17 +1399,26 @@ static int cli_io_handler_commit_cert(struct appctx *appctx)
                                list_for_each_entry_safe(ckchi, ckchis, &new_ckchs->ckch_inst, by_ckchs) {
                                        /* The bind_conf will be null on server ckch_instances. */
                                        if (ckchi->is_server_instance) {
+                                               int i;
+
                                                /* The certificate update on the server side (backend)
                                                 * can be done by rewritting a single pointer so no
                                                 * locks are needed here. */
                                                /* free the server current SSL_CTX */
                                                SSL_CTX_free(ckchi->server->ssl_ctx.ctx);
                                                /* Actual ssl context update */
+                                               thread_isolate();
                                                SSL_CTX_up_ref(ckchi->ctx);
                                                ckchi->server->ssl_ctx.ctx = ckchi->ctx;
-                                               __ha_barrier_store();
                                                ckchi->server->ssl_ctx.inst = ckchi;
 
+                                               /* flush the session cache of the server */
+                                               for (i = 0; i < global.nbthread; i++) {
+                                                       free(ckchi->server->ssl_ctx.reused_sess[i].ptr);
+                                                       ckchi->server->ssl_ctx.reused_sess[i].ptr = NULL;
+                                               }
+                                               thread_release();
+
                                        } else {
                                                HA_RWLOCK_WRLOCK(SNI_LOCK, &ckchi->bind_conf->sni_lock);
                                                ssl_sock_load_cert_sni(ckchi, ckchi->bind_conf);