openssl: when verifystatus fails, remove session id from cache

To prevent that it gets used in a subsequent transfer that skips the verifystatus check since that check can't be done when the session id is reused. Reported-by: Hiroki Kurosawa Closes #12760
curl · Jan 23, 2024 · c28e947 · c28e947
1 parent 3f08d80
commit c28e947
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
@@ -4351,6 +4351,20 @@ static CURLcode servercert(struct Curl_cfilter *cf,
     /* don't do this after Session ID reuse */
     result = verifystatus(cf, data);
     if(result) {
+      /* when verifystatus failed, remove the session id from the cache again
+         if present */
+      if(!Curl_ssl_cf_is_proxy(cf)) {
+        void *old_ssl_sessionid = NULL;
+        bool incache;
+        Curl_ssl_sessionid_lock(data);
+        incache = !(Curl_ssl_getsessionid(cf, data, &old_ssl_sessionid, NULL));
+        if(incache) {
+          infof(data, "Remove session ID again from cache");
+          Curl_ssl_delsessionid(data, old_ssl_sessionid);
+        }
+        Curl_ssl_sessionid_unlock(data);
+      }
+
       X509_free(backend->server_cert);
       backend->server_cert = NULL;
       return result;