From c28e9478cb2548848eca9b765d0d409bfb18668c Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Mon, 22 Jan 2024 23:54:08 +0100
Subject: [PATCH] openssl: when verifystatus fails, remove session id from cache

To prevent that it gets used in a subsequent transfer that skips the verifystatus check since that check can't be done when the session id is reused.

Reported-by: Hiroki Kurosawa
Closes #12760
---
 lib/vtls/openssl.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 0e36dc6aa7..8d6087022b 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -4351,6 +4351,20 @@ static CURLcode servercert(struct Curl_cfilter *cf,
 /* don't do this after Session ID reuse */
 result = verifystatus(cf, data);
 if(result) {
+ /* when verifystatus failed, remove the session id from the cache again if present */
+ if(!Curl_ssl_cf_is_proxy(cf)) {
+ void *old_ssl_sessionid = NULL;
+ bool incache;
+ Curl_ssl_sessionid_lock(data);
+ incache = !(Curl_ssl_getsessionid(cf, data, &old_ssl_sessionid, NULL));
+ if(incache) {
+ infof(data, "Remove session ID again from cache");
+ Curl_ssl_delsessionid(data, old_ssl_sessionid);
+ }
+ Curl_ssl_sessionid_unlock(data);
+ }
+
 X509_free(backend->server_cert);
 backend->server_cert = NULL;
 return result;
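Review bot: The removal is gated on `if(!Curl_ssl_cf_is_proxy(cf))`, so when verifystatus() fails on a proxy TLS filter the session cached for that connection is left in place and could be resumed later with the check skipped, which is exactly the condition the commit message describes; whether servercert() runs verifystatus for proxy filters is not visible in this hunk, so either the proxy case needs the same cleanup or a comment saying why it is excluded. The added comment also states only what is done, not why it matters; since the context line above says `/* don't do this after Session ID reuse */`, the comment would be clearer as `/* verifystatus is skipped on session reuse, so a session cached for this connection must not survive a failed check: drop it from the cache */`. With the flag used only once, `bool incache;` and the separate assignment could collapse into `if(!Curl_ssl_getsessionid(cf, data, &old_ssl_sessionid, NULL)) {` under the lock. servercert() begins and ends outside the hunk.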