apache · duke8253 · Feb 25, 2021 · Feb 24, 2021 · maskit · Feb 25, 2021
diff --git a/iocore/net/P_SSLUtils.h b/iocore/net/P_SSLUtils.h
@@ -144,6 +144,10 @@ void setTLSValidProtocols(SSL *ssl, unsigned long proto_mask, unsigned long max_
 // Used as part of the lookup key into the origin server session cache
 std::string get_sni_addr(SSL *ssl);
 
+// Helper functions to retrieve server verify policy and properties from a SSL object
+// Used as part of the lookup key into the origin server session cache
+std::string get_verify_str(SSL *ssl);
+
 namespace ssl
 {
 namespace detail

diff --git a/iocore/net/SSLClientUtils.cc b/iocore/net/SSLClientUtils.cc
@@ -161,11 +161,8 @@ ssl_new_session_callback(SSL *ssl, SSL_SESSION *sess)
 {
   std::string sni_addr = get_sni_addr(ssl);
   if (!sni_addr.empty()) {
-    SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
-    std::stringstream ctx_ss;
-    ctx_ss << static_cast<const void *>(ctx);
     std::string lookup_key;
-    ts::bwprint(lookup_key, "{}:{}", sni_addr.c_str(), ctx_ss.str().c_str());
+    ts::bwprint(lookup_key, "{}:{}:{}", sni_addr.c_str(), SSL_get_SSL_CTX(ssl), get_verify_str(ssl));
     origin_sess_cache->insert_session(lookup_key, sess);
     return 1;
   } else {

diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
@@ -1997,11 +1997,8 @@ SSLConnect(SSL *ssl)
   if (!sess && SSLConfigParams::origin_session_cache == 1 && SSLConfigParams::origin_session_cache_size > 0) {
     std::string sni_addr = get_sni_addr(ssl);
     if (!sni_addr.empty()) {
-      SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
-      std::stringstream ctx_ss;
-      ctx_ss << static_cast<const void *>(ctx);
       std::string lookup_key;
-      ts::bwprint(lookup_key, "{}:{}", sni_addr.c_str(), ctx_ss.str().c_str());
+      ts::bwprint(lookup_key, "{}:{}:{}", sni_addr.c_str(), SSL_get_SSL_CTX(ssl), get_verify_str(ssl));
 
       Debug("ssl.origin_session_cache", "origin session cache lookup key = %s", lookup_key.c_str());
 
@@ -2065,6 +2062,54 @@ get_sni_addr(SSL *ssl)
   return sni_addr;
 }
 
+std::string
+get_verify_str(SSL *ssl)
+{
+  std::string verify_str;
+
+  SSLNetVConnection *netvc = SSLNetVCAccess(ssl);
+  if (netvc != nullptr) {
+    std::string policy_str;
+    switch (netvc->options.verifyServerPolicy) {
+    case YamlSNIConfig::Policy::DISABLED:
+      policy_str.assign("DISABLED");
+      break;
+    case YamlSNIConfig::Policy::PERMISSIVE:
+      policy_str.assign("PERMISSIVE");
+      break;
+    case YamlSNIConfig::Policy::ENFORCED:
+      policy_str.assign("ENFORCED");
+      break;
+    case YamlSNIConfig::Policy::UNSET:
+      policy_str.assign("UNSET");
+      break;
+    }
+
+    std::string property_str;
+    switch (netvc->options.verifyServerProperties) {
+    case YamlSNIConfig::Property::NONE:
+      property_str.assign("NONE");
+      break;
+    case YamlSNIConfig::Property::SIGNATURE_MASK:
+      property_str.assign("SIGNATURE_MASK");
+      break;
+    case YamlSNIConfig::Property::NAME_MASK:
+      property_str.assign("NAME_MASK");
+      break;
+    case YamlSNIConfig::Property::ALL_MASK:
+      property_str.assign("ALL_MASK");
+      break;
+    case YamlSNIConfig::Property::UNSET:
+      property_str.assign("UNSET");
+      break;
+    }
+
+    ts::bwprint(verify_str, "{}:{}", policy_str.c_str(), property_str.c_str());
+  }
+
+  return verify_str;
+}
+
 /**
  * Process the config to pull out the list of file names, and process the certs to get the list
  * of subject and sni names.  Thanks to dual cert configurations, there may be mulitple files of each type.