shreemaan-abhishek opened a new pull request, #13587: URL: https://github.com/apache/apisix/pull/13587
### Description

When an HTTPS/GRPCS upstream sets its client certificate via `tls.client_cert_id` (referencing an SSL object) rather than an inline `tls.client_cert`, the keepalive connection pool name did not include any cert identifier. The pool name only appended `tls.client_cert` (the inline PEM). For upstreams referencing certs by id, that field is empty, so two upstreams pointing at the same backend host/port/SNI but using different `client_cert_id`s collapsed into the same pool and could reuse each other's already-established TLS connections.

This change appends `tls.client_cert_id` to the pool name when an inline cert is not present, so connections established with different referenced client certs are kept in separate pools.

A regression test in `t/node/upstream-keepalive-pool.t` sets up two upstreams to the same backend with different `client_cert_id`s and asserts their connections are not shared (it fails before this change and passes after).

#### Which issue(s) this PR fixes:

Fixes #

### Checklist

- [x] I have explained the need for this PR and the problem it solves
- [x] I have explained the changes or the new features added to this PR
- [x] I have added tests corresponding to this change
- [ ] I have updated the documentation to reflect this change
- [x] I have verified that this change is backward compatible (If not, please discuss on the [APISIX mailing list](https://github.com/apache/apisix/tree/master#community) first)

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
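The pool-name collision described in this message, as an added Lua example that is not APISIX source and not part of the pull request. `tls.client_cert` and `tls.client_cert_id` are the fields the description names; the function names, the `#`-joined key layout, the toy pool and the two sample upstreams are assumptions constructed for illustration.

```lua
-- Added illustration, not APISIX source. tls.client_cert and tls.client_cert_id
-- are the fields named in the PR; function names, the "#" key layout and the
-- sample upstreams are constructed for this example.
local function base_name(up)
    return up.scheme .. "#" .. up.host .. "#" .. up.port .. "#" .. up.sni
end

-- Before: only the inline PEM contributes to the pool name.
local function pool_name_before(up)
    local name = base_name(up)
    if up.tls and up.tls.client_cert then
        name = name .. "#" .. up.tls.client_cert
    end
    return name
end

-- After: fall back to the referenced SSL object id when no inline cert is set.
local function pool_name_after(up)
    local name = base_name(up)
    local tls = up.tls or {}
    if tls.client_cert then
        name = name .. "#" .. tls.client_cert
    elseif tls.client_cert_id then
        name = name .. "#" .. tls.client_cert_id
    end
    return name
end

-- Toy keepalive pool: an idle connection remembers which client cert was
-- presented in its TLS handshake and is handed back to any later request
-- whose pool name matches.
local function cert_seen_by_backend(pool_name, first, second)
    local pools = {}
    local function request(up)
        local key = pool_name(up)
        pools[key] = pools[key] or { presented = up.tls.client_cert_id }
        return pools[key].presented
    end
    request(first)          -- first upstream handshakes and parks the connection
    return request(second)  -- cert the backend associates with the second request
end

-- Constructed upstreams: same backend and SNI, different referenced certs.
local a = { scheme = "https", host = "127.0.0.1", port = 8443,
            sni = "backend.test", tls = { client_cert_id = "cert-a" } }
local b = { scheme = "https", host = "127.0.0.1", port = 8443,
            sni = "backend.test", tls = { client_cert_id = "cert-b" } }

print("before:", cert_seen_by_backend(pool_name_before, a, b))
print("after: ", cert_seen_by_backend(pool_name_after, a, b))
```

With the old key, the second upstream's request rides a connection authenticated with the first upstream's certificate; with the id in the key, each upstream gets its own pool and its own handshake.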
