shreemaan-abhishek opened a new pull request, #13587:
URL: https://github.com/apache/apisix/pull/13587

### Description

When an HTTPS/GRPCS upstream sets its client certificate via `tls.client_cert_id` (referencing an SSL object) rather than an inline `tls.client_cert`, the keepalive connection pool name did not include any cert identifier.

The pool name only appended `tls.client_cert` (the inline PEM). For upstreams referencing certs by id, that field is empty, so two upstreams pointing at the same backend host/port/SNI but using different `client_cert_id`s collapsed into the same pool and could reuse each other's already-established TLS connections.

This change appends `tls.client_cert_id` to the pool name when an inline cert is not present, so connections established with different referenced client certs are kept in separate pools.

A regression test in `t/node/upstream-keepalive-pool.t` sets up two upstreams to the same backend with different `client_cert_id`s and asserts their connections are not shared (it fails before this change and passes after).

#### Which issue(s) this PR fixes:
Fixes #

### Checklist

- [x] I have explained the need for this PR and the problem it solves
- [x] I have explained the changes or the new features added to this PR
- [x] I have added tests corresponding to this change
- [ ] I have updated the documentation to reflect this change
- [x] I have verified that this change is backward compatible (If not, please discuss on the [APISIX mailing list](https://github.com/apache/apisix/tree/master#community) first)
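The pooling mistake described in this PR is easy to reproduce with a toy keepalive pool. The following is an added illustration, not APISIX code and not the PR's patch: the pool-name layout (`host:port:scheme:sni:...`), the `Conn`/`KeepalivePool` classes and the constructed upstream dicts are all assumptions made for the example. The `pool_name_before` function mirrors the old behaviour (only an inline `tls.client_cert` contributes to the name); `pool_name_after` mirrors the fix (fall back to `tls.client_cert_id` when no inline cert is present). `reuse_crosses_identity` acquires a connection for one upstream, returns it to the pool, then acquires for the second upstream and reports whether the connection it got was established under a different client identity.

```python
"""Toy keepalive pool showing why the pool key must carry the client-cert identity.

Constructed example, not APISIX code. The pool-name format below is an
assumption for illustration, not APISIX's actual format.
"""
import hashlib
from dataclasses import dataclass

# Constructed upstream objects: same backend host/port/scheme/SNI,
# different referenced client certificates (client_cert_id), and a
# third one using an inline PEM instead of a reference.
UPSTREAM_CERT_A = {
    "host": "backend.internal", "port": 443, "scheme": "https",
    "sni": "backend.internal", "tls": {"client_cert_id": "ssl-cert-a"},
}
UPSTREAM_CERT_B = {
    "host": "backend.internal", "port": 443, "scheme": "https",
    "sni": "backend.internal", "tls": {"client_cert_id": "ssl-cert-b"},
}
UPSTREAM_INLINE = {
    "host": "backend.internal", "port": 443, "scheme": "https",
    "sni": "backend.internal",
    "tls": {"client_cert": "-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----"},
}


def _base_name(up: dict) -> str:
    # Assumed layout: everything that selects the TCP/TLS endpoint.
    return f"{up['host']}:{up['port']}:{up['scheme']}:{up.get('sni', '')}"


def _inline_digest(pem: str) -> str:
    # Hash the PEM so the pool key stays short and does not embed the cert.
    return hashlib.sha256(pem.encode()).hexdigest()[:16]


def pool_name_before(up: dict) -> str:
    """Old behaviour: only an inline client cert contributes to the key."""
    name = _base_name(up)
    inline = up.get("tls", {}).get("client_cert")
    if inline:
        name += ":cert:" + _inline_digest(inline)
    return name


def pool_name_after(up: dict) -> str:
    """Fixed behaviour: fall back to client_cert_id when there is no inline cert."""
    name = _base_name(up)
    tls = up.get("tls", {})
    inline = tls.get("client_cert")
    if inline:
        name += ":cert:" + _inline_digest(inline)
    elif tls.get("client_cert_id"):
        name += ":cert_id:" + tls["client_cert_id"]
    return name


def client_identity(up: dict) -> str:
    """The client identity a freshly established connection would carry."""
    tls = up.get("tls", {})
    if tls.get("client_cert"):
        return "inline:" + _inline_digest(tls["client_cert"])
    if tls.get("client_cert_id"):
        return "id:" + tls["client_cert_id"]
    return "none"


@dataclass
class Conn:
    pool: str       # pool key the connection was created under
    identity: str   # client cert the TLS handshake was performed with


class KeepalivePool:
    """Minimal idle-connection pool keyed by a caller-supplied naming function."""

    def __init__(self, name_fn):
        self.name_fn = name_fn
        self.idle: dict[str, list[Conn]] = {}

    def acquire(self, up: dict) -> Conn:
        name = self.name_fn(up)
        if self.idle.get(name):
            return self.idle[name].pop()          # reuse, whatever identity it has
        return Conn(pool=name, identity=client_identity(up))  # new handshake

    def release(self, conn: Conn) -> None:
        self.idle.setdefault(conn.pool, []).append(conn)


def reuse_crosses_identity(name_fn, first: dict, second: dict) -> bool:
    """True if `second` is handed a connection established under `first`'s identity."""
    pool = KeepalivePool(name_fn)
    conn = pool.acquire(first)
    pool.release(conn)                     # goes idle, eligible for reuse
    reused = pool.acquire(second)
    return reused.identity != client_identity(second)


if __name__ == "__main__":
    print("before:", reuse_crosses_identity(pool_name_before, UPSTREAM_CERT_A, UPSTREAM_CERT_B))
    print("after: ", reuse_crosses_identity(pool_name_after, UPSTREAM_CERT_A, UPSTREAM_CERT_B))
```

With the old naming both referenced-cert upstreams resolve to the same key, so the second upstream is handed a connection that already completed its TLS handshake with the first upstream's certificate; with the fix the keys differ and each upstream gets its own handshake. The same check passes for an inline cert versus a referenced one, since the two contribute different key components.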


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
