
Define a bounded capacity for the internal SNI to SslContext cache. #6102

Merged: vietj merged 1 commit into 5.0 from unbounded-sni-cache-growth-5.0 on May 5, 2026

Conversation

@vietj (Member)

@vietj vietj commented May 5, 2026

Motivation:

The SNI to SslContext cache does not define a max size; this cache can be filled by a TLS client when server SNI is enabled.

A client can trigger loading the same SslContext for a given certificate multiple times, using arbitrary SNI names, when the server uses certificates with a wildcard CN.

Changes:

Introduce a max size based on an LRU policy for the cache with a reasonable default.

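The fix described above bounds the SNI-keyed cache with an LRU policy so that an arbitrary number of distinct server names cannot grow it without limit. The following is an added illustration of that pattern and is not Vert.x's own code: the class name `BoundedSniCache` is hypothetical, a `String` stands in for the `SslContext` value, and the loader, capacity and sample SNI names are constructed for the demonstration.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.function.Function;

/**
 * Constructed illustration of a bounded, LRU-evicting cache keyed by SNI server name.
 * Not Vert.x code: V is a placeholder for whatever context object the server caches
 * (an SslContext in the real implementation).
 */
public final class BoundedSniCache<V> {

    private final int maxSize;
    private final Map<String, V> entries;

    public BoundedSniCache(int maxSize) {
        if (maxSize <= 0) {
            throw new IllegalArgumentException("maxSize must be positive");
        }
        this.maxSize = maxSize;
        // accessOrder=true orders iteration least-recently-used first, so
        // removeEldestEntry evicts the LRU entry once the capacity is exceeded.
        this.entries = new LinkedHashMap<String, V>(16, 0.75f, true) {
            @Override
            protected boolean removeEldestEntry(Map.Entry<String, V> eldest) {
                return size() > BoundedSniCache.this.maxSize;
            }
        };
    }

    /** Returns the cached value for serverName, loading it on a miss; synchronized for concurrent handshakes. */
    public synchronized V get(String serverName, Function<String, V> loader) {
        V ctx = entries.get(serverName);
        if (ctx == null) {
            ctx = loader.apply(serverName);
            entries.put(serverName, ctx);
        }
        return ctx;
    }

    /** Current number of cached entries; never exceeds maxSize. */
    public synchronized int size() {
        return entries.size();
    }

    public static void main(String[] args) {
        // Constructed scenario: 100 distinct SNI names all match one wildcard certificate.
        // With an unbounded map each name would add an entry; here the cache stays at 8.
        BoundedSniCache<String> cache = new BoundedSniCache<>(8);
        for (int i = 0; i < 100; i++) {
            String sni = "host" + i + ".example.com";
            cache.get(sni, name -> "context for *.example.com (requested as " + name + ")");
        }
        System.out.println("entries after 100 distinct SNI names: " + cache.size());
    }
}
```

The capacity is the operator's lever: it should be sized to the number of distinct server names the deployment legitimately serves, since a value that is too small turns every handshake for an evicted name into a fresh context load, while a value that is too large recreates the unbounded growth the change removes.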
@vietj vietj force-pushed the unbounded-sni-cache-growth-5.0 branch from 01991e3 to cde2517 on May 5, 2026 06:28
@vietj vietj added this to the 5.0.12 milestone May 5, 2026
@vietj vietj self-assigned this May 5, 2026
@vietj vietj added the bug label May 5, 2026
@vietj vietj merged commit c64a707 into 5.0 May 5, 2026
7 checks passed
@vietj vietj deleted the unbounded-sni-cache-growth-5.0 branch May 5, 2026 06:50
