url: do not reuse a non-tls starttls connection if new requires TLS

Reported-by: Arkadi Vainbrand Closes #21082
2026-04-11 12:01:42 +08:00 · 2026-03-24 08:35:08 +01:00 · 2026-03-24 08:35:08 +01:00 · 507e7be573
commit 507e7be573
parent 62d77b12fc
1 changed files with 5 additions and 1 deletions
--- a/lib/url.c
+++ b/lib/url.c
@ -723,7 +723,7 @@ struct url_conn_match {
  BIT(want_proxy_ntlm_http);
  BIT(want_nego_http);
  BIT(want_proxy_nego_http);
-
+  BIT(req_tls); /* require TLS use from a clear-text start */
  BIT(wait_pipe);
  BIT(force_reuse);
  BIT(seen_pending_conn);
@ -875,6 +875,9 @@ static bool url_match_ssl_use(struct connectdata *conn,
       (get_protocol_family(conn->scheme) != m->needle->scheme->protocol))
      return FALSE;
  }
+  else if(m->req_tls)
+    /* a clear-text STARTTLS protocol with required TLS */
+    return FALSE;
  return TRUE;
 }

@ -1333,6 +1336,7 @@ static bool url_attach_existing(struct Curl_easy *data,
    (needle->scheme->protocol & PROTO_FAMILY_HTTP);
 #endif
 #endif
+  match.req_tls = data->set.use_ssl >= CURLUSESSL_CONTROL;

  /* Find a connection in the pool that matches what "data + needle"
   * requires. If a suitable candidate is found, it is attached to "data". */