From 56a308e88171bb797d13d50953b83262cd8289cd Mon Sep 17 00:00:00 2001
From: Radek Zikmund
Date: Mon, 29 Apr 2024 17:24:16 +0200
Subject: [PATCH] Disable OpenSSL internal SSL_SESSION cache for clients
---
 .../libs/System.Security.Cryptography.Native/pal_ssl.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/native/libs/System.Security.Cryptography.Native/pal_ssl.c b/src/native/libs/System.Security.Cryptography.Native/pal_ssl.c
index e6bd41143c165..7e5f00822717e 100644
--- a/src/native/libs/System.Security.Cryptography.Native/pal_ssl.c
+++ b/src/native/libs/System.Security.Cryptography.Native/pal_ssl.c
@@ -673,7 +673,14 @@ int CryptoNative_SslCtxSetCaching(SSL_CTX* ctx, int mode, int cacheSize, int con
 // void shim functions don't lead to exceptions, so skip the unconditional error clearing.
 // We never reuse same CTX for both client and server
-    SSL_CTX_ctrl(ctx, SSL_CTRL_SET_SESS_CACHE_MODE, mode ? SSL_SESS_CACHE_BOTH : SSL_SESS_CACHE_OFF, NULL);
+    int modeFlags = SSL_SESS_CACHE_BOTH;
+    if (newSessionCb && removeSessionCb)
+    {
+        // sessions are completely controlled externally (from .NET), disable internal cache
+        modeFlags |= SSL_SESS_CACHE_NO_INTERNAL_STORE;
+    }
+
+    SSL_CTX_ctrl(ctx, SSL_CTRL_SET_SESS_CACHE_MODE, mode ? modeFlags : SSL_SESS_CACHE_OFF, NULL);
 if (mode == 0)
 {
 SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET);