Bugfix: prevent race condition from simultaneous TLS handshakes (#4011)

Barakmor1 · web-flow · commit f74d141928ad · 2026-02-10T12:59:05.000Z
Multiple TLS handshakes could occur at the same time, causing a race condition.
Use a cloned TLS config instead of the global config.

Signed-off-by: bmordeha &lt;bmordeha@redhat.com&gt;
diff --git a/pkg/internal/tlssecprofile/tls_security_profile.go b/pkg/internal/tlssecprofile/tls_security_profile.go
@@ -67,9 +67,10 @@ func MutateTLSConfig(cfg *tls.Config) {
 	// please be aware that the APIServer is using http keepalive so this is going to
 	// be executed only after a while for fresh connections and not on existing ones
 	cfg.GetConfigForClient = func(_ *tls.ClientHelloInfo) (*tls.Config, error) {
-		cfg.CipherSuites, cfg.MinVersion = GetCipherSuitesAndMinTLSVersionInGolangFormat(getHyperConvergedProfile())
+		config := cfg.Clone()
+		config.CipherSuites, config.MinVersion = GetCipherSuitesAndMinTLSVersionInGolangFormat(getHyperConvergedProfile())
 
-		return cfg, nil
+		return config, nil
 	}
 }
 

Original file line number	Diff line number	Diff line change
`@@ -67,9 +67,10 @@ func MutateTLSConfig(cfg *tls.Config) {`
`67`	`67`	`// please be aware that the APIServer is using http keepalive so this is going to`
`68`	`68`	`// be executed only after a while for fresh connections and not on existing ones`
`69`	`69`	`cfg.GetConfigForClient = func(_ tls.ClientHelloInfo) (tls.Config, error) {`
`70`		`- cfg.CipherSuites, cfg.MinVersion = GetCipherSuitesAndMinTLSVersionInGolangFormat(getHyperConvergedProfile())`
	`70`	`+ config := cfg.Clone()`
	`71`	`+ config.CipherSuites, config.MinVersion = GetCipherSuitesAndMinTLSVersionInGolangFormat(getHyperConvergedProfile())`
`71`	`72`
`72`		`- return cfg, nil`
	`73`	`+ return config, nil`
`73`	`74`	`}`
`74`	`75`	`}`
`75`	`76`