From 507e7be573b0a76fca597b75ff7cb27a66e7d865 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Tue, 24 Mar 2026 08:35:08 +0100
Subject: [PATCH] url: do not reuse a non-tls starttls connection if new
 requires TLS

Reported-by: Arkadi Vainbrand

Closes #21082
---
 lib/url.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

Index: curl-8.14.1/lib/url.c
===================================================================
--- curl-8.14.1.orig/lib/url.c
+++ curl-8.14.1/lib/url.c
@@ -806,7 +806,7 @@ struct url_conn_match {
   BIT(want_proxy_ntlm_http);
   BIT(want_nego_http);
   BIT(want_proxy_nego_http);
-
+  BIT(req_tls); /* require TLS use from a clear-text start */
   BIT(wait_pipe);
   BIT(force_reuse);
   BIT(seen_pending_conn);
@@ -957,6 +957,9 @@ static bool url_match_ssl_use(struct con
     if(get_protocol_family(conn->handler) != m->needle->handler->protocol)
       return FALSE;
   }
+  else if(m->req_tls)
+    /* a clear-text STARTTLS protocol with required TLS */
+    return FALSE;
   return TRUE;
 }
 
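Review bot: The new `else if(m->req_tls)` branch rejects every candidate whose handler is a clear-text protocol, which I believe also covers a pooled connection that already completed its STARTTLS upgrade, since the upgrade does not switch `conn->handler` to the TLS variant; that is the safe direction, but it forgoes reuse in the common case where both transfers asked for CURLUSESSL_CONTROL or higher. If the connection records its upgrade state (curl keeps a per-connection bit for this, `tls_upgraded` if I recall the name correctly), the test could become `else if(m->req_tls && !conn->bits.tls_upgraded)` — confirm the field and that every STARTTLS protocol sets it before relying on it. Either way the comment should spell out the trade-off, e.g. `/* the new transfer requires TLS and the candidate speaks a clear-text protocol: reject it rather than risk a plain connection being reused */`. The `if` this `else if` attaches to, and the start of url_match_ssl_use, are outside the hunk, so the exact condition it complements is not visible here.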
@@ -1419,6 +1422,7 @@ ConnectionExists(struct Curl_easy *data,
     (needle->handler->protocol & PROTO_FAMILY_HTTP);
 #endif
 #endif
+  match.req_tls = data->set.use_ssl >= CURLUSESSL_CONTROL;
 
   /* Find a connection in the pool that matches what "data + needle"
    * requires. If a suitable candidate is found, it is attached to "data". */
