commit 30ba96df349ace825749a57490defeb50001a550
Author: Emeric Brun <ebrun@haproxy.com>
Date:   Wed Oct 10 14:51:02 2018 +0200

    BUG/MEDIUM: Cur/CumSslConns counters not threadsafe.
    
    CurSslConns inc/dec operations are not threadsafe. The unsigned CurSslConns
    counter can wrap to a negative value. So we could notice connection rejects
    because of MaxSslConns limit artificially exceeded.
    
    CumSslConns inc operation are also not threadsafe so we could miss
    some connections and show inconsistenties values compared to CumConns.
    
    This fix should be backported to v1.8.
    
    (cherry picked from commit 7ad43e7928c9a61b40332e4d5e9a7ccc33e6b65b)
    Signed-off-by: Willy Tarreau <w@1wt.eu>

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 2da0df68..6eed8022 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -491,7 +491,7 @@ static void ssl_async_fd_free(int fd)
 
 	/* Now we can safely call SSL_free, no more pending job in engines */
 	SSL_free(ssl);
-	sslconns--;
+	HA_ATOMIC_SUB(&sslconns, 1);
 	HA_ATOMIC_SUB(&jobs, 1);
 }
 /*
@@ -5011,8 +5011,8 @@ static int ssl_sock_init(struct connection *conn)
 		/* leave init state and start handshake */
 		conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN;
 
-		sslconns++;
-		totalsslconns++;
+		HA_ATOMIC_ADD(&sslconns, 1);
+		HA_ATOMIC_ADD(&totalsslconns, 1);
 		return 0;
 	}
 	else if (objt_listener(conn->target)) {
@@ -5062,8 +5062,8 @@ static int ssl_sock_init(struct connection *conn)
 		conn->flags |= CO_FL_EARLY_SSL_HS;
 #endif
 
-		sslconns++;
-		totalsslconns++;
+		HA_ATOMIC_ADD(&sslconns, 1);
+		HA_ATOMIC_ADD(&totalsslconns, 1);
 		return 0;
 	}
 	/* don't know how to handle such a target */
@@ -5713,7 +5713,7 @@ static void ssl_sock_close(struct connection *conn) {
 #endif
 		SSL_free(conn->xprt_ctx);
 		conn->xprt_ctx = NULL;
-		sslconns--;
+		HA_ATOMIC_SUB(&sslconns, 1);
 	}
 }