From 4a6ecae8024025fdb704ec1298b453771d426586 Mon Sep 17 00:00:00 2001
From: Forrest Marshall
Date: Wed, 1 May 2024 12:07:15 -0700
Subject: [PATCH] fix racy use of tls configs
---
 lib/auth/middleware.go | 2 +-
 lib/service/service.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/auth/middleware.go b/lib/auth/middleware.go
index aac56e78c3f4e..0d0e99e980140 100644
--- a/lib/auth/middleware.go
+++ b/lib/auth/middleware.go
@@ -216,7 +216,7 @@ func NewTLSServer(ctx context.Context, cfg TLSServerConfig) (*TLSServer, error)
 }
 server.clientTLSConfigGenerator, err = NewClientTLSConfigGenerator(ClientTLSConfigGeneratorConfig{
- TLS: server.cfg.TLS,
+ TLS: server.cfg.TLS.Clone(),
 ClusterName: localClusterName.GetClusterName(),
 PermitRemoteClusters: true,
 AccessPoint: server.cfg.AccessPoint,
diff --git a/lib/service/service.go b/lib/service/service.go
index 89232054b905b..e90506cd5abf3 100644
--- a/lib/service/service.go
+++ b/lib/service/service.go
@@ -4383,7 +4383,7 @@ func (process *TeleportProcess) initProxyEndpoint(conn *Connector) error {
 // clientTLSConfigGenerator pre-generates specialized per-cluster client TLS config values
 clientTLSConfigGenerator, err := auth.NewClientTLSConfigGenerator(auth.ClientTLSConfigGeneratorConfig{
- TLS: tlscfg,
+ TLS: tlscfg.Clone(),
 ClusterName: clusterName,
 PermitRemoteClusters: true,
 AccessPoint: accessPoint,
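Review bot: The `.Clone()` added on the `TLS:` field in NewTLSServer, and the identical one in initProxyEndpoint in lib/service/service.go, has no comment explaining why the copy is required, so a later cleanup could remove it and bring the race back. I would add a line above each field such as `// Clone so the generator never aliases the *tls.Config that is still in use by the caller.`; the exact wording should be confirmed against NewClientTLSConfigGenerator, which is not visible in this diff. Because both call sites need the same copy, it may be safer for NewClientTLSConfigGenerator to clone `cfg.TLS` itself, so that a new caller cannot reintroduce shared mutable TLS state (trust pools and certificates) between the server and the generator. Both enclosing functions start and end outside the hunks.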