Revert "BUG/MEDIUM: server/ssl: Unset the SNI for new server connections if none is set"

This reverts commit de29000e602bda55d32c266252ef63824e838ac0. The fix was in fact invalid. First it is not supprted by WolfSSL to call SSL_set_tlsext_host_name with a hostname to NULL. Then, it is not specified as supported by other SSL libraries. But, by reviewing the root cause of this bug, it appears there is an issue with the reuse of TLS sesisons. It must not be performed if the SNI does not match. A TLS session created with a SNI must not be reused with another SNI. The side effects are not clear but functionnaly speaking, it is invalid. So, for now, the commit above was reverted because it is invalid and it crashes with WolfSSL. Then the init of the SSL connection must be reworked to get the SNI earlier, to be able to reuse or not an existing TLS session.
2025-11-29 23:01:03 +01:00 · 2025-11-26 11:05:14 +01:00 · 2025-11-26 11:05:14 +01:00 · 7d9cc28f92
commit 7d9cc28f92
parent d506c03aa0
2 changed files with 7 additions and 17 deletions
--- a/src/backend.c
+++ b/src/backend.c
@ -2156,22 +2156,14 @@ int connect_server(struct stream *s)

 #ifdef USE_OPENSSL
 	/* Set socket SNI unless connection is reused. */
-	if (conn_is_ssl(srv_conn) && !(s->flags & SF_SRV_REUSED)) {
-		int sni_set = 0;
+	if (conn_is_ssl(srv_conn) && srv && srv->ssl_ctx.sni && !(s->flags & SF_SRV_REUSED)) {
+		struct sample *sni_smp = NULL;

-		if (srv && srv->ssl_ctx.sni) {
-			struct sample *sni_smp = NULL;
-
-			sni_smp = sample_fetch_as_type(s->be, s->sess, s,
-						       SMP_OPT_DIR_REQ | SMP_OPT_FINAL,
-						       srv->ssl_ctx.sni, SMP_T_STR);
-			if (smp_make_safe(sni_smp)) {
-				ssl_sock_set_servername(srv_conn, sni_smp->data.u.str.area);
-				sni_set = 1;
-			}
-		}
-		if (!sni_set)
-			ssl_sock_set_servername(srv_conn, NULL);
+		sni_smp = sample_fetch_as_type(s->be, s->sess, s,
+		                               SMP_OPT_DIR_REQ | SMP_OPT_FINAL,
+		                               srv->ssl_ctx.sni, SMP_T_STR);
+		if (smp_make_safe(sni_smp))
+			ssl_sock_set_servername(srv_conn, sni_smp->data.u.str.area);
 	}
 #endif /* USE_OPENSSL */

--- a/src/tcpcheck.c
+++ b/src/tcpcheck.c
@ -1509,8 +1509,6 @@ enum tcpcheck_eval_ret tcpcheck_eval_connect(struct check *check, struct tcpchec
 			ssl_sock_set_servername(conn, s->check.sni);
 		else if (auto_sni)
 			ssl_sock_set_servername(conn, b_orig(auto_sni));
-		else
-			ssl_sock_set_servername(conn, NULL);

 		if (connect->alpn)
 			ssl_sock_set_alpn(conn, (unsigned char *)connect->alpn, connect->alpn_len);