From 7d9cc28f928f12f18685cd900c06026cf20edd66 Mon Sep 17 00:00:00 2001
From: Christopher Faulet
Date: Wed, 26 Nov 2025 11:05:14 +0100
Subject: [PATCH] Revert "BUG/MEDIUM: server/ssl: Unset the SNI for new server connections if none is set"

This reverts commit de29000e602bda55d32c266252ef63824e838ac0.

The fix was in fact invalid. First it is not supprted by WolfSSL to call SSL_set_tlsext_host_name with a hostname to NULL. Then, it is not specified as supported by other SSL libraries. But, by reviewing the root cause of this bug, it appears there is an issue with the reuse of TLS sesisons. It must not be performed if the SNI does not match. A TLS session created with a SNI must not be reused with another SNI. The side effects are not clear but functionnaly speaking, it is invalid. So, for now, the commit above was reverted because it is invalid and it crashes with WolfSSL. Then the init of the SSL connection must be reworked to get the SNI earlier, to be able to reuse or not an existing TLS session.
---
 src/backend.c  | 22 +++++++---------------
 src/tcpcheck.c |  2 --
 2 files changed, 7 insertions(+), 17 deletions(-)

diff --git a/src/backend.c b/src/backend.c
index 45dab68df..0170547b2 100644
--- a/src/backend.c
+++ b/src/backend.c
@@ -2156,22 +2156,14 @@ int connect_server(struct stream *s)
 #ifdef USE_OPENSSL
 	/* Set socket SNI unless connection is reused. */
-	if (conn_is_ssl(srv_conn) && !(s->flags & SF_SRV_REUSED)) {
-		int sni_set = 0;
+	if (conn_is_ssl(srv_conn) && srv && srv->ssl_ctx.sni && !(s->flags & SF_SRV_REUSED)) {
+		struct sample *sni_smp = NULL;
 
-		if (srv && srv->ssl_ctx.sni) {
-			struct sample *sni_smp = NULL;
-
-			sni_smp = sample_fetch_as_type(s->be, s->sess, s,
-						       SMP_OPT_DIR_REQ | SMP_OPT_FINAL,
-						       srv->ssl_ctx.sni, SMP_T_STR);
-			if (smp_make_safe(sni_smp)) {
-				ssl_sock_set_servername(srv_conn, sni_smp->data.u.str.area);
-				sni_set = 1;
-			}
-		}
-		if (!sni_set)
-			ssl_sock_set_servername(srv_conn, NULL);
+		sni_smp = sample_fetch_as_type(s->be, s->sess, s,
+					       SMP_OPT_DIR_REQ | SMP_OPT_FINAL,
+					       srv->ssl_ctx.sni, SMP_T_STR);
+		if (smp_make_safe(sni_smp))
+			ssl_sock_set_servername(srv_conn, sni_smp->data.u.str.area);
 	}
 #endif /* USE_OPENSSL */
diff --git a/src/tcpcheck.c b/src/tcpcheck.c
index 88a54d148..815a84099 100644
--- a/src/tcpcheck.c
+++ b/src/tcpcheck.c
@@ -1509,8 +1509,6 @@ enum tcpcheck_eval_ret tcpcheck_eval_connect(struct check *check, struct tcpchec
 			ssl_sock_set_servername(conn, s->check.sni);
 		else if (auto_sni)
 			ssl_sock_set_servername(conn, b_orig(auto_sni));
-		else
-			ssl_sock_set_servername(conn, NULL);
 		if (connect->alpn)
 			ssl_sock_set_alpn(conn, (unsigned char *)connect->alpn, connect->alpn_len);
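Review bot: On the new side of the backend.c hunk the servername is set only when `srv->ssl_ctx.sni` is configured and the fetch succeeds, so nothing clears it in the no-SNI case, and the commit message itself states that the real fix (not reusing a TLS session whose SNI differs) is still to come, which leaves the original bug open and undocumented in the code. The comment above the `if` should say so, e.g. `/* Set socket SNI unless connection is reused. Note: when no sni expression is configured the servername is left untouched, so a cached TLS session created with a different SNI may still be reused (known issue, see the revert of de29000e602bda55d32c266252ef63824e838ac0). */`. The tcpcheck.c hunk has the same gap once its `else` branch is dropped, when neither `s->check.sni` nor `auto_sni` is set. connect_server's body continues outside the hunk, and since passing NULL to SSL_set_tlsext_host_name is reported as unsupported by WolfSSL, the SNI mismatch has to be handled in the session-reuse decision rather than by resetting the servername here.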