Revert "BUG/MEDIUM: server/ssl: Unset the SNI for new server connections if none is set"

This reverts commit de29000e602bda55d32c266252ef63824e838ac0.

The fix was in fact invalid. First, it is not supported by WolfSSL to call
SSL_set_tlsext_host_name with a NULL hostname. Then, it is not specified
as supported by other SSL libraries.

But, by reviewing the root cause of this bug, it appears there is an issue
with the reuse of TLS sessions. It must not be performed if the SNI does not
match. A TLS session created with a SNI must not be reused with another
SNI. The side effects are not clear but functionally speaking, it is
invalid.

So, for now, the commit above was reverted because it is invalid and it
crashes with WolfSSL. Then the init of the SSL connection must be reworked
to get the SNI earlier, to be able to reuse or not an existing TLS
session.
Christopher Faulet 2025-11-26 11:05:14 +01:00
parent d506c03aa0
commit 7d9cc28f92
2 changed files with 7 additions and 17 deletions


@ -2156,22 +2156,14 @@ int connect_server(struct stream *s)
#ifdef USE_OPENSSL #ifdef USE_OPENSSL
/* Set socket SNI unless connection is reused. */ /* Set socket SNI unless connection is reused. */
if (conn_is_ssl(srv_conn) && !(s->flags & SF_SRV_REUSED)) { if (conn_is_ssl(srv_conn) && srv && srv->ssl_ctx.sni && !(s->flags & SF_SRV_REUSED)) {
int sni_set = 0; struct sample *sni_smp = NULL;
if (srv && srv->ssl_ctx.sni) { sni_smp = sample_fetch_as_type(s->be, s->sess, s,
struct sample *sni_smp = NULL; SMP_OPT_DIR_REQ | SMP_OPT_FINAL,
srv->ssl_ctx.sni, SMP_T_STR);
sni_smp = sample_fetch_as_type(s->be, s->sess, s, if (smp_make_safe(sni_smp))
SMP_OPT_DIR_REQ | SMP_OPT_FINAL, ssl_sock_set_servername(srv_conn, sni_smp->data.u.str.area);
srv->ssl_ctx.sni, SMP_T_STR);
if (smp_make_safe(sni_smp)) {
ssl_sock_set_servername(srv_conn, sni_smp->data.u.str.area);
sni_set = 1;
}
}
if (!sni_set)
ssl_sock_set_servername(srv_conn, NULL);
} }
#endif /* USE_OPENSSL */ #endif /* USE_OPENSSL */
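Review bot: The comment `/* Set socket SNI unless connection is reused. */` restored on the first hunk line no longer describes the condition below it, which also requires `srv && srv->ssl_ctx.sni`, and nothing in the hunk records that the SNI/session-reuse problem named in the commit message is still open once the NULL-reset is gone. I would extend the comment to something like `/* Set socket SNI unless connection is reused or no server SNI is configured. TODO: the SNI must be known before an existing TLS session is reused; a session negotiated with one SNI must not be resumed with another (see commit message). */` so the planned rework stays visible next to the code it concerns. Note also that when `smp_make_safe(sni_smp)` is false the connection is left with no servername set and proceeds as the SSL layer decides; if a resumed session was established with a different SNI, the server certificate checks performed on the original handshake are presumably what get trusted, which is worth stating in that comment as the risk being tracked (to be confirmed against the ssl_sock session-cache code, which is outside this hunk). connect_server's body continues outside the hunk on both sides.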


@ -1509,8 +1509,6 @@ enum tcpcheck_eval_ret tcpcheck_eval_connect(struct check *check, struct tcpchec
ssl_sock_set_servername(conn, s->check.sni); ssl_sock_set_servername(conn, s->check.sni);
else if (auto_sni) else if (auto_sni)
ssl_sock_set_servername(conn, b_orig(auto_sni)); ssl_sock_set_servername(conn, b_orig(auto_sni));
else
ssl_sock_set_servername(conn, NULL);
if (connect->alpn) if (connect->alpn)
ssl_sock_set_alpn(conn, (unsigned char *)connect->alpn, connect->alpn_len); ssl_sock_set_alpn(conn, (unsigned char *)connect->alpn, connect->alpn_len);