From d82a6d93e2a00088c7e6c1200adce6fad7677854 Mon Sep 17 00:00:00 2001
From: Amaury Denoyelle
Date: Fri, 3 Nov 2023 11:03:49 +0100
Subject: [PATCH] BUG/MINOR: proto_reverse_connect: support SNI on active connect

SNI may be specify on a server line for connecting to the remote host. This requires to manually set it on the connection via ssl_sock_set_servername(). This step was missing when a server line was used for active reverse HTTP. Fix this by adding the missing ssl_sock_set_servername() invocation inside new_reverse_conn(). Note that for the moment, no session is instantiated to carry active reverse connection. A direct consequence of this is that SNI sample retrieval may crash depending if it depends on session parameters. This should be fixed by a later commit. In the meantime, this patch is sufficient to support simple SNI value such as constant expressions. No need to backport.
---
 src/proto_reverse_connect.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/src/proto_reverse_connect.c b/src/proto_reverse_connect.c
index e02620476..39bb22aeb 100644
--- a/src/proto_reverse_connect.c
+++ b/src/proto_reverse_connect.c
@@ -10,8 +10,10 @@
 #include
 #include
 #include
+#include
 #include
 #include
+#include
 #include
 #include
@@ -74,6 +76,18 @@ static struct connection *new_reverse_conn(struct listener *l, struct server *sr
 if (conn->ctrl->connect(conn, 0) != SF_ERR_NONE)
 goto err;
 
+#ifdef USE_OPENSSL
+ if (srv->ssl_ctx.sni) {
+ struct sample *sni_smp = NULL;
+ /* TODO remove NULL session which can cause crash depending on the SNI sample expr used. */
+ sni_smp = sample_fetch_as_type(srv->proxy, NULL, NULL,
+ SMP_OPT_DIR_REQ | SMP_OPT_FINAL,
+ srv->ssl_ctx.sni, SMP_T_STR);
+ if (smp_make_safe(sni_smp))
+ ssl_sock_set_servername(conn, sni_smp->data.u.str.area);
+ }
+#endif /* USE_OPENSSL */
+
 if (conn_xprt_start(conn) < 0)
 goto err;
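Review bot: `sample_fetch_as_type()` returns NULL when the SNI expression cannot be evaluated or converted, and the added `if (smp_make_safe(sni_smp))` in the second hunk passes that pointer on without a NULL check; unless smp_make_safe() is documented to accept NULL (not visible from this page), guard it as `if (sni_smp && smp_make_safe(sni_smp))`. This is a separate hazard from the NULL session the TODO comment already records: a constant SNI will fetch fine, but any expression that needs request or session data will fail the fetch in this no-session path and reach the dereference before the later session work lands. Keeping the SNI block under `#ifdef USE_OPENSSL` is right, but the new `#include` lines in the first hunk lost their header names in this rendering, so their correctness cannot be checked here. new_reverse_conn() begins and ends outside the hunk.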