From eb3d4eb59f6d33897bb160a3b8638479042c3512 Mon Sep 17 00:00:00 2001
From: Christopher Faulet
Date: Wed, 3 Sep 2025 16:48:11 +0200
Subject: [PATCH] OPTIM: tcpcheck: Don't set SNI and ALPN for non-ssl connections
There is no reason to set the SNI and ALPN for non-ssl connections. It is not really an issue because ssl_sock_set_servername() and ssl_sock_set_alpn() functions will do nothing. But it is cleaner this way and this could avoid bugs in future. No backport needed, because there is no bug.
---
 src/tcpcheck.c | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/src/tcpcheck.c b/src/tcpcheck.c
index beec75e73..a9dffeae0 100644
--- a/src/tcpcheck.c
+++ b/src/tcpcheck.c
@@ -1426,15 +1426,17 @@ enum tcpcheck_eval_ret tcpcheck_eval_connect(struct check *check, struct tcpchec
 conn->ctx = check->sc;
 #ifdef USE_OPENSSL
- if (connect->sni)
- ssl_sock_set_servername(conn, connect->sni);
- else if ((connect->options & TCPCHK_OPT_DEFAULT_CONNECT) && s && s->check.sni)
- ssl_sock_set_servername(conn, s->check.sni);
+ if (conn_is_ssl(conn)) {
+ if (connect->sni)
+ ssl_sock_set_servername(conn, connect->sni);
+ else if ((connect->options & TCPCHK_OPT_DEFAULT_CONNECT) && s && s->check.sni)
+ ssl_sock_set_servername(conn, s->check.sni);
- if (connect->alpn)
- ssl_sock_set_alpn(conn, (unsigned char *)connect->alpn, connect->alpn_len);
- else if ((connect->options & TCPCHK_OPT_DEFAULT_CONNECT) && s && s->check.alpn_str)
- ssl_sock_set_alpn(conn, (unsigned char *)s->check.alpn_str, s->check.alpn_len);
+ if (connect->alpn)
+ ssl_sock_set_alpn(conn, (unsigned char *)connect->alpn, connect->alpn_len);
+ else if ((connect->options & TCPCHK_OPT_DEFAULT_CONNECT) && s && s->check.alpn_str)
+ ssl_sock_set_alpn(conn, (unsigned char *)s->check.alpn_str, s->check.alpn_len);
+ }
 #endif
 if (conn_ctrl_ready(conn) && (connect->options & TCPCHK_OPT_LINGER) && !(conn->flags & CO_FL_FDLESS)) {
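Review bot: The new `if (conn_is_ssl(conn))` guard makes SNI and ALPN setup depend on that predicate already being true at this point of tcpcheck_eval_connect(), and the hunk shows neither its definition nor where the transport is attached to `conn`. If it only reports true after some later initialisation step, a TLS check would silently go out without the configured SNI/ALPN and could be answered under a default certificate or protocol, so it is worth confirming that it tests the same condition that makes ssl_sock_set_servername() and ssl_sock_set_alpn() no-ops today. A comment above the guard would record the invariant, for example `/* SNI/ALPN only apply to an SSL transport; conn_is_ssl() must already be accurate here */`. The function body starts and ends outside the hunk.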