From ef07d3511a00e162575d335ed0b6cae6df50842c Mon Sep 17 00:00:00 2001
From: Christopher Faulet <cfaulet@haproxy.com>
Date: Wed, 3 Sep 2025 16:47:00 +0200
Subject: [PATCH] OPTIM: proto_rhttp: Don't set SNI for non-ssl connections

There is no reason to set the SNI for non-ssl connections. It is not really
an issue because ssl_sock_set_servername() function will do nothing. But
there is no reason to uselessly evaluate an expression.

No backport needed, because there is no bug.
---
 src/proto_rhttp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/proto_rhttp.c b/src/proto_rhttp.c
index 362d674da..f94b4a67e 100644
--- a/src/proto_rhttp.c
+++ b/src/proto_rhttp.c
@@ -98,7 +98,7 @@ static struct connection *new_reverse_conn(struct listener *l, struct server *sr
 		goto err;
 
 #ifdef USE_OPENSSL
-	if (srv->ssl_ctx.sni) {
+	if (conn_is_ssl(conn) && srv->ssl_ctx.sni) {
 		struct sample *sni_smp = NULL;
 		/* TODO remove NULL session which can cause crash depending on the SNI sample expr used. */
 		sni_smp = sample_fetch_as_type(srv->proxy, sess, NULL,