BUG/MEDIUM: checks: fix ALPN inheritance from server

If no specific check settings are defined on a server line, it is
expected that these checks will be performed with the same parameters as
normal connections on the same server.

ALPN must be carefully taken into account for checks. Most notably, MUX
initialization is delayed so that it is performed only after SSL
handshake.

Prior to this patch, MUX init delay was only performed if ALPN was
defined via check settings. Thus, with the following settings, checks
would be performed on HTTP/1.1 without consulting ALPN negotiation
result from the server :

  server s1 127.0.0.1:443 ssl crt <...> alpn h2 check

This bug may result in checks reporting failure, for example in case of
a server answering HTTP/2 to ALPN negotiation to the configuration
above. Besides, there is incoherency between normal and check
connections, which is not what the documentation specifies.

This patch fixes this code. Now server parameters are also taken into
account. This ensures that checks and normal connections by default
use the same connection method.

This must be backported up to 2.4.

diff --git a/src/tcpcheck.c b/src/tcpcheck.c
index b4b032ef0424a6add0239e0d3aeef519a918e110..ce82ea5071dbc563b95e2f493eccfea377c39a92 100644 (file)
--- a/src/tcpcheck.c
+++ b/src/tcpcheck.c
@@ -1512,7 +1512,7 @@ enum tcpcheck_eval_ret tcpcheck_eval_connect(struct check *check, struct tcpchec
         */
        if (!s || ((connect->options & TCPCHK_OPT_DEFAULT_CONNECT) && check->mux_proto) ||
            connect->mux_proto ||
-           (!conn_is_ssl(conn) || (!connect->alpn && !check->alpn_str))) {
+           (!conn_is_ssl(conn) || (!connect->alpn && !check->alpn_str && !s->ssl_ctx.alpn_str))) {
                const struct mux_ops *mux_ops;
 
                TRACE_DEVEL("try to install mux now", CHK_EV_TCPCHK_CONN, check);