From: Christopher Faulet <cfaulet@haproxy.com>
Date: Wed, 3 Sep 2025 14:44:15 +0000 (+0200)
Subject: OPTIM: backend: Don't set SNI for non-ssl connections
X-Git-Tag: v3.3-dev9~214
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=52866349a1c5de450c519d558d2fa8bc97d8607b;p=thirdparty%2Fhaproxy.git

OPTIM: backend: Don't set SNI for non-ssl connections

There is no reason to set the SNI for non-ssl connections. It is not really
an issue because ssl_sock_set_servername() function will do nothing. But
there is no reason to uselessly evaluate an expression.

No backport needed, because there is no bug.
---

diff --git a/src/backend.c b/src/backend.c
index aa5052936..00c85a401 100644
--- a/src/backend.c
+++ b/src/backend.c
@@ -2107,7 +2107,7 @@ int connect_server(struct stream *s)
 
 #ifdef USE_OPENSSL
 	/* Set socket SNI unless connection is reused. */
-	if (srv && srv->ssl_ctx.sni && !(s->flags & SF_SRV_REUSED)) {
+	if (conn_is_ssl(srv_conn) && srv && srv->ssl_ctx.sni && !(s->flags & SF_SRV_REUSED)) {
 		struct sample *sni_smp = NULL;
 
 		sni_smp = sample_fetch_as_type(s->be, s->sess, s,