From: Willy Tarreau Date: Thu, 23 Dec 2021 10:12:13 +0000 (+0100) Subject: DEBUG: ssl: make sure we never change a servername on established connections X-Git-Tag: v2.6-dev1~233 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=77bfa66124e8532a4ecbe5025657574bb43b7160;p=thirdparty%2Fhaproxy.git DEBUG: ssl: make sure we never change a servername on established connections Since this case was already met previously with commit 655dec81b ("BUG/MINOR: backend: do not set sni on connection reuse"), let's make sure that we don't change reused connection settings. This could be generalized to most settings that are only in effect before the handshake in fact (like set_alpn and a few other ones). --- diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 57cb7c7f32..1fa7374db0 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -6604,6 +6604,10 @@ void ssl_sock_set_servername(struct connection *conn, const char *hostname) if (!conn_is_ssl(conn)) return; + + BUG_ON(!(conn->flags & CO_FL_WAIT_L6_CONN)); + BUG_ON(!(conn->flags & CO_FL_SSL_WAIT_HS)); + ctx = conn->xprt_ctx; s = __objt_server(conn->target);
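Review bot: the two BUG_ON() checks make a late call to ssl_sock_set_servername() (one arriving after the handshake, the case fixed in 655dec81b) abort the process instead of being silently ignored, so any caller path that earlier fix did not cover becomes a crash on a reused connection; the DEBUG tag suggests that is intended, but the function's header comment should state the precondition explicitly (only callable while CO_FL_WAIT_L6_CONN and CO_FL_SSL_WAIT_HS are still set), and it is worth considering `if (!(conn->flags & CO_FL_SSL_WAIT_HS)) return;` as the behaviour when the fatal check is not compiled in, so a missed caller degrades to a no-op rather than a restart. Placing the checks after `if (!conn_is_ssl(conn)) return;` is correct: a non-SSL connection never carries CO_FL_SSL_WAIT_HS and would otherwise trip the assertion. The commit message already notes that set_alpn and similar pre-handshake settings deserve the same guard; a follow-up doing that uniformly would be preferable to adding the assertions one function at a time.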