From 56d7cd4ac17bca7f343a0f024373f296da8b07cf Mon Sep 17 00:00:00 2001
From: Christopher Faulet
Date: Wed, 3 Sep 2025 16:50:47 +0200
Subject: [PATCH] BUG/MINOR: tcpcheck: Don't use sni as pool-conn-name for non-SSL connections

When we try to ruse connection to perform an healtcheck, the SNI, from the tcpcheck connection or the healthcheck itself, must not be used as connection name for non-SSL connections. This patch must be backported to 3.2.
---
 src/tcpcheck.c | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/src/tcpcheck.c b/src/tcpcheck.c
index f7ac537fb..240d24d86 100644
--- a/src/tcpcheck.c
+++ b/src/tcpcheck.c
@@ -1221,6 +1221,17 @@ static inline int tcpcheck_use_nondefault_connect(const struct check *check,
 (connect->options & TCPCHK_MASK_OPTS_CONNECT);
 }

+/* Returns true if the connect rule uses SSL. */
+static inline int tcpcheck_connect_use_ssl(const struct check *check,
+ const struct tcpcheck_connect *connect)
+{
+ if (connect->options & TCPCHK_OPT_SSL)
+ return 1;
+ if (connect->options & TCPCHK_OPT_DEFAULT_CONNECT)
+ return (check->xprt == xprt_get(XPRT_SSL));
+ return 0;
+}
+
 /* Evaluates a TCPCHK_ACT_CONNECT rule. Returns TCPCHK_EVAL_WAIT to wait the
 * connection establishment, TCPCHK_EVAL_CONTINUE to evaluate the next rule or
 * TCPCHK_EVAL_STOP if an error occurred.
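Review bot: The one-line comment on `tcpcheck_connect_use_ssl()` does not say which of the two inputs decides the answer, and the helper has to agree with the transport the connect rule actually ends up using, which is selected outside this hunk. If the two ever drift apart, a clear-text check could again be hashed under an SNI, or an SSL check without one, and be matched against idle connections it should not share. I would expand the comment to something like `/* Returns 1 if the rule sets TCPCHK_OPT_SSL or, for a default connect, if check->xprt is the SSL transport; 0 otherwise. Must stay in sync with the xprt chosen in tcpcheck_eval_connect(). */`.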
@@ -1274,10 +1285,12 @@ enum tcpcheck_eval_ret tcpcheck_eval_connect(struct check *check, struct tcpchec

 if (check->pool_conn_name)
 pool_conn_name = ist(check->pool_conn_name);
- else if (connect->sni)
- pool_conn_name = ist(connect->sni);
- else if ((connect->options & TCPCHK_OPT_DEFAULT_CONNECT) && check->sni)
- pool_conn_name = ist(check->sni);
+ else if (tcpcheck_connect_use_ssl(check, connect)) {
+ if (connect->sni)
+ pool_conn_name = ist(connect->sni);
+ else if ((connect->options & TCPCHK_OPT_DEFAULT_CONNECT) && check->sni)
+ pool_conn_name = ist(check->sni);
+ }

 hash = be_calculate_conn_hash(s, NULL, check->sess, NULL, NULL, pool_conn_name);
 conn_err = be_reuse_connection(hash, check->sess, s->proxy, s,
-- 
2.47.3
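Review bot: On the non-SSL path the new `else if (tcpcheck_connect_use_ssl(check, connect))` branch leaves `pool_conn_name` at whatever it was initialised to, and that declaration is outside the hunk. The fix only holds if it starts out as an empty ist, so that is worth confirming, since the value feeds straight into `be_calculate_conn_hash()` and decides which idle connections the check may reuse. A short why-comment above the branch would keep a later change from re-adding the SNI fallback, e.g. `/* the SNI only names the connection when the transport is SSL */`. The body of tcpcheck_eval_connect() starts and ends outside the hunk.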