git.ipfire.org Git - thirdparty/haproxy.git/commit

author	Christopher Faulet <cfaulet@haproxy.com>
	Wed, 26 Nov 2025 10:05:14 +0000 (11:05 +0100)
committer	Christopher Faulet <cfaulet@haproxy.com>
	Wed, 26 Nov 2025 11:05:43 +0000 (12:05 +0100)
commit	7d9cc28f928f12f18685cd900c06026cf20edd66
tree	6dca4b5bd58ea789a738e1f83e68e8e1206e1f87	tree \| snapshot
parent	d506c03aa0f41e4918c73e9bebcb59a01ba18e7e	commit \| diff

Revert "BUG/MEDIUM: server/ssl: Unset the SNI for new server connections if none is set"

This reverts commit de29000e602bda55d32c266252ef63824e838ac0.

The fix was in fact invalid. First it is not supprted by WolfSSL to call
SSL_set_tlsext_host_name with a hostname to NULL. Then, it is not specified
as supported by other SSL libraries.

But, by reviewing the root cause of this bug, it appears there is an issue
with the reuse of TLS sesisons. It must not be performed if the SNI does not
match. A TLS session created with a SNI must not be reused with another
SNI. The side effects are not clear but functionnaly speaking, it is
invalid.

So, for now, the commit above was reverted because it is invalid and it
crashes with WolfSSL. Then the init of the SSL connection must be reworked
to get the SNI earlier, to be able to reuse or not an existing TLS
session.

src/backend.c		diff \| blob \| blame \| history
src/tcpcheck.c		diff \| blob \| blame \| history