BUG/MEDIUM: server/ssl: Unset the SNI for new server connections if none is set

author Christopher Faulet <cfaulet@haproxy.com>

Mon, 24 Nov 2025 13:41:54 +0000 (14:41 +0100)

committer Christopher Faulet <cfaulet@haproxy.com>

Tue, 25 Nov 2025 15:32:46 +0000 (16:32 +0100)
author Christopher Faulet <cfaulet@haproxy.com>
Mon, 24 Nov 2025 13:41:54 +0000 (14:41 +0100)
committer Christopher Faulet <cfaulet@haproxy.com>
Tue, 25 Nov 2025 15:32:46 +0000 (16:32 +0100)
diff --git a/src/backend.c b/src/backend.c

index 0170547b29274620444471a63937a63102269372..45dab68df69c05b6c59e03e8309c9f4a6c7b11d6 100644 (file)
--- a/src/backend.c
+++ b/src/backend.c
@@ -2156,14 +2156,22 @@ int connect_server(struct stream *s)
  
  #ifdef USE_OPENSSL
         /* Set socket SNI unless connection is reused. */
-       if (conn_is_ssl(srv_conn) && srv && srv->ssl_ctx.sni && !(s->flags & SF_SRV_REUSED)) {
-               struct sample *sni_smp = NULL;
-
-               sni_smp = sample_fetch_as_type(s->be, s->sess, s,
-                                              SMP_OPT_DIR_REQ | SMP_OPT_FINAL,
-                                              srv->ssl_ctx.sni, SMP_T_STR);
-               if (smp_make_safe(sni_smp))
-                       ssl_sock_set_servername(srv_conn, sni_smp->data.u.str.area);
+       if (conn_is_ssl(srv_conn) && !(s->flags & SF_SRV_REUSED)) {
+               int sni_set = 0;
+
+               if (srv && srv->ssl_ctx.sni) {
+                       struct sample *sni_smp = NULL;
+
+                       sni_smp = sample_fetch_as_type(s->be, s->sess, s,
+                                                      SMP_OPT_DIR_REQ | SMP_OPT_FINAL,
+                                                      srv->ssl_ctx.sni, SMP_T_STR);
+                       if (smp_make_safe(sni_smp)) {
+                               ssl_sock_set_servername(srv_conn, sni_smp->data.u.str.area);
+                               sni_set = 1;
+                       }
+               }
+               if (!sni_set)
+                       ssl_sock_set_servername(srv_conn, NULL);
         }
  #endif /* USE_OPENSSL */
  
diff --git a/src/tcpcheck.c b/src/tcpcheck.c

index 815a84099c80f38f9dddff50a8b2b7f6c97199d7..88a54d1486f5a2ed3be198e8aecebff2c12b4905 100644 (file)
--- a/src/tcpcheck.c
+++ b/src/tcpcheck.c
@@ -1509,6 +1509,8 @@ enum tcpcheck_eval_ret tcpcheck_eval_connect(struct check *check, struct tcpchec
                         ssl_sock_set_servername(conn, s->check.sni);
                 else if (auto_sni)
                         ssl_sock_set_servername(conn, b_orig(auto_sni));
+               else
+                       ssl_sock_set_servername(conn, NULL);
  
                 if (connect->alpn)
                         ssl_sock_set_alpn(conn, (unsigned char *)connect->alpn, connect->alpn_len);
author	Christopher Faulet <cfaulet@haproxy.com>
	Mon, 24 Nov 2025 13:41:54 +0000 (14:41 +0100)
committer	Christopher Faulet <cfaulet@haproxy.com>
	Tue, 25 Nov 2025 15:32:46 +0000 (16:32 +0100)
src/backend.c		patch \| blob \| blame \| history
src/tcpcheck.c		patch \| blob \| blame \| history