From: Amaury Denoyelle
Date: Mon, 24 Nov 2025 10:30:19 +0000 (+0100)
Subject: BUG/MEDIUM: server: do not use default SNI if manually set
X-Git-Tag: v3.3.0~23
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2829165f61e0e2f0c4217d7f1a763a336b842eaf;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: server: do not use default SNI if manually set

A new server feature "sni-auto" has been introduced recently. The objective is to automatically set the SNI value to the host header if no SNI is explicitly set.

668916c1a2fc2180028ae051aa805bb71c7b690b MEDIUM: server/ssl: Base the SNI value to the HTTP host header by default

There is an issue with it: server SNI is currently always overwritten, even if explicitly set in the configuration file. Adjust check_config_validity() to ensure the default value is only used if is NULL.

This issue was detected as a memory leak, which was reported when SNI is explicitly set on a server line.

This patch is related to github feature request #3081.

No need to backport, unless the above patch is.
---
diff --git a/src/cfgparse.c b/src/cfgparse.c index 4a0fec8f6..8c365e916 100644 --- a/src/cfgparse.c +++ b/src/cfgparse.c @@ -3851,10 +3851,11 @@ out_uri_auth_compat: } if (newsrv->use_ssl == 1 || ((newsrv->flags & SRV_F_DEFSRV_USE_SSL) && newsrv->use_ssl != 1)) { - /* In HTTP only, if the SNI not set and we can realy on the host + /* In HTTP only, if the SNI is not set and we can rely on the host * header value, fill the sni expression accordingly */ - if (newsrv->proxy->mode == PR_MODE_HTTP && !(newsrv->ssl_ctx.options & SRV_SSL_O_NO_AUTO_SNI)) { + if (!newsrv->sni_expr && newsrv->proxy->mode == PR_MODE_HTTP && + !(newsrv->ssl_ctx.options & SRV_SSL_O_NO_AUTO_SNI)) { newsrv->sni_expr = strdup("req.hdr(host),field(1,:)"); err = NULL;
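Review bot: the `!newsrv->sni_expr` guard added to the `if` condition is the whole fix and it sits in the right place: before this change, `newsrv->sni_expr = strdup("req.hdr(host),field(1,:)")` ran unconditionally for every SSL server in an HTTP proxy without `SRV_SSL_O_NO_AUTO_SNI`, so a `sni_expr` string already stored from the configuration was both replaced by the Host-header default and never freed, which is exactly the leak the commit message describes. One pre-existing point worth fixing while touching these lines: the return value of `strdup()` is still stored into `newsrv->sni_expr` without a NULL check, so an allocation failure would leave the server with no SNI expression and `err = NULL` on the following line would report nothing; consider checking the result and setting `err` before continuing. A style suggestion: the code comment above the condition ("if the SNI is not set and we can rely on the host header value") could state explicitly that a `sni` keyword on the server line takes precedence over the automatic default, since that precedence is the behaviour this hunk introduces.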