From: Olivier Houchard <ohouchard@haproxy.com>
Date: Fri, 28 Jun 2019 12:10:33 +0000 (+0200)
Subject: BUG/MEDIUM: ssl: Don't attempt to set alpn if we're not using SSL.
X-Git-Tag: v2.1-dev1~50
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e488ea865a433d93efcb14c0c602918070c6b208;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: ssl: Don't attempt to set alpn if we're not using SSL.

Checks use ssl_sock_set_alpn() to set the ALPN if check-alpn is used, however
check-alpn failed to check if the connection was indeed using SSL, and thus,
would crash if check-alpn was used on a non-SSL connection. Fix this by
making sure the connection uses SSL before attempting to set the ALPN.

This should be backported to 2.0 and 1.9.
---

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 05240063bf..c9fffbec6c 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -6411,6 +6411,9 @@ void ssl_sock_set_alpn(struct connection *conn, const unsigned char *alpn, int l
 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
 	struct ssl_sock_ctx *ctx = conn->xprt_ctx;
 
+	if (!ssl_sock_is_ssl(conn))
+		return;
+
 	SSL_set_alpn_protos(ctx->ssl, alpn, len);
 #endif
 }