From be4e1220c23fd45096e94006beac3b16453470ab Mon Sep 17 00:00:00 2001
From: Olivier Houchard
Date: Tue, 9 Dec 2025 16:17:08 +0100
Subject: [PATCH] BUG/MEDIUM: ssl: Don't store the ALPN for check connections

When establishing check connections, do not store the negociated ALPN into the server's path_param if the connection is a check connection, as it may use different SSL parameters than the regular connections. To do so, only store them if the CO_FL_SSL_NO_CACHED_INFO is not set. Otherwise, the check ALPN may be stored, and the wrong mux can be used for regular connections, which will end up generating 502s. This should fix Github issue #3207 This should be backported to 3.3.
---
 src/ssl_sock.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 1bc35d3ff..cfe7f7de1 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -4247,7 +4247,8 @@ static int ssl_sess_new_srv_cb(SSL *ssl, SSL_SESSION *sess)
 #ifdef USE_QUIC
 	/* The selected ALPN is not stored without SSL session. */
 	if (qc && (s->ssl_ctx.options & SRV_SSL_O_EARLY_DATA) &&
-	    s->ssl_ctx.reused_sess[tid].ptr) {
+	    s->ssl_ctx.reused_sess[tid].ptr &&
+	    !(conn->flags & CO_FL_SSL_NO_CACHED_INFO)) {
 		const char *alpn = NULL;
 		int len;
 
@@ -6867,8 +6868,14 @@ struct task *ssl_sock_io_cb(struct task *t, void *context, unsigned int state)
 	 * next connections, we'll know the ALPN
 	 * already, and immediately know which mux
 	 * to use, in case we want to use 0RTT.
+	 *
+	 * We do not want it to do it for check connections,
+	 * though, as they may use different SSL settings,
+	 * so don't do it if the CO_FL_SSL_NO_CACHE_INFO flag
+	 * is set.
 	 */
-	if (!(conn->flags & CO_FL_ERROR) && conn_is_back(conn)) {
+	if (!(conn->flags & (CO_FL_ERROR | CO_FL_SSL_NO_CACHED_INFO)) &&
+	    conn_is_back(conn)) {
 		struct server *srv;
 		const char *alpn;
 		int len;
-- 
2.47.3
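Review bot: The comment above the changed condition in ssl_sess_new_srv_cb, `/* The selected ALPN is not stored without SSL session. */`, now describes only part of the guard; the new `!(conn->flags & CO_FL_SSL_NO_CACHED_INFO)` term is left unexplained at the place where it matters. Suggest `/* The selected ALPN is not stored without an SSL session, nor for connections flagged CO_FL_SSL_NO_CACHED_INFO (e.g. checks), whose SSL settings may differ from regular traffic. */`. Separately, `conn` is not obtained inside this hunk, and the new term dereferences it as soon as `qc` and the early-data option are set; if `conn` can be NULL on the QUIC path this needs a guard, which is worth confirming against the start of ssl_sess_new_srv_cb, outside the hunk.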
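Review bot: The added comment in ssl_sock_io_cb names the flag `CO_FL_SSL_NO_CACHE_INFO`, but the condition right below tests `CO_FL_SSL_NO_CACHED_INFO`; the comment line should read ` * so don't do it if the CO_FL_SSL_NO_CACHED_INFO flag` so that a search for the real flag name finds this rationale. The phrasing `We do not want it to do it for check connections,` is also awkward and could become ` * Skip this for check connections, though, as they may use`. The code that actually stores the ALPN into the server continues past the end of the hunk, so the rest of that path was not reviewed here.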