From dcce9369129f6ca9b8eed6b451c0e20c226af2e3 Mon Sep 17 00:00:00 2001
From: Olivier Houchard
Date: Tue, 9 Dec 2025 16:10:24 +0100
Subject: [PATCH] MINOR: connections: Add a new CO_FL_SSL_NO_CACHED_INFO flag

Add a new flag to connections, CO_FL_SSL_NO_CACHED_INFO, and set it for checks. It lets the ssl layer know that he should not use cached informations, such as the ALPN as stored in the server, or cached sessions. This wlil be used for checks, as checks may target different servers, or used a different SSL configuration, so we can't assume the stored informations are correct. This should be backported to 3.3, and may be backported up to 2.8 if the attempts to do session resume by checks is proven to be a problem.

---
 include/haproxy/connection-t.h | 5 +++--
 src/tcpcheck.c | 2 ++
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/include/haproxy/connection-t.h b/include/haproxy/connection-t.h
index b727c3a56..2435733c1 100644
--- a/include/haproxy/connection-t.h
+++ b/include/haproxy/connection-t.h
@@ -145,6 +145,7 @@ enum {
 CO_FL_WAIT_ROOM = 0x00000800, /* data sink is full */
 CO_FL_WANT_SPLICING = 0x00001000, /* we wish to use splicing on the connection when possible */
+ CO_FL_SSL_NO_CACHED_INFO = 0x00002000, /* Don't use any cached information when creating a new SSL connection */
 /* unused: 0x00002000 */
 CO_FL_EARLY_SSL_HS = 0x00004000, /* We have early data pending, don't start SSL handshake yet */
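Review bot: The context line `/* unused: 0x00002000 */` is now wrong, because the line added just above it assigns exactly 0x00002000 to CO_FL_SSL_NO_CACHED_INFO; the comment was the placeholder for that free bit and should be deleted in the same commit, otherwise the next reader will believe the bit is still available and may define a second flag with the same value. The flag's own comment could also say what "cached information" means here, since the commit message does: `/* don't reuse cached ALPN/sessions when creating a new SSL connection (checks may target another server or SSL config) */`. The enclosing enum begins and ends outside this hunk.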
@@ -212,13 +213,13 @@ static forceinline char *conn_show_flags(char *buf, size_t len, const char *deli
 /* flags */
 _(CO_FL_SAFE_LIST, _(CO_FL_IDLE_LIST, _(CO_FL_CTRL_READY, _(CO_FL_REVERSED, _(CO_FL_ACT_REVERSING, _(CO_FL_OPT_MARK, _(CO_FL_OPT_TOS,
- _(CO_FL_XPRT_READY, _(CO_FL_WANT_DRAIN, _(CO_FL_WAIT_ROOM, _(CO_FL_EARLY_SSL_HS,
+ _(CO_FL_XPRT_READY, _(CO_FL_WANT_DRAIN, _(CO_FL_WAIT_ROOM, _(CO_FL_SSL_NO_CACHED_INFO, _(CO_FL_EARLY_SSL_HS,
 _(CO_FL_EARLY_DATA, _(CO_FL_SOCKS4_SEND, _(CO_FL_SOCKS4_RECV, _(CO_FL_SOCK_RD_SH, _(CO_FL_SOCK_WR_SH, _(CO_FL_ERROR, _(CO_FL_FDLESS, _(CO_FL_WAIT_L4_CONN, _(CO_FL_WAIT_L6_CONN, _(CO_FL_SEND_PROXY, _(CO_FL_ACCEPT_PROXY, _(CO_FL_ACCEPT_CIP, _(CO_FL_SSL_WAIT_HS, _(CO_FL_PRIVATE, _(CO_FL_RCVD_PROXY, _(CO_FL_SESS_IDLE, _(CO_FL_XPRT_TRACKED
- ))))))))))))))))))))))))))));
+ )))))))))))))))))))))))))))));
 /* epilogue */
 _(~0U);
 return buf;
diff --git a/src/tcpcheck.c b/src/tcpcheck.c
index 97b909ea6..28cdd94f2 100644
--- a/src/tcpcheck.c
+++ b/src/tcpcheck.c
@@ -1394,6 +1394,8 @@ enum tcpcheck_eval_ret tcpcheck_eval_connect(struct check *check, struct tcpchec
 status = SF_ERR_RESOURCE;
 goto fail_check;
 }
+
+ conn->flags |= CO_FL_SSL_NO_CACHED_INFO;
 conn->ctx = check->sc;
 conn_set_owner(conn, check->sess, NULL);
-- 
2.47.3
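Review bot: The new `conn->flags |= CO_FL_SSL_NO_CACHED_INFO;` in tcpcheck_eval_connect is set unconditionally on every check connection, SSL or not, and nothing in this patch reads the flag, so within this commit it is write-only; the consumer in the ssl layer is presumably a follow-up, and a reader of tcpcheck.c alone cannot tell why a check connection carries an SSL-specific flag. A why-comment on the new line would carry the rationale from the commit message into the code: `/* checks may target another server or use another SSL config: the ssl layer must not reuse cached ALPN or sessions */`. Setting it for non-SSL checks looks harmless since the flag is only meaningful to the xprt, but that is worth stating if it is intended. tcpcheck_eval_connect's body begins and continues outside this hunk.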