BUG/MEDIUM: ssl: Don't store the ALPN for check connections

When establishing check connections, do not store the negotiated ALPN
into the server's path_param if the connection is a check connection, as
it may use different SSL parameters than the regular connections. To do
so, only store them if the CO_FL_SSL_NO_CACHED_INFO is not set.
Otherwise, the check ALPN may be stored, and the wrong mux can be used
for regular connections, which will end up generating 502s.

This should fix Github issue #3207

This should be backported to 3.3.
Olivier Houchard 2025-12-09 16:17:08 +01:00 committed by Olivier Houchard
parent dcce936912
commit be4e1220c2


@ -4247,7 +4247,8 @@ static int ssl_sess_new_srv_cb(SSL *ssl, SSL_SESSION *sess)
#ifdef USE_QUIC
/* The selected ALPN is not stored without SSL session. */
if (qc && (s->ssl_ctx.options & SRV_SSL_O_EARLY_DATA) &&
s->ssl_ctx.reused_sess[tid].ptr) {
s->ssl_ctx.reused_sess[tid].ptr &&
!(conn->flags & CO_FL_SSL_NO_CACHED_INFO)) {
const char *alpn = NULL;
int len;
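Review bot: the comment above this condition ("The selected ALPN is not stored without SSL session.") no longer describes the whole guard now that `!(conn->flags & CO_FL_SSL_NO_CACHED_INFO)` is also required; extend it to say that connections carrying that flag (check connections, per the commit message) are skipped as well, so the reason is documented at this QUIC site and not only in the ssl_sock_io_cb comment.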
@ -6867,8 +6868,14 @@ struct task *ssl_sock_io_cb(struct task *t, void *context, unsigned int state)
* next connections, we'll know the ALPN
* already, and immediately know which mux
* to use, in case we want to use 0RTT.
*
* We do not want it to do it for check connections,
* though, as they may use different SSL settings,
* so don't do it if the CO_FL_SSL_NO_CACHE_INFO flag
* is set.
*/
if (!(conn->flags & CO_FL_ERROR) && conn_is_back(conn)) {
if (!(conn->flags & (CO_FL_ERROR | CO_FL_SSL_NO_CACHED_INFO)) &&
conn_is_back(conn)) {
struct server *srv;
const char *alpn;
int len;
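Review bot: the added comment names the flag as CO_FL_SSL_NO_CACHE_INFO while the code on the next lines tests CO_FL_SSL_NO_CACHED_INFO; correct the comment to the real identifier so a search for the flag finds this site. Folding the flag into the existing `CO_FL_ERROR` mask test is fine and keeps the conditional minimal.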