commit 9130a9605d10a0c155bbc7e808770318606ede35
author Olivier Houchard <ohouchard@haproxy.com> Tue Oct 17 17:33:43 2017 +0200
committer Willy Tarreau <w@1wt.eu> Tue Oct 17 18:10:24 2017 +0200
tree be0c664f494ef8b2f65b008340f443569711031e
parent f8eb8d56a79359a99d4076d3af9fdaaa070b680a

MINOR: checks: Add a new keyword to specify a SNI when doing SSL checks.

Add a new keyword, "check-sni", to be able to specify the SNI to be used when
doing health checks over SSL.

src/checks.c

diff --git a/src/checks.c b/src/checks.c
index c02935c..413365b 100644
--- a/src/checks.c
+++ b/src/checks.c
@@ -60,6 +60,10 @@
 #include <proto/dns.h>
 #include <proto/proto_udp.h>
 
+#ifdef USE_OPENSSL
+#include <proto/ssl_sock.h>
+#endif /* USE_OPENSSL */
+
 static int httpchk_expect(struct server *s, int done);
 static int tcpcheck_get_step_id(struct check *);
 static char * tcpcheck_get_step_comment(struct check *, int);
@@ -1597,6 +1601,10 @@
 	ret = SF_ERR_INTERNAL;
 	if (proto && proto->connect)
 		ret = proto->connect(conn, check->type, quickack ? 2 : 0);
+#ifdef USE_OPENSSL
+	if (s->check.sni)
+		ssl_sock_set_servername(conn, s->check.sni);
+#endif
 	if (s->check.send_proxy && !(check->state & CHK_ST_AGENT)) {
 		conn->send_proxy_ofs = 1;
 		conn->flags |= CO_FL_SEND_PROXY;

src/ssl_sock.c

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 774a5a6..1d00b42 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -7075,6 +7075,24 @@
 	return 0;
 }
 
+/* parse the "check-sni" server keyword */
+static int srv_parse_check_sni(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
+{
+	if (!*args[*cur_arg + 1]) {
+		if (err)
+			memprintf(err, "'%s' : missing SNI", args[*cur_arg]);
+		return ERR_ALERT | ERR_FATAL;
+	}
+
+	newsrv->check.sni = strdup(args[*cur_arg + 1]);
+	if (!newsrv->check.sni) {
+		memprintf(err, "'%s' : failed to allocate memory", args[*cur_arg]);
+		return ERR_ALERT | ERR_FATAL;
+	}
+	return 0;
+
+}
+
 /* parse the "check-ssl" server keyword */
 static int srv_parse_check_ssl(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
 {
@@ -8031,6 +8049,7 @@
  */
 static struct srv_kw_list srv_kws = { "SSL", { }, {
 	{ "ca-file",                 srv_parse_ca_file,            1, 1 }, /* set CAfile to process verify server cert */
+	{ "check-sni",               srv_parse_check_sni,          1, 1 }, /* set SNI */
 	{ "check-ssl",               srv_parse_check_ssl,          0, 1 }, /* enable SSL for health checks */
 	{ "ciphers",                 srv_parse_ciphers,            1, 1 }, /* select the cipher suite */
 	{ "crl-file",                srv_parse_crl_file,           1, 1 }, /* set certificate revocation list file use on server cert verify */