BUG/MEDIUM: ssl: Don't attempt to set alpn if we're not using SSL. Checks use ssl_sock_set_alpn() to set the ALPN if check-alpn is used, however check-alpn failed to check if the connection was indeed using SSL, and thus, would crash if check-alpn was used on a non-SSL connection. Fix this by making sure the connection uses SSL before attempting to set the ALPN. This should be backported to 2.0 and 1.9.

commit: e488ea865a433d93efcb14c0c602918070c6b208 [log] [tgz]
author: Olivier Houchard <ohouchard@haproxy.com> Fri Jun 28 14:10:33 2019 +0200
committer: Olivier Houchard <cognet@ci0.org> Fri Jun 28 14:12:28 2019 +0200
tree: bd6678efdd8605510827a11c45beda1e3edd317c
parent: d87d3fab25b3795a74ace2cf2ee16d4516e7a9c0 [diff]
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 0524006..c9fffbe 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c

@@ -6411,6 +6411,9 @@
 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
 	struct ssl_sock_ctx *ctx = conn->xprt_ctx;
 
+	if (!ssl_sock_is_ssl(conn))
+		return;
+
 	SSL_set_alpn_protos(ctx->ssl, alpn, len);
 #endif
 }
commit	e488ea865a433d93efcb14c0c602918070c6b208	[log] [tgz]
author	Olivier Houchard <ohouchard@haproxy.com>	Fri Jun 28 14:10:33 2019 +0200
committer	Olivier Houchard <cognet@ci0.org>	Fri Jun 28 14:12:28 2019 +0200
tree	bd6678efdd8605510827a11c45beda1e3edd317c
parent	d87d3fab25b3795a74ace2cf2ee16d4516e7a9c0 [diff]