From dc857216b170245d0be388deaad0c2a8a73e290d Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Thu, 23 Dec 2021 11:12:13 +0100
Subject: [PATCH] DEBUG: ssl: make sure we never change a servername on
 established connections

Since this case was already met previously with commit 655dec81b
("BUG/MINOR: backend: do not set sni on connection reuse"), let's make
sure that we don't change reused connection settings. This could be
generalized to most settings that are only in effect before the handshake
in fact (like set_alpn and a few other ones).

(cherry picked from commit 77bfa66124e8532a4ecbe5025657574bb43b7160)
[wt: it's not enabled in default builds thus is safe to backport; it may
 help sort out certain future bug reports in field]
Signed-off-by: Willy Tarreau <w@1wt.eu>
---
 src/ssl_sock.c |    4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index f000df7..c8f79b6 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -6581,6 +6581,10 @@ void ssl_sock_set_servername(struct connection *conn, const char *hostname)
 
 	if (!conn_is_ssl(conn))
 		return;
+
+	BUG_ON(!(conn->flags & CO_FL_WAIT_L6_CONN));
+	BUG_ON(!(conn->flags & CO_FL_SSL_WAIT_HS));
+
 	ctx = conn->xprt_ctx;
 	s = __objt_server(conn->target);
 
-- 
1.7.10.4