From 53a26cfc46a1ee0c5eff0c2d172e17f0fcb39791 Mon Sep 17 00:00:00 2001
From: Amaury Denoyelle
Date: Tue, 9 Sep 2025 15:34:25 +0200
Subject: [PATCH] BUG/MEDIUM: checks: fix ALPN inheritance from server

If no specific check settings are defined on a server line, it is expected that these checks will be performed with the same parameters as normal connections on the same server.

ALPN must be carefully taken into account for checks. Most notably, MUX initialization is delayed so that it is performed only after SSL handshake. Prior to this patch, MUX init delay was only performed if ALPN was defined via check settings. Thus, with the following settings, checks would be performed on HTTP/1.1 without consulting ALPN negotiation result from the server :

  server s1 127.0.0.1:443 ssl crt <...> alpn h2 check

This bug may result in checks reporting failure, for example in case of a server answering HTTP/2 to ALPN negotiation to the configuration above. Besides, there is incoherency between normal and check connections, which is not what the documentation specifies.

This patch fixes this code. Now server parameters are also taken into account. This ensures that checks and normal connections by default use the same connection method.

This must be backported up to 2.4.

(cherry picked from commit c6d33c09fc2c60fe0ffb54464a550e1b7bd69c4c)
Signed-off-by: Christopher Faulet
(cherry picked from commit 1d606e7e8c9789b8a0f9212eae6573cafb21ff82)
Signed-off-by: Christopher Faulet
(cherry picked from commit 5cf8f3e7d070eb258cf15b77a307acc02927746b)
Signed-off-by: Christopher Faulet
---
 src/tcpcheck.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/tcpcheck.c b/src/tcpcheck.c
index 45608f0..068f932 100644
--- a/src/tcpcheck.c
+++ b/src/tcpcheck.c
@@ -1231,7 +1231,7 @@ enum tcpcheck_eval_ret tcpcheck_eval_connect(struct check *check, struct tcpchec */ if (!s || ((connect->options & TCPCHK_OPT_DEFAULT_CONNECT) && check->mux_proto) || connect->mux_proto || - (!conn_is_ssl(conn) || (!connect->alpn && !check->alpn_str))) { + (!conn_is_ssl(conn) || (!connect->alpn && !check->alpn_str && !s->ssl_ctx.alpn_str))) { const struct mux_ops *mux_ops; TRACE_DEVEL("try to install mux now", CHK_EV_TCPCHK_CONN, check); -- 1.7.10.4
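Review bot: the new term `!s->ssl_ctx.alpn_str` is only safe because `!s ||` is the first operand of the same `||` chain and short-circuits when `s` is NULL; that ordering is now load-bearing and deserves a line in the comment block that ends just above the condition (`*/`), so a later reordering of the clauses does not reintroduce a NULL dereference. Also note that the server-level ALPN is consulted regardless of `TCPCHK_OPT_DEFAULT_CONNECT`, so an explicit `tcp-check connect` rule over SSL with no `alpn` of its own will now defer MUX installation to the handshake result as well; the commit message only describes the default-connect case, so either confirm this is the intended semantics and say so in the message, or gate the new term on the default-connect option. Finally, since the bug manifests as a failing check with `ssl ... alpn h2 check` against an HTTP/2-answering server, a regression test for that server line would keep the backports to 2.4 honest.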