From f7ade295c8cf4f2f385f20700ba4a4f3fdd1779b Mon Sep 17 00:00:00 2001
From: Amaury Denoyelle <adenoyelle@haproxy.com>
Date: Tue, 9 Sep 2025 14:27:24 +0200
Subject: [PATCH] OPTIM: check: do not delay MUX for ALPN if SSL not active

To ensure ALPN is properly applied on checks, MUX initialization is
delayed so that it is created on SSL handshake completion. However, this
does not check if SSL is really active for the connection.

This patch adjusts the condition so that MUX init is not delayed if SSL
is not active for the check connection. A similar process is already
conducted for normal connections via connect_server().

This must be backported up to 2.4. Despite not being a bug, it must be
backported for the following patch which fixes check ALPN inheritance
from server settings.

(cherry picked from commit fee3bd48b414c88f7e5abc37775f944aa94c808b)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit 5fcadcb9755b7fc8b28638cbfd5696e72841a316)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit 92264762e5e3caf6a8030c874e9ea57998cc841e)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
---
 src/tcpcheck.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/tcpcheck.c b/src/tcpcheck.c
index 967c1df..45608f0 100644
--- a/src/tcpcheck.c
+++ b/src/tcpcheck.c
@@ -1230,7 +1230,8 @@ enum tcpcheck_eval_ret tcpcheck_eval_connect(struct check *check, struct tcpchec
 	 * is no alpn.
 	 */
 	if (!s || ((connect->options & TCPCHK_OPT_DEFAULT_CONNECT) && check->mux_proto) ||
-	    connect->mux_proto || (!connect->alpn && !check->alpn_str)) {
+	    connect->mux_proto ||
+	    (!conn_is_ssl(conn) || (!connect->alpn && !check->alpn_str))) {
 		const struct mux_ops *mux_ops;
 
 		TRACE_DEVEL("try to install mux now", CHK_EV_TCPCHK_CONN, check);
-- 
1.7.10.4