From 07edaed1918a6433126b4d4d61b7f7b0e9324b30 Mon Sep 17 00:00:00 2001
From: Olivier Houchard <ohouchard@haproxy.com>
Date: Tue, 24 Mar 2026 15:51:34 +0100
Subject: [PATCH] BUG/MEDIUM: check: Don't reuse the server xprt if we should
 not

Don't assume the check will reuse the server's xprt. It may not be true
if some settings such as the ALPN has been set, and it differs from the
server's one. If the server is QUIC, and we want to use TCP for checks,
we certainly don't want to reuse its XPRT.
---
 src/check.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/check.c b/src/check.c
index 45ada607c..0c1bdd25b 100644
--- a/src/check.c
+++ b/src/check.c
@@ -1813,7 +1813,15 @@ int init_srv_check(struct server *srv)
 		 * specified.
 		 */
 		if (!srv->check.port && !is_addr(&srv->check.addr)) {
-			if (!srv->check.use_ssl && srv->use_ssl != -1)
+			/*
+			 * If any setting is set for the check, then we can't
+			 * assume we'll use the same XPRT as the server, the
+			 * server may be QUIC, but we want a TCP check.
+			 */
+			if (!srv->check.use_ssl && srv->use_ssl != -1 &&
+			    !srv->check.via_socks4 && !srv->check.send_proxy &&
+			    (!srv->check.alpn_len || (srv->check.alpn_len == srv->ssl_ctx.alpn_len && !strncmp(srv->check.alpn_str, srv->ssl_ctx.alpn_str, srv->check.alpn_len))) &&
+			    (!srv->check.mux_proto || srv->check.mux_proto != srv->mux_proto))
 				srv->check.xprt = srv->xprt;
 			else if (srv->check.use_ssl == 1)
 				srv->check.xprt = xprt_get(XPRT_SSL);
-- 
2.47.3