BUG/MINOR: quic: allow-0rtt warning must only be emitted with quic bind

When built with USE_QUIC_OPENSSL_COMPAT, a warning is emitted when using
allow-0rtt. However this warning is emitted for every allow-0rtt
keywords on the bind line which is confusing, it must only be done in
case the bind is a quic one. Also this does not handle the case where
the allow-0rtt keyword is in the crt-list.

This patch moves the warning to ssl_quic_initial_ctx() in order to emit
the warning in every useful cases.

diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c
index 72caeb36459e45f8482cfbb4199f802c01dcf4d1..08fcd1cd4ec265fe022f199bb32616d0d690bf48 100644 (file)
--- a/src/cfgparse-ssl.c
+++ b/src/cfgparse-ssl.c
@@ -1089,13 +1089,8 @@ static int ssl_bind_parse_allow_0rtt(char **args, int cur_arg, struct proxy *px,
 
 static int bind_parse_allow_0rtt(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
 {
-#ifdef USE_QUIC_OPENSSL_COMPAT
-       memprintf(err, "'%s' : 0-RTT is not supported in limited QUIC compatibility mode, ignored.", args[cur_arg]);
-       return ERR_WARN;
-#else
        conf->ssl_conf.early_data = 1;
        return 0;
-#endif
 }
 
 /* parse the "npn" bind keyword */

diff --git a/src/quic_ssl.c b/src/quic_ssl.c
index d017d8b03a94306c67dcbfa729d5e96542100a88..98067f67baa158854ba5a60bb7844f3e5a5a8f13 100644 (file)
--- a/src/quic_ssl.c
+++ b/src/quic_ssl.c
@@ -1,5 +1,6 @@
 #include <haproxy/errors.h>
 #include <haproxy/ncbuf.h>
+#include <haproxy/proxy.h>
 #include <haproxy/quic_conn.h>
 #include <haproxy/quic_sock.h>
 #include <haproxy/quic_ssl.h>
@@ -400,9 +401,12 @@ int ssl_quic_initial_ctx(struct bind_conf *bind_conf)
 #  if defined(SSL_OP_NO_ANTI_REPLAY)
        if (bind_conf->ssl_conf.early_data) {
                SSL_CTX_set_options(ctx, SSL_OP_NO_ANTI_REPLAY);
-#ifndef USE_QUIC_OPENSSL_COMPAT
+#   ifdef USE_QUIC_OPENSSL_COMPAT
+               ha_warning("Binding [%s:%d] for %s %s: 0-RTT is not supported in limited QUIC compatibility mode, ignored.\n",
+                          bind_conf->file, bind_conf->line, proxy_type_str(bind_conf->frontend), bind_conf->frontend->id);
+#   else
                SSL_CTX_set_max_early_data(ctx, 0xffffffff);
-#endif
+#   endif /* ! USE_QUIC_OPENSSL_COMPAT */
        }
 #  endif /* !SSL_OP_NO_ANTI_REPLAY */
        SSL_CTX_set_client_hello_cb(ctx, ssl_sock_switchctx_cbk, NULL);