Build option USE_QUIC_OPENSSL_COMPAT=1 must be set to activate QUIC
support for OpenSSL prior to version 3.5.2. This compiles an internal
compatibility layer, which must be then activated at runtime with global
option limited-quic.
Starting from OpenSSL version 3.5.2, a proper QUIC TLS API is now
exposed. Thus, the compatibility layer is unneeded. However it can still
be compiled against newer OpenSSL releases and activated at runtime,
mostly for test purpose.
As this compatibility layer has some limitations, (no support for QUIC
0-RTT), it's important that users notice this situation and disable it
if possible. Thus, this patch adds a notice warning when
USE_QUIC_OPENSSL_COMPAT=1 is set when building against OpenSSL 3.5.2 and
above. This should be sufficient for users and packagers to understand
that this option is not necessary anymore.
Note that USE_QUIC_OPENSSL_COMPAT=1 is incompatible with others TLS
library which exposed a QUIC API based on original BoringSSL patches
set. A build error will prevent the compatibility layer to be built.
limited-quic option is thus silently ignored.
#include <haproxy/listener-t.h>
#include <haproxy/quic_openssl_compat-t.h>
+/* Warn about native support in OpenSSL. */
+#if (OPENSSL_VERSION_NUMBER >= 0x30500020L)
+# pragma message "QUIC OpenSSL compat layer is unnecessary starting from OpenSSL 3.5.2 and newer."
+#endif
+
#define QUIC_OPENSSL_COMPAT_SSL_TP_EXT 0x39
/* Used by keylog */
projects / thirdparty / haproxy.git / commitdiff
