From: Frédéric Lécaille
Date: Thu, 17 Aug 2023 08:53:34 +0000 (+0200)
Subject: MINOR: quic+openssl_compat: Emit an alert for "allow-0rtt" option
X-Git-Tag: v2.9-dev4~40
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2677dc1c32f1b337fb5b946665a1621eb27dede7;p=thirdparty%2Fhaproxy.git

MINOR: quic+openssl_compat: Emit an alert for "allow-0rtt" option

QUIC 0-RTT is not supported when haproxy is linked against an TLS stack with limited QUIC support (OpenSSL). Modify the "allow-0rtt" option callback to make it emit a warning if set on a QUIC listener "bind" line.
---

diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c
index 08fcd1cd4e..72caeb3645 100644
--- a/src/cfgparse-ssl.c
+++ b/src/cfgparse-ssl.c
@@ -1089,8 +1089,13 @@ static int ssl_bind_parse_allow_0rtt(char **args, int cur_arg, struct proxy *px,
 
 static int bind_parse_allow_0rtt(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
 {
+#ifdef USE_QUIC_OPENSSL_COMPAT
+ memprintf(err, "'%s' : 0-RTT is not supported in limited QUIC compatibility mode, ignored.", args[cur_arg]);
+ return ERR_WARN;
+#else
 conf->ssl_conf.early_data = 1;
 return 0;
+#endif
 }
 
 /* parse the "npn" bind keyword */
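Review bot: Under `USE_QUIC_OPENSSL_COMPAT` the new branch in `bind_parse_allow_0rtt` returns before `conf->ssl_conf.early_data = 1;` for every bind line, whereas the commit message scopes the change to QUIC listeners; nothing in the hunk tests whether `conf` is a QUIC bind. If this callback also serves TCP/TLS bind lines, a compat build would drop TLS early data there too, with a warning that only mentions QUIC. Consider keeping the assignment unconditional and raising the warning only once the listener is known to be QUIC, or at least stating the scope with a comment such as `/* compat build: "allow-0rtt" is ignored on every bind line, not only QUIC ones */`. The crt-list variant `ssl_bind_parse_allow_0rtt` named in the hunk header is not touched and its body is outside the hunk, so it presumably still enables early data without any warning; that path is worth checking so operators get a consistent signal about whether replayable 0-RTT data is accepted.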