From: Willy Tarreau Date: Fri, 20 May 2022 16:16:52 +0000 (+0200) Subject: MINOR: listener: automatically enable SSL if a QUIC transport is found X-Git-Tag: v2.6-dev11~5 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=287f32fd012fcc60b38f654b4b9a3bf7b4dfa078;p=thirdparty%2Fhaproxy.git MINOR: listener: automatically enable SSL if a QUIC transport is found When a bind line is configured without the "ssl" keyword, a warning is emitted and a crash happens at runtime: bind quic4@:4449 crt rsa+dh2048.pem alpn h3 allow-0rtt [WARNING] (17867) : config : Proxy 'decrypt': A certificate was specified but SSL was not enabled on bind 'quic4@:4449' at [quic-mini.cfg:24] (use 'ssl'). Let's automatically turn SSL on when QUIC is detected, as it doesn't exist without SSL anyway. It solves the runtime issue, and also makes sure it is not possible to accidentally configure a quic listener with no certificate since the error is detected via the SSL checks. A warning is emitted in this case, to encourage the user to fix the configuration so that it remains reviewable. --- diff --git a/src/listener.c b/src/listener.c index 929c2387aa..53039bb60d 100644 --- a/src/listener.c +++ b/src/listener.c @@ -1648,6 +1648,11 @@ int bind_parse_args_list(struct bind_conf *bind_conf, char **args, int cur_arg, if ((bind_conf->options & (BC_O_USE_SOCK_DGRAM|BC_O_USE_XPRT_STREAM)) == (BC_O_USE_SOCK_DGRAM|BC_O_USE_XPRT_STREAM)) { #ifdef USE_QUIC bind_conf->xprt = xprt_get(XPRT_QUIC); + if (!(bind_conf->options & BC_O_USE_SSL)) { + bind_conf->options |= BC_O_USE_SSL; + ha_warning("parsing [%s:%d] : '%s %s' in section '%s' : QUIC protocol detected, enabling ssl. Use 'ssl' to shut this warning.\n", + file, linenum, args[0], args[1], section); + } quic_transport_params_init(&bind_conf->quic_params, 1); #else ha_alert("parsing [%s:%d] : '%s %s' in section '%s' : QUIC protocol selected but support not compiled in (check build options).\n",
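Review bot: the hunk flips BC_O_USE_SSL on implicitly inside the USE_QUIC branch, but the patch touches only src/listener.c, so the bind keyword documentation is not updated to say that a QUIC address on a bind line now implies 'ssl' and warns when it is omitted; please add that to the documentation for the 'ssl' keyword, otherwise the message "Use 'ssl' to shut this warning." points users at behaviour nowhere described (and "silence this warning" reads better than "shut this warning"). Since the new flag is set before the later SSL checks run, a QUIC bind with no certificate now fails at config time instead of crashing at runtime, which is the intended effect; it is worth stating in the doc that the certificate is therefore mandatory on such binds.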