From: Frédéric Lécaille
Date: Thu, 1 Jul 2021 15:09:05 +0000 (+0200)
Subject: MINOR: quic: Prefer x25519 as ECDH preferred parameters.
X-Git-Tag: v2.5-dev8~112
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4b1fddcfcfcd87efa5f97fecb8669766433d3318;p=thirdparty%2Fhaproxy.git

MINOR: quic: Prefer x25519 as ECDH preferred parameters.

This makes at least our listeners answer ngtcp2 clients without a HelloRetryRequest message. It seems the server chooses the first group in the group list ordered by preference and set by SSL_CTX_set1_curves_list() which matches the client ones.
---
diff --git a/src/xprt_quic.c b/src/xprt_quic.c index a3013fdd96..783772a9bb 100644 --- a/src/xprt_quic.c +++ b/src/xprt_quic.c @@ -942,7 +942,7 @@ int ssl_quic_initial_ctx(struct bind_conf *bind_conf) "TLS_CHACHA20_POLY1305_SHA256:" "TLS_AES_128_CCM_SHA256"; #endif - const char *groups = "P-256:X25519:P-384:P-521"; + const char *groups = "X25519:P-256:P-384:P-521"; long options = (SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) | SSL_OP_SINGLE_ECDH_USE |
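Review bot: the reordered `groups` string in ssl_quic_initial_ctx() needs a comment explaining why X25519 has to be listed first (to avoid a HelloRetryRequest with ngtcp2 clients, per the commit message); nothing in the hunk records that constraint, so a later edit could silently reorder it back. The commit message also hedges with "It seems the server chooses the first group ... which matches the client ones": before merging, confirm how the TLS library actually picks the group (server preference order versus client preference order, and whether it considers the client's offered key_share) and state the confirmed rule in the code comment, since the fix depends on it. Note that the change keeps the same four groups and only alters preference, so it does not reduce which groups the listener accepts.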