From: Olivier Houchard
Date: Mon, 6 May 2019 13:18:27 +0000 (+0200)
Subject: BUG/MEDIUM: ssl: Don't attempt to use early data with libressl.
X-Git-Tag: v2.0-dev3~113
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4cd2af4e5d785c42d2924492df987a7cd5832e23;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: ssl: Don't attempt to use early data with libressl.

Libressl doesn't yet provide early data, so don't put the CO_FL_EARLY_SSL_HS on the connection if we're building with libressl, or the handshake will never be done.
---

diff --git a/src/backend.c b/src/backend.c
index ae704decf7..5807a2e96a 100644
--- a/src/backend.c
+++ b/src/backend.c
@@ -1582,7 +1582,9 @@ int connect_server(struct stream *s)
 	}
-#ifdef USE_OPENSSL
+#if USE_OPENSSL && (defined(OPENSSL_IS_BORINGSSL) || \
+	((OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER)))
+
 	if (!reuse && cli_conn && srv && (srv->ssl_ctx.options & SRV_SSL_O_EARLY_DATA) &&
 	    /* Only attempt to use early data if either the client sent
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index e11ddb53cf..cf1b860f76 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -5336,7 +5336,8 @@ static int ssl_sock_init(struct connection *conn, void **xprt_ctx)
 	/* leave init state and start handshake */
 	conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN;
-#if OPENSSL_VERSION_NUMBER >= 0x10101000L || defined(OPENSSL_IS_BORINGSSL)
+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)) || \
+	defined(OPENSSL_IS_BORINGSSL)
 	conn->flags |= CO_FL_EARLY_SSL_HS;
 #endif
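Review bot: The early-data capability predicate is now spelled out independently in this backend.c hunk and in the ssl_sock.c hunk, with the operands in a different order, so the next library special case can easily land in one file and not the other; defining it once in a shared SSL header (name constructed, e.g. `HAVE_SSL_EARLY_DATA`) and testing that macro at both sites would keep them in lockstep. The guard also changes from `#ifdef USE_OPENSSL` to `#if USE_OPENSSL`, which is a stricter test: it now requires the macro to expand to a non-zero integer, so a build that defines it with an empty value would fail to preprocess instead of silently taking the non-SSL path. If backend.c does not see the OpenSSL headers before this point, `OPENSSL_VERSION_NUMBER` evaluates to 0 inside `#if` and the early-data block disappears without any diagnostic; presumably the include sits under the same USE_OPENSSL guard, but that is outside the hunk. connect_server's body starts and ends outside the hunk.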
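Review bot: A one-line comment on the new `#if` in ssl_sock_init would help future readers understand why LibreSSL is carved out, since LibreSSL reports `OPENSSL_VERSION_NUMBER` as 0x20000000L and therefore satisfies the `>= 0x10101000L` test by itself even though it does not implement TLS 1.3 early data; e.g. `/* LibreSSL advertises OPENSSL_VERSION_NUMBER 2.0.0 but has no early data; requesting it leaves the handshake stuck. */`. Note that this stays a compile-time decision, so a LibreSSL release that later gains early-data support will need this condition revisited rather than being picked up automatically. ssl_sock_init continues outside the hunk on both sides.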