From: Frederic Lecaille
Date: Wed, 2 Jul 2025 15:56:03 +0000 (+0200)
Subject: MINOR: quic: Prevent QUIC backend use with the OpenSSL QUIC compatibility module...
X-Git-Tag: v3.3-dev3~30
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5a87f4673a2263a0b724bfbedee7d9fe85c609ec;p=thirdparty%2Fhaproxy.git
MINOR: quic: Prevent QUIC backend use with the OpenSSL QUIC compatibility module (USE_OPENSS_COMPAT)
Make the server line parsing fail when a QUIC backend is configured if haproxy is built to use the OpenSSL stack compatibility module. This latter does not support the QUIC client part.
---
diff --git a/include/haproxy/openssl-compat.h b/include/haproxy/openssl-compat.h
index 917258d9a..97a1b7e88 100644
--- a/include/haproxy/openssl-compat.h
+++ b/include/haproxy/openssl-compat.h
@@ -47,6 +47,7 @@
 #ifdef USE_QUIC_OPENSSL_COMPAT
 #include
 #else
+#define HAVE_OPENSSL_QUIC_CLIENT_SUPPORT
 #if defined(OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_SEND)
 /* This macro is defined by the new OpenSSL 3.5.0 QUIC TLS API and it is not
 * defined by quictls.
diff --git a/src/server.c b/src/server.c
index c5d29a30a..c2597091a 100644
--- a/src/server.c
+++ b/src/server.c
@@ -3610,6 +3610,7 @@ static int _srv_parse_init(struct server **srv, char **args, int *cur_arg,
 }
 #ifdef USE_QUIC
+#ifdef HAVE_OPENSSL_QUIC_CLIENT_SUPPORT
 if (srv_is_quic(newsrv)) {
 if (!experimental_directives_allowed) {
 ha_alert("QUIC is experimental for server '%s',"
@@ -3622,6 +3623,14 @@ static int _srv_parse_init(struct server **srv, char **args, int *cur_arg,
 newsrv->xprt = xprt_get(XPRT_QUIC);
 quic_transport_params_init(&newsrv->quic_params, 0);
 }
+#else
+ if (srv_is_quic(newsrv)) {
+ ha_alert("The SSL stack does not provide a support for QUIC server '%s'",
+ newsrv->id);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ goto out;
+ }
+#endif
 #endif
 if (!port1 || !port2) {
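Review bot: `HAVE_OPENSSL_QUIC_CLIENT_SUPPORT` is defined for every build that does not set `USE_QUIC_OPENSSL_COMPAT`, ahead of the `OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_SEND` test and without probing the library, so the name promises more than the hunk checks. A comment above the define would make the assumption explicit, for example `/* No feature probe: every stack except the compat module is assumed to implement the QUIC client side. */`. The enclosing `#ifdef`/`#else` block ends outside the hunk, so whether a later line narrows this cannot be seen here.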
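Review bot: The `ha_alert()` format added in the `#else` branch of the second src/server.c hunk ends without `\n` and does not tell the operator why the build cannot do QUIC on the server side; haproxy alert strings normally carry their own newline, so please confirm this one is not run together with the next message. As far as this diff shows, the branch is reached only when haproxy is built with `USE_QUIC_OPENSSL_COMPAT`, so the message can say so: `ha_alert("QUIC server '%s' is not supported by the OpenSSL QUIC compatibility module\n",`. The two adjacent `#endif` lines would read better labelled, `#endif /* HAVE_OPENSSL_QUIC_CLIENT_SUPPORT */` and `#endif /* USE_QUIC */`. Failing the parse with `ERR_ALERT | ERR_FATAL` rather than silently choosing another transport is the right fail-closed behaviour; `_srv_parse_init` starts and ends outside the hunk.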