From: William Lallemand Date: Mon, 29 Jan 2024 17:36:31 +0000 (+0100) Subject: MEDIUM: ssl/quic: always compile the ssl_conf.early_data test X-Git-Tag: v3.0-dev3~138 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5c4519934708bfe6a26b9ad0cc93a8c5c87df112;p=thirdparty%2Fhaproxy.git MEDIUM: ssl/quic: always compile the ssl_conf.early_data test Always compile the test of the early_data variable in "ssl_quic_initial_ctx", this way we can emit a warning about its support or not. The test was moved in a more simple preprocessor check which only checks the new HAVE_SSL_0RTT_QUIC constant. Could be backported to 2.9 with the 2 previous commits. However AWS-LC must be excluded of HAVE_SSL_0RTT_QUIC in this version. --- diff --git a/src/quic_ssl.c b/src/quic_ssl.c index 485499a099..08c119f3e7 100644 --- a/src/quic_ssl.c +++ b/src/quic_ssl.c @@ -447,19 +447,18 @@ int ssl_quic_initial_ctx(struct bind_conf *bind_conf) SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION); SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION); -#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME -# if defined(HAVE_SSL_CLIENT_HELLO_CB) -# if defined(SSL_OP_NO_ANTI_REPLAY) if (bind_conf->ssl_conf.early_data) { - SSL_CTX_set_options(ctx, SSL_OP_NO_ANTI_REPLAY); -# if defined(USE_QUIC_OPENSSL_COMPAT) || defined(OPENSSL_IS_AWSLC) - ha_warning("Binding [%s:%d] for %s %s: 0-RTT is not supported in limited QUIC compatibility mode, ignored.\n", +#if !defined(HAVE_SSL_0RTT_QUIC) + ha_warning("Binding [%s:%d] for %s %s: 0-RTT with QUIC is not supported by this SSL library, ignored.\n", bind_conf->file, bind_conf->line, proxy_type_str(bind_conf->frontend), bind_conf->frontend->id); -# else +#else + SSL_CTX_set_options(ctx, SSL_OP_NO_ANTI_REPLAY); SSL_CTX_set_max_early_data(ctx, 0xffffffff); -# endif /* ! USE_QUIC_OPENSSL_COMPAT */ +#endif /* ! HAVE_SSL_0RTT_QUIC */ } -# endif /* !SSL_OP_NO_ANTI_REPLAY */ + +#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME +# if defined(HAVE_SSL_CLIENT_HELLO_CB) SSL_CTX_set_client_hello_cb(ctx, ssl_sock_switchctx_cbk, NULL); SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk); # else /* ! HAVE_SSL_CLIENT_HELLO_CB */