From: Olivier Houchard Date: Wed, 22 Nov 2017 16:38:37 +0000 (+0100) Subject: BUG/MINOR: ssl: Always start the handshake if we can't send early data. X-Git-Tag: v1.8.0~62 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=777e4b98a3252f89615d528f686087a9ab22d169;p=thirdparty%2Fhaproxy.git BUG/MINOR: ssl: Always start the handshake if we can't send early data. The current code only tries to do the handshake in case we can't send early data if we're acting as a client, which is wrong, it has to be done on the server side too, or we end up in an infinite loop. --- diff --git a/src/ssl_sock.c b/src/ssl_sock.c index d1977960cc..b8793fce66 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -5514,10 +5514,8 @@ static int ssl_sock_from_buf(struct connection *conn, struct buffer *buf, int fl if (try + conn->tmp_early_data > max_early) { try -= (try + conn->tmp_early_data) - max_early; if (try <= 0) { - if (objt_server(conn->target)) { - conn->flags &= ~CO_FL_EARLY_SSL_HS; - conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN; - } + conn->flags &= ~CO_FL_EARLY_SSL_HS; + conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN; break; } }
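Review bot: the hunk drops the `objt_server(conn->target)` guard around the flag update in the `if (try <= 0)` branch but leaves no comment saying why the update must happen for both frontend (server-side) and backend (client-side) connections, so a later reader could reasonably re-add the guard and reintroduce the infinite loop described in the commit message; suggest a one-line comment above `conn->flags &= ~CO_FL_EARLY_SSL_HS;` along the lines of "no room left for early data: fall back to a normal handshake on both sides, otherwise we loop forever". Otherwise the change is consistent with its description: once `try` has been reduced to zero or below by `(try + conn->tmp_early_data) - max_early`, clearing `CO_FL_EARLY_SSL_HS` and setting `CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN` before the `break` makes the caller wait for the handshake regardless of the connection's direction, and the unconditional form also removes the indentation level the old braces added.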