From: Frederic Lecaille
Date: Fri, 4 Jul 2025 14:38:06 +0000 (+0200)
Subject: MINOR: quic-be: TLS version restriction to 1.3
X-Git-Tag: v3.3-dev3~27
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e76f1ad171950c7a890d9810ab32988cb1fbf503;p=thirdparty%2Fhaproxy.git

MINOR: quic-be: TLS version restriction to 1.3

This patch skips the TLS version settings. They have as a side effect to add all the TLS version extensions to the ClientHello message (TLS 1.0 to TLS 1.3). QUIC supports only TLS 1.3.
---

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index a13e13f32..c77c82d97 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -4492,6 +4492,10 @@ static int ssl_sock_prepare_srv_ssl_ctx(const struct server *srv, SSL_CTX *ctx)
 #endif
 X509_STORE *store = SSL_CTX_get_cert_store(ctx);
+ /* QUIC supports only TLS 1.3. Skip these TLS versions settings. */
+ if (srv_is_quic(srv))
+ goto options;
+
 if (conf_ssl_methods->flags && (conf_ssl_methods->min || conf_ssl_methods->max))
 ha_warning("no-sslv3/no-tlsv1x are ignored for this server. "
 "Use only 'ssl-min-ver' and 'ssl-max-ver' to fix.\n");
@@ -4549,6 +4553,7 @@ static int ssl_sock_prepare_srv_ssl_ctx(const struct server *srv, SSL_CTX *ctx)
 methodVersions[max].ctx_set_version(ctx, SET_MAX);
 #endif
+ options:
 if (srv->ssl_ctx.options & SRV_SSL_O_NO_TLS_TICKETS)
 options |= SSL_OP_NO_TICKET;
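Review bot: The `goto options` added for QUIC servers silently discards any `ssl-min-ver`/`ssl-max-ver` the operator configured on that server, since it jumps past both the `ha_warning` and the `ctx_set_version(ctx, SET_MIN/SET_MAX)` calls without reporting anything, and it leaves the TLS 1.3 floor entirely to whatever the QUIC TLS stack enforces instead of pinning it on the `SSL_CTX`. If `conf_ssl_methods` reflects per-server settings (it may also carry a global default, which would make the warning noisy), I would keep the existing warning pattern for an explicit `min`/`max` on a QUIC server and pin the floor explicitly, via `SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION)` or the file's `methodVersions[...].ctx_set_version(ctx, SET_MIN)` wrapper, so the context matches the commit title even if a library default changes. Separately, the label `options` has the same name as the `options` variable or-ed on the line after it in the second hunk; that compiles because labels live in their own namespace, but `set_options` or `skip_versions` would read better. ssl_sock_prepare_srv_ssl_ctx starts before and ends after both hunks.
```c
	/* QUIC supports only TLS 1.3: the generic min/max version settings
	 * would advertise TLS 1.0-1.2 in the ClientHello, so pin 1.3 and
	 * skip them. */
	if (srv_is_quic(srv)) {
		if (conf_ssl_methods->min || conf_ssl_methods->max)
			ha_warning("ssl-min-ver/ssl-max-ver are ignored for this QUIC server, "
			           "only TLS 1.3 is supported.\n");
		SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION);
		goto options;
	}
	/* … unchanged: no-sslv3/no-tlsv1x warning and min/max handling for TCP servers … */
```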