BUG/MEDIUM: quic: keylog callback not called (USE_OPENSSL_COMPAT)

This bug impacts only the QUIC OpenSSL compatibility module (USE_QUIC_OPENSSL_COMPAT)
and it was introduced by this commit:

    BUG/MINOR: quic: Wrong keylog callback setting.

quic_tls_compat_keylog_callback() callback was no more set when the SSL keylog was
enabled by tune.ssl.keylog setting. This is the callback which sets the TLS secrets
into haproxy.

Set it again when the SSL keylog is not enabled by configuration.

Thank you to @Greg57070 for having reported this issue in GH #2412.

Must be backported as far as 2.8.

diff --git a/src/quic_openssl_compat.c b/src/quic_openssl_compat.c
index 2a8f83dc4f3bb3e3dc11c06a4150a11786e44d24..d914ac4d0dc0751cb98d9e031261932ec744a352 100644 (file)
--- a/src/quic_openssl_compat.c
+++ b/src/quic_openssl_compat.c
@@ -61,6 +61,12 @@ int quic_tls_compat_init(struct bind_conf *bind_conf, SSL_CTX *ctx)
        if (bind_conf->xprt != xprt_get(XPRT_QUIC))
                return 1;
 
+       /* This callback is already registered if the TLS keylog is activated for
+        * traffic decryption analysis.
+        */
+       if (!global_ssl.keylog)
+               SSL_CTX_set_keylog_callback(ctx, quic_tls_compat_keylog_callback);
+
        if (SSL_CTX_has_client_custom_ext(ctx, QUIC_OPENSSL_COMPAT_SSL_TP_EXT))
                return 1;