MINOR: ssl_sock: Early data disabled during SSL_CTX switching (aws-lc)

This patch impacts only haproxy when built against aws-lc TLS stack (OPENSSL_IS_AWSLC).

During the SSL_CTX switching from ssl_sock_switchctx_cbk() callback,
ssl_sock_switchctx_set() is called. This latter calls SSL_set_SSL_CTX()
whose aims is to change the SSL_CTX attached o an SSL object (TLS session).
But the aws-lc (or boringssl) implementation of this function copy
the "early data enabled" setting value (boolean) coming with the SSL_CTX object
into the SSL object. So, if not set in the SSL_CTX object this setting disabled
the one which has been set by configuration into the SSL object
(see qc_set_quic_early_data_enabled(), it calls SSL_set_early_data_enabled()
with an SSL object as parameter).

Fix this enabling the "early data enabled" setting into the SSL_CTX before
setting this latter into the SSL object.

This patch is required to make QUIC 0-RTT work with haproxy built against
aws-lc.

Note that, this patch should also help in early data support for TCP connections.

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index c5603d25e090a806076b8852415db18ba4239c5b..cd200283e9014dfda7409e83f9acb761244ccfa3 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -2448,6 +2448,14 @@ sni_lookup:
                return SSL_TLSEXT_ERR_ALERT_FATAL;
        }
 
+#if defined(OPENSSL_IS_AWSLC)
+       /* Note that ssl_sock_switchctx_set() calls SSL_set_SSL_CTX() which propagates the
+        * "early data enabled" setting from the SSL_CTX object to the SSL objects.
+        * So enable early data for this SSL_CTX context if configured.
+        */
+       if (s->ssl_conf.early_data)
+               SSL_CTX_set_early_data_enabled(container_of(node, struct sni_ctx, name)->ctx, 1);
+#endif
        /* switch ctx */
        ssl_sock_switchctx_set(ssl, container_of(node, struct sni_ctx, name)->ctx);
        HA_RWLOCK_RDUNLOCK(SNI_LOCK, &s->sni_lock);