From: Frederic Lecaille <flecaille@haproxy.com>
Date: Mon, 1 Dec 2025 15:42:52 +0000 (+0100)
Subject: BUG/MINOR: quic-be: missing connection stream closure upon TLS alert to send
X-Git-Tag: v3.4-dev1~47
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3f5e73e83f9bd1f2caf95dc2ccb61e44fabe5d48;p=thirdparty%2Fhaproxy.git

BUG/MINOR: quic-be: missing connection stream closure upon TLS alert to send

This is the same issue as the one fixed by this commit:
   BUG/MINOR: quic-be: handshake errors without connection stream closure
But this time this is when the client has to send an alert to the server.
The fix consists in creating the mux after having set the handshake connection
error flag and error_code.

This bug was revealed by ssl/set_ssl_cafile.vtc reg test.

Depends on this commit:
     MINOR: quic: avoid code duplication in TLS alert callback

Must be backported to 3.3
---

diff --git a/src/quic_ssl.c b/src/quic_ssl.c
index 155e9e8ec..c1fcfe23b 100644
--- a/src/quic_ssl.c
+++ b/src/quic_ssl.c
@@ -171,6 +171,15 @@ static int ha_quic_send_alert(SSL *ssl, enum ssl_encryption_level_t level, uint8
 	TRACE_PROTO("Received TLS alert", QUIC_EV_CONN_SSLALERT, qc, &alert, &level);
 
 	quic_set_tls_alert(qc, alert);
+	if (qc->conn) {
+		ssl_sock_handle_hs_error(qc->conn);
+		if (objt_server(qc->conn->target) && !qc->conn->mux) {
+			/* This has as side effect to close the connection stream */
+			if (conn_create_mux(qc->conn, NULL) >= 0)
+				qc->conn->mux->wake(qc->conn);
+		}
+	}
+
 	TRACE_LEAVE(QUIC_EV_CONN_SSLALERT, qc);
 	return 1;
 }