From: Frederic Lecaille <flecaille@haproxy.com>
Date: Wed, 2 Jul 2025 12:54:41 +0000 (+0200)
Subject: BUG/MINOR: quic: Missing TLS 1.3 QUIC cipher suites and groups inits (OpenSSL 3.5... 
X-Git-Tag: v3.3-dev3~32
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6aebca7f2cc443fb917b495def86b56f15dfcd63;p=thirdparty%2Fhaproxy.git

BUG/MINOR: quic: Missing TLS 1.3 QUIC cipher suites and groups inits (OpenSSL 3.5 QUIC API)

This bug impacts both QUIC backends and frontends with OpenSSL 3.5 as QUIC API.

The connections to a haproxy QUIC listener from a haproxy QUIC backend could not
work at all without HelloRetryRequest TLS messages emitted by the backend
asking the QUIC client to restart the handshake followed by TLS alerts:

    conn. @(nil) OpenSSL error[0xa000098] read_state_machine: excessive message size

Furthermore, the Initial CRYPTO data sent by the client were big (about two 1252 bytes
packets) (ClientHello TLS message). After analyzing the packets a key_share extension
with <unknown> as value was long (more that 1Ko). This extension is in relation with
the groups but does not belong to the groups supported by QUIC.

That said such connections could work with ngtcp2 as backend built against the same
OSSL TLS stack API but with a HelloRetryRequest.

ngtcp2 always set the QUIC default cipher suites and group, for all the stacks it
supports as implemented by this patch.

So this patch configures both QUIC backend and frontend cipher suites and groups
calling SSL_CTX_set_ciphersuites() and SSL_CTX_set1_groups_list() with the correct
argument, except for SSL_CTX_set1_groups_list() which fails with QUIC TLS for
a unknown reason at this time.

The call to SSL_CTX_set_options() is useless from ssl_quic_initial_ctx() for the QUIC
clients. One relies on ssl_sock_prepare_srv_ssl_ctx() to set them for now on.

This patch is effective for all the supported stacks without impact for AWS-LC,
and QUIC TLS and fixes the connections for haproxy QUIC frontend and backends
when builts against OpenSSL 3.5 QUIC API).

A new define HAVE_OPENSSL_QUICTLS has been added to openssl-compat.h to distinguish
the QUIC TLS stack.

Must be backported to 3.2.
---

diff --git a/include/haproxy/openssl-compat.h b/include/haproxy/openssl-compat.h
index 114b52f60..917258d9a 100644
--- a/include/haproxy/openssl-compat.h
+++ b/include/haproxy/openssl-compat.h
@@ -63,6 +63,9 @@ enum ssl_encryption_level_t {
 	ssl_encryption_application
 };
 
+#else
+/* QUIC TLS API */
+#define HAVE_OPENSSL_QUICTLS
 #endif
 #endif /* USE_QUIC_OPENSSL_COMPAT */
 
diff --git a/src/quic_ssl.c b/src/quic_ssl.c
index fe1b5bc12..3cb762753 100644
--- a/src/quic_ssl.c
+++ b/src/quic_ssl.c
@@ -11,6 +11,14 @@
 #include <haproxy/trace.h>
 
 DECLARE_POOL(pool_head_quic_ssl_sock_ctx, "quic_ssl_sock_ctx", sizeof(struct ssl_sock_ctx));
+const char *quic_ciphers = "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"
+                           ":TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_CCM_SHA256";
+#ifdef HAVE_OPENSSL_QUIC
+const char *quic_groups = "X25519:P-256:P-384:P-521:X25519MLKEM768";
+#else
+const char *quic_groups = "X25519:P-256:P-384:P-521";
+#endif
+
 
 /* Set the encoded version of the transport parameter into the TLS
  * stack depending on <ver> QUIC version and <server> boolean which must
@@ -732,6 +740,26 @@ int ssl_quic_initial_ctx(struct bind_conf *bind_conf)
 	SSL_CTX_set_mode(ctx, SSL_MODE_RELEASE_BUFFERS);
 	SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION);
 	SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION);
+	if (SSL_CTX_set_ciphersuites(ctx, quic_ciphers) != 1) {
+		ha_warning("Binding [%s:%d] for %s %s: default QUIC cipher"
+		           " suites setting failed.\n",
+		           bind_conf->file, bind_conf->line,
+		           proxy_type_str(bind_conf->frontend),
+		           bind_conf->frontend->id);
+		cfgerr++;
+	}
+
+#ifndef HAVE_OPENSSL_QUICTLS
+	/* TODO: this should also work with QUICTLS */
+	if (SSL_CTX_set1_groups_list(ctx, quic_groups) != 1) {
+		ha_warning("Binding [%s:%d] for %s %s: default QUIC cipher"
+		           " groups setting failed.\n",
+		           bind_conf->file, bind_conf->line,
+		           proxy_type_str(bind_conf->frontend),
+		           bind_conf->frontend->id);
+		cfgerr++;
+	}
+#endif
 
 	if (bind_conf->ssl_conf.early_data) {
 #if !defined(HAVE_SSL_0RTT_QUIC)
@@ -771,19 +799,19 @@ int ssl_quic_initial_ctx(struct bind_conf *bind_conf)
 SSL_CTX *ssl_quic_srv_new_ssl_ctx(void)
 {
 	SSL_CTX *ctx = NULL;
-	/* XXX TODO: check this: XXX */
-	long options =
-		(SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) |
-		SSL_OP_SINGLE_ECDH_USE |
-		SSL_OP_CIPHER_SERVER_PREFERENCE;
 
 	ctx = SSL_CTX_new(TLS_client_method());
 	if (!ctx)
 		goto err;
 
-	SSL_CTX_set_options(ctx, options);
 	SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION);
 	SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION);
+	if (SSL_CTX_set_ciphersuites(ctx, quic_ciphers) != 1)
+		goto err;
+
+	if (SSL_CTX_set1_groups_list(ctx, quic_groups) != 1)
+		goto err;
+
 #ifdef USE_QUIC_OPENSSL_COMPAT
 	if (!quic_tls_compat_init(NULL, ctx))
 		goto err;