From: Amaury Denoyelle
Date: Thu, 12 Jun 2025 14:16:43 +0000 (+0200)
Subject: MINOR: server: reject QUIC servers without explicit SSL
X-Git-Tag: v3.3-dev2~60
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=830affc17d65688fce1e7015bb88d133b8b9be32;p=thirdparty%2Fhaproxy.git

MINOR: server: reject QUIC servers without explicit SSL

Report an error during server configuration if QUIC is used but SSL is not activated via 'ssl' keyword. This is done in _srv_parse_finalize(), which is used by both static and dynamic servers.

Note that contrary to listeners, an error is reported instead of a warning, and SSL is not automatically activated if missing. This is mainly due to the complex server configuration: _srv_parse_finalize() is ideal to affect every server, including dynamic entries. However, it is executed after server SSL context allocation performed via XPRT operation. A proper fix would be to move SSL ctx alloc in _srv_parse_finalize(), but this may have unknown impact. Thus, for now a simpler solution has been chosen.

---
diff --git a/src/server.c b/src/server.c index 39d798ec4..45b079e9d 100644 --- a/src/server.c +++ b/src/server.c @@ -3836,6 +3836,15 @@ static int _srv_parse_finalize(char **args, int cur_arg, } } +#ifdef USE_QUIC + if (srv_is_quic(srv)) { + if (!srv->use_ssl) { + ha_alert("QUIC protocol detected without explicit SSL requirement. Use 'ssl' to fix this.\n"); + return ERR_ALERT | ERR_FATAL; + } + } +#endif + srv_lb_commit_status(srv); return 0;
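Review bot: the ha_alert() string in the new USE_QUIC block of _srv_parse_finalize() names neither the server nor where it was declared, so unless the caller prefixes that context, an operator facing a fatal error on a configuration with many server lines (or on a dynamic server add) cannot tell which entry is missing 'ssl'. Consider including the server's identity in the message. The two nested conditions can also be folded into one test, `if (srv_is_quic(srv) && !srv->use_ssl)`, which drops a level of indentation. Finally, the commit message explains that servers get a hard error where listeners get a warning with SSL enabled automatically, and that this is a stopgap until SSL context allocation can move into _srv_parse_finalize(); a short comment above the `#ifdef USE_QUIC` block stating that would keep a later reader from "aligning" the behaviour with listeners by silently setting use_ssl here, after the context allocation has already run.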