From: Frédéric Lécaille
Date: Thu, 21 Dec 2023 13:14:22 +0000 (+0100)
Subject: BUG/MINOR: quic: Wrong keylog callback setting.
X-Git-Tag: v3.0-dev1~39
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b26f6fb0cb358ef1df15e21151906e4c2e9f4364;p=thirdparty%2Fhaproxy.git

BUG/MINOR: quic: Wrong keylog callback setting.

This bug impacts only the QUIC OpenSSL compatibility module
(USE_QUIC_OPENSSL_COMPAT). To make this module work, the
quic_tls_compat_keylog_callback() function must be set as the keylog
callback, or at least be called by another keylog callback. This is what
SSL_CTX_keylog() was supposed to do. In addition to exporting the TLS
secrets via sample fetches, the latter also calls
quic_tls_compat_keylog_callback() when compiled with
USE_QUIC_OPENSSL_COMPAT defined.

Before this patch, SSL_CTX_keylog() was replaced by
quic_tls_compat_keylog_callback() and the TLS secrets were no longer
exported by sample fetches.

Must be backported to 2.8.
---

diff --git a/src/quic_openssl_compat.c b/src/quic_openssl_compat.c
index 3760bbcf2c..efd9b15008 100644
--- a/src/quic_openssl_compat.c
+++ b/src/quic_openssl_compat.c
@@ -61,7 +61,6 @@ int quic_tls_compat_init(struct bind_conf *bind_conf, SSL_CTX *ctx)
 	if (bind_conf->xprt != xprt_get(XPRT_QUIC))
 		return 1;
 
-	SSL_CTX_set_keylog_callback(ctx, quic_tls_compat_keylog_callback);
 	if (SSL_CTX_has_client_custom_ext(ctx, QUIC_OPENSSL_COMPAT_SSL_TP_EXT))
 		return 1;
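Review bot: the hunk in quic_tls_compat_init() only removes the SSL_CTX_set_keylog_callback() override, so the compat module now silently depends on SSL_CTX_keylog() being registered on this same SSL_CTX elsewhere and on it calling quic_tls_compat_keylog_callback() under USE_QUIC_OPENSSL_COMPAT, neither of which is visible in this diff. Please add a comment at the removal site stating that the keylog callback is installed by SSL_CTX_keylog() and must not be set here, otherwise a later change is likely to reintroduce the same override; for the 2.8 backport it is also worth checking that SSL_CTX_keylog() in that branch carries the USE_QUIC_OPENSSL_COMPAT call, since without it the QUIC compat module would receive no secrets at all after this patch.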