From: Olivier Houchard Date: Tue, 25 Nov 2025 10:02:21 +0000 (+0100) Subject: DOC: ssl: Document the restrictions on 0RTT. X-Git-Tag: v3.3.0~21 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f867068dc7a8be2ea860c44e967b1a4e6bba1193;p=thirdparty%2Fhaproxy.git DOC: ssl: Document the restrictions on 0RTT. Document that with QUIC, 0RTT only works with OpenSSL >= 3.5.2 and AWS-LC, and for TLS/TCP, it only works with OpenSSL, and frontends require that an ALPN be sent by the client to use the early data before the handshake. --- diff --git a/doc/configuration.txt b/doc/configuration.txt index 8cf61ee6d..422eaf6be 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -16513,6 +16513,10 @@ allow-0rtt you should only allow if for requests that are safe to replay, i.e. requests that are idempotent. You can use the "wait-for-handshake" action for any request that wouldn't be safe with early data. + With QUIC, 0rtt is supported with OpenSSL >= 3.5.2 and AWS-LC. With TCP/TLS, + 0rtt is only supported with OpenSSL, and requires that the client sends an + ALPN, otherwise the early data won't be considered before the handshake + happens. alpn This enables the TLS ALPN extension and advertises the specified protocol @@ -17741,6 +17745,8 @@ allow-0rtt Allow sending early data to the server when using TLS 1.3. Note that early data will be sent only if the client used early data, or if the backend uses "retry-on" with the "0rtt-rejected" keyword. + With QUIC, 0rtt is supported with OpenSSL >= 3.5.2 and AWS-LC. With TCP/TLS, + 0rtt is only supported with OpenSSL. alpn May be used in the following contexts: tcp, http
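Review bot: in the first hunk (frontend "allow-0rtt"), the ALPN sentence states the condition but not its consequence, so a reader cannot tell whether early data is rejected or merely deferred when the client sends no ALPN; "otherwise the early data won't be considered before the handshake happens" should say explicitly that the early data is still accepted but only processed once the handshake completes, which removes the 0-RTT latency benefit. While this paragraph is being edited, the unchanged context line "you should only allow if for requests that are safe to replay" has a typo ("allow if for" should be "allow it for"), and the new text spells the feature "0rtt" where the surrounding documentation says "early data" and the section title uses "0RTT"; the version requirement would also read more naturally as "OpenSSL 3.5.2 or later" rather than "OpenSSL >= 3.5.2".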
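Review bot: in the second hunk (backend "allow-0rtt"), the added text repeats the library restrictions from the frontend entry but says nothing about ALPN, and since the commit message says the ALPN requirement applies only to frontends, a reader comparing the two entries is left to guess whether it was dropped by accident; suggest either stating explicitly that no ALPN is needed on the server side ("unlike on frontends, no ALPN is required") or adding a cross-reference to the frontend "allow-0rtt" entry so the two restriction lists are maintained in one place. The same spelling and "OpenSSL >= 3.5.2" phrasing remarks as for the frontend hunk apply here.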