From: Frederic Lecaille
Date: Mon, 7 Jul 2025 10:01:22 +0000 (+0200)
Subject: BUG/MEDIUM: quic: SSL/TCP handshake failures with OpenSSL 3.5
X-Git-Tag: v3.3-dev3~34
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fb0324eb09cf00a65048a05fbcfbfb89bcdc6e25;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: quic: SSL/TCP handshake failures with OpenSSL 3.5

This bug arrived with this commit:

    MINOR: quic: OpenSSL 3.5 internal QUIC custom extension for transport parameters reset

To make QUIC connections succeed with the OpenSSL 3.5 API, a call to quic_ssl_set_tls_cbs() was needed from several callbacks which call SSL_set_SSL_CTX(). This has the side effect of setting the QUIC callbacks used by the OpenSSL 3.5 API. But quic_ssl_set_tls_cbs() was also called for TCP sessions, leading the SSL stack to run QUIC code if the QUIC support is enabled.

To fix this, simply ignore the TCP connections by inspecting the index value, which is NULL for such connections.

Must be backported to 3.2.

---
diff --git a/src/quic_ssl.c b/src/quic_ssl.c index 9ae5d8159..fe1b5bc12 100644 --- a/src/quic_ssl.c +++ b/src/quic_ssl.c @@ -1095,6 +1095,12 @@ int qc_ssl_provide_all_quic_data(struct quic_conn *qc, struct ssl_sock_ctx *ctx) /* Simple helper to set the specifig OpenSSL/quictls QUIC API callbacks */ int quic_ssl_set_tls_cbs(SSL *ssl) { + struct quic_conn *qc = SSL_get_ex_data(ssl, ssl_qc_app_data_index); + + /* Ignore the TCP connections */ + if (!qc) + return 1; + #ifdef HAVE_OPENSSL_QUIC return SSL_set_quic_tls_cbs(ssl, ha_quic_dispatch, NULL); #else
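Review bot: the early return `if (!qc) return 1;` makes the TCP/QUIC discrimination depend on the quic_conn already being attached at `ssl_qc_app_data_index` when quic_ssl_set_tls_cbs() runs; if any QUIC code path reaches this helper before that ex-data is stored, the QUIC callbacks are silently skipped and the handshake fails with no error reported, because 1 is also the success value the `SSL_set_quic_tls_cbs()` branch returns. Suggest stating that ordering requirement in the comment, e.g. `/* Ignore the TCP connections: no quic_conn is attached via ssl_qc_app_data_index */`, so a later reordering of the SSL_set_SSL_CTX() callers does not reintroduce a hard-to-diagnose failure. Since the function is being touched, the `specifig` typo in the context line above it (`/* Simple helper to set the specifig OpenSSL/quictls QUIC API callbacks */`) could be fixed in the same change.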