From: Frederic Lecaille
Date: Tue, 23 Jan 2024 13:45:25 +0000 (+0100)
Subject: MINOR: ssl_sock: Early data disabled during SSL_CTX switching (aws-lc)
X-Git-Tag: v3.0-dev2~25
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fcc8255;p=thirdparty%2Fhaproxy.git

MINOR: ssl_sock: Early data disabled during SSL_CTX switching (aws-lc)

This patch impacts only haproxy when built against the aws-lc TLS stack (OPENSSL_IS_AWSLC).

During the SSL_CTX switching from the ssl_sock_switchctx_cbk() callback, ssl_sock_switchctx_set() is called. The latter calls SSL_set_SSL_CTX(), whose aim is to change the SSL_CTX attached to an SSL object (TLS session). But the aws-lc (or boringssl) implementation of this function copies the "early data enabled" setting value (boolean) coming with the SSL_CTX object into the SSL object. So, if not set in the SSL_CTX object, this setting disables the one which has been set by configuration into the SSL object (see qc_set_quic_early_data_enabled(), which calls SSL_set_early_data_enabled() with an SSL object as parameter).

Fix this by enabling the "early data enabled" setting in the SSL_CTX before setting the latter into the SSL object.

This patch is required to make QUIC 0-RTT work with haproxy built against aws-lc.

Note that this patch should also help in early data support for TCP connections.
---
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index c5603d25e0..cd200283e9 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -2448,6 +2448,14 @@ sni_lookup: return SSL_TLSEXT_ERR_ALERT_FATAL; } +#if defined(OPENSSL_IS_AWSLC) + /* Note that ssl_sock_switchctx_set() calls SSL_set_SSL_CTX() which propagates the + * "early data enabled" setting from the SSL_CTX object to the SSL objects. + * So enable early data for this SSL_CTX context if configured. + */ + if (s->ssl_conf.early_data) + SSL_CTX_set_early_data_enabled(container_of(node, struct sni_ctx, name)->ctx, 1); +#endif /* switch ctx */ ssl_sock_switchctx_set(ssl, container_of(node, struct sni_ctx, name)->ctx); HA_RWLOCK_RDUNLOCK(SNI_LOCK, &s->sni_lock);
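Review bot: the new SSL_CTX_set_early_data_enabled() call in the OPENSSL_IS_AWSLC block writes to a shared SSL_CTX (container_of(node, struct sni_ctx, name)->ctx) from the handshake callback on every SNI match, while SNI_LOCK is only held for reading (the HA_RWLOCK_RDUNLOCK(SNI_LOCK, &s->sni_lock) just after shows this). Since s->ssl_conf.early_data is a configuration-time value, it would be cleaner to set the flag once on each sni_ctx's SSL_CTX when it is built, which keeps the callback read-only and avoids re-storing the same value on every connection. Also note that the `if (s->ssl_conf.early_data)` branch only ever enables the flag and never clears it; if a context that already has early data enabled is meant to keep it regardless of the bind setting, the comment above the call should say so.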