MEDIUM: ssl: Handle early data with OpenSSL 1.1.1
author    Olivier Houchard <ohouchard@haproxy.com>
          Fri, 22 Sep 2017 16:26:28 +0000 (18:26 +0200)
committer Willy Tarreau <w@1wt.eu>
          Fri, 27 Oct 2017 08:54:05 +0000 (10:54 +0200)
commit    c2aae74f010f97a3415542fe649198a5d3be1ea8
tree      3da55551a2471c785ca82fae336a32c3dc4967bf
parent    253c62b257c137e7da5c273f42bc5d6eacd31d2c

When compiled with OpenSSL >= 1.1.1, before attempting to do the handshake,
try to read any early data. If any early data is present, then we'll create
the session, read the data, and handle the request before we're doing the
handshake.

For this, we add a new connection flag, CO_FL_EARLY_SSL_HS, which is not
part of the CO_FL_HANDSHAKE set, allowing us to proceed with a session even
before an SSL handshake is completed.

As early data do have security implications, we let the origin server know
the request comes from early data by adding the "Early-Data" header, as
specified in this draft from the HTTP working group:

    https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-replay
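The origin-side counterpart of the header described above, as an added example that is not part of HAProxy or this commit: a request that arrives with `Early-Data: 1` may have been replayed by a network attacker, so an origin that cannot tolerate replay answers 425 (Too Early), as the cited draft defines, and the client resends after the handshake. The policy of accepting only safe methods from early data and the `check_early_data` helper are assumptions of this example.

```python
# Added example (not HAProxy code): origin-side handling of the "Early-Data: 1"
# request header that HAProxy inserts when a request was read from TLS 1.3
# early data. Per draft-ietf-httpbis-replay, a request received in early data
# may be replayed, so an origin that cannot tolerate a replay answers
# 425 (Too Early) and the client retries once the handshake has completed.
# The method policy below (only safe methods are served from early data) is an
# assumption of this example, not something the commit prescribes.

from typing import Mapping, Optional, Tuple

# Methods whose replay produces no additional side effect on the origin.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})


def early_data_flag(headers: Mapping[str, str]) -> bool:
    """True if the request carries Early-Data: 1 (header names are case-insensitive)."""
    for name, value in headers.items():
        if name.lower() == "early-data":
            return value.strip() == "1"
    return False


def check_early_data(method: str, headers: Mapping[str, str]) -> Tuple[int, Optional[str]]:
    """Decide whether a request may be processed now.

    Returns (0, None) to proceed with normal handling, or (425, "Too Early")
    when the request came from early data and is not safe to replay.
    """
    if not early_data_flag(headers):
        return 0, None          # full handshake already done; nothing to do
    if method.upper() in SAFE_METHODS:
        return 0, None          # replaying a safe request changes no state
    # A replayed POST/PUT/DELETE could duplicate its side effect: defer it.
    return 425, "Too Early"


if __name__ == "__main__":
    # Constructed sample requests, as HAProxy would forward them.
    print(check_early_data("GET", {"Host": "example.test", "Early-Data": "1"}))
    print(check_early_data("POST", {"Host": "example.test", "Early-Data": "1"}))
    print(check_early_data("POST", {"Host": "example.test"}))
```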
doc/configuration.txt
include/proto/connection.h
include/types/connection.h
include/types/listener.h
src/proto_http.c
src/proto_tcp.c
src/session.c
src/ssl_sock.c