likely that some users will give up, and it's pointless to waste CPU
cycles on their handshakes. Given the CPU cost of TLS handshakes, it is
recommended to leave this option enabled on internet-facing frontends.
+ This is the default for incoming TLS connections.
- when present in a backend, it will cause half-closed connections to try
to abort a request that was not yet sent to a server (i.e. when it's
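Review bot: The added sentence "This is the default for incoming TLS connections." uses different wording from the later hunk, which says the option is "enabled by default for TLS listeners". Use one term in both places so readers do not wonder whether two scopes are meant. It would also help to say here, in the frontend bullet, that the default can be turned off with "no option abortonclose". As written, a reader of this bullet alone learns the default but not how to override it.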
and HTTP services, and to disable it for pure TCP ones as well as unexposed
legacy environments. It is enabled by default in HTTP backends, and may be
forcefully disabled by prepending the "no" keyword before it, either in the
- backend section itself, or in the "defaults" section it inherits from.
+ backend section itself, or in the "defaults" section it inherits from. It is
+ also enabled by default for TLS listeners and may be forcefully disabled as
+ well by specifying "no option abortonclose" in the frontend or in the
+ "defaults" section it inherits from.
If this option has been enabled in a "defaults" section, it can be disabled
in a specific instance by prepending the "no" keyword before it.
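Review bot: The added text names the "defaults" section as a place for "no option abortonclose" on the frontend side, just as the preceding sentence does for the backend side. It does not say what a single "no option abortonclose" does in a "defaults" section inherited by both a TLS frontend and an HTTP backend. Please state whether that one line disables both behaviours. An operator who wants to keep handshake aborts on the listener while disabling the backend behaviour needs to know to put the "no" form in the backend section instead. The unchanged closing paragraph about prepending "no" now largely repeats the two sentences above it and could be merged with them.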
if (ctx->conn->flags & CO_FL_SSL_WAIT_HS &&
!conn_is_back(ctx->conn) &&
- proxy_abrt_close(((struct session *)ctx->conn->owner)->fe))
+ proxy_abrt_close_def(((struct session *)ctx->conn->owner)->fe, 1))
detect_shutr = 1;
else
detect_shutr = 0;
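Review bot: The bare literal 1 passed as the second argument on the added line, proxy_abrt_close_def(((struct session *)ctx->conn->owner)->fe, 1), is not explained at the call site. From the documentation change it reads as "treat the option as enabled when the frontend sets neither the option nor its 'no' form", but nothing here says so. A short comment above the condition, or a named constant in place of 1, would make the default-on intent for the handshake path clear and harder to flip by accident in a later edit.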