MINOR: quic-be: enable the use of 0-RTT

This patch allows the use of 0-RTT feature on QUIC server lines with "allow-0rtt"
option. In fact 0-RTT is really enabled only if ssl_sock_srv_try_reuse_sess()
successfully manages to reuse the SSL session and the chosen application protocol
from previous connections.

Note that, at this time, 0-RTT works only with quictls and aws-lc as TLS stack.

(0-RTT does not work at all (even for QUIC frontends) with libressl).

diff --git a/include/haproxy/openssl-compat.h b/include/haproxy/openssl-compat.h
index 8ff7872cebf5f1711e78145e2160c7b560258102..fcd1ca24799539dd3154c6cb25d9c517f6611ae9 100644 (file)
--- a/include/haproxy/openssl-compat.h
+++ b/include/haproxy/openssl-compat.h
@@ -77,7 +77,8 @@ enum ssl_encryption_level_t {
 
 #if defined(OPENSSL_IS_AWSLC)
 #define OPENSSL_NO_DH
-#define SSL_CTX_set1_sigalgs_list SSL_CTX_set1_sigalgs_list
+#define SSL_CTX_set1_sigalgs_list       SSL_CTX_set1_sigalgs_list
+#define SSL_set_quic_early_data_enabled SSL_set_early_data_enabled
 #endif
 
 

diff --git a/src/quic_ssl.c b/src/quic_ssl.c
index 5d53e4e5cd6655b744b4d7daf63657d4be228615..75353f01411652cc358f2009e003a68164679001 100644 (file)
--- a/src/quic_ssl.c
+++ b/src/quic_ssl.c
@@ -1318,7 +1318,23 @@ int qc_alloc_ssl_sock_ctx(struct quic_conn *qc, struct connection *conn)
                if (!qc_ssl_set_quic_transport_params(ctx->ssl, qc, quic_version_1, 0))
                        goto err;
 
-               ssl_sock_srv_try_reuse_sess(ctx, srv);
+               if (!(srv->ssl_ctx.options & SRV_SSL_O_EARLY_DATA))
+                   ssl_sock_srv_try_reuse_sess(ctx, srv);
+#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) && defined(HAVE_SSL_0RTT_QUIC)
+               else {
+                       /* Enable early data only if the SSL session, transport parameters
+                        * and application protocol could be reused. This insures the mux is
+                        * correctly selected.
+                        */
+                       if (ssl_sock_srv_try_reuse_sess(ctx, srv))
+                               SSL_set_quic_early_data_enabled(ctx->ssl, 1);
+                       else {
+                               /* No error here. 0-RTT will not be enabled. */
+                               TRACE_PROTO("Could not reuse any ALPN", QUIC_EV_CONN_NEW, qc);
+                       }
+               }
+#endif
+
                SSL_set_connect_state(ctx->ssl);
        }