BUG/MINOR: quic-be: backend SSL session reuse fix (OpenSSL 3.5)

This bug impacts only the QUIC backends when haproxy is compiled against
OpenSSL 3.5 with QUIC API(HAVE_OPENSSL_QUIC).

The QUIC clients could not reuse their SSL session because the TLS tickets
received from the servers could not be provided to the TLS stack. This should
be done when the stack calls ha_quic_ossl_crypto_recv_rcd()
(OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_RECV_RCD callback).

According to OpenSSL team, an SSL_read() call must be done after the handshake
completion. It seems the correct location is at the same level as for
SSL_process_quic_post_handshake() for quictls.

Thank you to @mattcaswell, @Sashan and @vdukhovni for having helped in solving
this issue.

Must be backported to 3.1

diff --git a/src/quic_ssl.c b/src/quic_ssl.c
index 22f0d04ab12504add826d58c2f38980f9c00a9de..45915773bdf10616955e6db84d56a715c94d03e7 100644 (file)
--- a/src/quic_ssl.c
+++ b/src/quic_ssl.c
@@ -1072,6 +1072,13 @@ int qc_ssl_do_hanshake(struct quic_conn *qc, struct ssl_sock_ctx *ctx)
 
                TRACE_STATE("SSL post handshake succeeded", QUIC_EV_CONN_IO_CB, qc, &state);
        }
+#else
+       else {
+               /* Poke to SSL state engine to give TLS record layer chance to handle
+                * session tickets.
+                */
+               SSL_read(ctx->ssl, NULL, 0);
+       }
 #endif
 
  out: