MINOR: quic-be: enable the use of 0-RTT

This patch allows the use of 0-RTT feature on QUIC server lines with "allow-0rtt"
option. In fact 0-RTT is really enabled only if ssl_sock_srv_try_reuse_sess()
successfully manages to reuse the SSL session and the chosen application protocol
from previous connections.

Note that, at this time, 0-RTT works only with quictls and aws-lc as TLS stack.

(0-RTT does not work at all (even for QUIC frontends) with libressl).

diff --git a/include/haproxy/openssl-compat.h b/include/haproxy/openssl-compat.h
index ffced37cdbbcb9760b1c0e6923815deb84cd906c..bd0da049126abb15a8269c07b8195e3a1e4cdcd5 100644 (file)
--- a/include/haproxy/openssl-compat.h
+++ b/include/haproxy/openssl-compat.h
@@ -77,7 +77,8 @@ enum ssl_encryption_level_t {
 
 #if defined(OPENSSL_IS_AWSLC)
 #define OPENSSL_NO_DH
-#define SSL_CTX_set1_sigalgs_list SSL_CTX_set1_sigalgs_list
+#define SSL_CTX_set1_sigalgs_list       SSL_CTX_set1_sigalgs_list
+#define SSL_set_quic_early_data_enabled SSL_set_early_data_enabled
 #endif
 
 

diff --git a/src/quic_ssl.c b/src/quic_ssl.c
index d4b414917406506ddf9b4b4414b311f3b131d14c..2914197e9e3452ea04fade128dacfcd3394ad81a 100644 (file)
--- a/src/quic_ssl.c
+++ b/src/quic_ssl.c
@@ -1301,7 +1301,23 @@ int qc_alloc_ssl_sock_ctx(struct quic_conn *qc, struct connection *conn)
                if (!qc_ssl_set_quic_transport_params(ctx->ssl, qc, quic_version_1, 0))
                        goto err;
 
-               ssl_sock_srv_try_reuse_sess(ctx, srv);
+               if (!(srv->ssl_ctx.options & SRV_SSL_O_EARLY_DATA))
+                   ssl_sock_srv_try_reuse_sess(ctx, srv);
+#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) && defined(HAVE_SSL_0RTT_QUIC)
+               else {
+                       /* Enable early data only if the SSL session, transport parameters
+                        * and application protocol could be reused. This insures the mux is
+                        * correctly selected.
+                        */
+                       if (ssl_sock_srv_try_reuse_sess(ctx, srv))
+                               SSL_set_quic_early_data_enabled(ctx->ssl, 1);
+                       else {
+                               /* No error here. 0-RTT will not be enabled. */
+                               TRACE_PROTO("Could not reuse any ALPN", QUIC_EV_CONN_NEW, qc);
+                       }
+               }
+#endif
+
                SSL_set_connect_state(ctx->ssl);
        }