From: Frederic Lecaille
Date: Sat, 2 Aug 2025 08:46:09 +0000 (+0200)
Subject: MINOR: quic-be: enable the use of 0-RTT
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=01af822b2398ad125c0e56502aa127836336c713;p=thirdparty%2Fhaproxy.git
MINOR: quic-be: enable the use of 0-RTT
This patch allows the use of 0-RTT feature on QUIC server lines with "allow-0rtt" option. In fact 0-RTT is really enabled only if ssl_sock_srv_try_reuse_sess() successfully manages to reuse the SSL session and the chosen application protocol from previous connections. Note that, at this time, 0-RTT works only with quictls and aws-lc as TLS stack. (0-RTT does not work at all (even for QUIC frontends) with libressl).
---
diff --git a/include/haproxy/openssl-compat.h b/include/haproxy/openssl-compat.h
index 8ff7872ce..fcd1ca247 100644
--- a/include/haproxy/openssl-compat.h
+++ b/include/haproxy/openssl-compat.h
@@ -77,7 +77,8 @@ enum ssl_encryption_level_t {
 #if defined(OPENSSL_IS_AWSLC)
 #define OPENSSL_NO_DH
-#define SSL_CTX_set1_sigalgs_list SSL_CTX_set1_sigalgs_list
+#define SSL_CTX_set1_sigalgs_list SSL_CTX_set1_sigalgs_list
+#define SSL_set_quic_early_data_enabled SSL_set_early_data_enabled
 #endif
diff --git a/src/quic_ssl.c b/src/quic_ssl.c
index 5d53e4e5c..75353f014 100644
--- a/src/quic_ssl.c
+++ b/src/quic_ssl.c
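Review bot: The new `#define SSL_set_quic_early_data_enabled SSL_set_early_data_enabled` in the `OPENSSL_IS_AWSLC` block carries no comment, so a reader cannot tell whether AWS-LC lacks the symbol or merely names it differently; a one-liner such as `/* AWS-LC has no QUIC-specific early-data switch; its generic setter is used instead (confirm against the AWS-LC headers) */` would settle that. Because the alias exists only for AWS-LC, every call site on other stacks must stay behind a `HAVE_SSL_0RTT_QUIC`-style guard, as the quic_ssl.c hunk does. The `-`/`+` pair for `SSL_CTX_set1_sigalgs_list` looks like whitespace-only churn and could be dropped from the commit.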
@@ -1318,7 +1318,23 @@ int qc_alloc_ssl_sock_ctx(struct quic_conn *qc, struct connection *conn)
 if (!qc_ssl_set_quic_transport_params(ctx->ssl, qc, quic_version_1, 0))
 goto err;
- ssl_sock_srv_try_reuse_sess(ctx, srv);
+ if (!(srv->ssl_ctx.options & SRV_SSL_O_EARLY_DATA))
+ ssl_sock_srv_try_reuse_sess(ctx, srv);
+#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) && defined(HAVE_SSL_0RTT_QUIC)
+ else {
+ /* Enable early data only if the SSL session, transport parameters
+ * and application protocol could be reused. This insures the mux is
+ * correctly selected.
+ */
+ if (ssl_sock_srv_try_reuse_sess(ctx, srv))
+ SSL_set_quic_early_data_enabled(ctx->ssl, 1);
+ else {
+ /* No error here. 0-RTT will not be enabled. */
+ TRACE_PROTO("Could not reuse any ALPN", QUIC_EV_CONN_NEW, qc);
+ }
+ }
+#endif
+
 SSL_set_connect_state(ctx->ssl);
 }
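Review bot: When the `#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) && defined(HAVE_SSL_0RTT_QUIC)` guard is false, the whole `else` branch vanishes and the preceding `if (!(srv->ssl_ctx.options & SRV_SSL_O_EARLY_DATA))` is left with no alternative, so a server line carrying `allow-0rtt` on such a build never calls `ssl_sock_srv_try_reuse_sess()` at all and silently loses the session resumption the removed line always attempted (assuming the option can be set on those builds, which the description's libressl remark suggests). Calling the reuse function unconditionally and gating only the `SSL_set_quic_early_data_enabled()` call on the macro removes that regression, as in the rewrite below, which also fixes "insures" to "ensures" in the comment. The trace text `"Could not reuse any ALPN"` is narrower than the comment above it, which names the session and transport parameters too; `"Could not reuse session/ALPN, 0-RTT disabled"` would match. Since client early data can be rejected by the peer and is replayable until the handshake completes, a short comment here pointing to where a rejected early-data status is handled would help, as this hunk does not show it. The enclosing qc_alloc_ssl_sock_ctx() starts before the hunk.
```c
	/* … unchanged: qc_ssl_set_quic_transport_params() call … */

	/* Always try to reuse the previous session so that resumption does not
	 * depend on 0-RTT support in the TLS stack.
	 */
	if (ssl_sock_srv_try_reuse_sess(ctx, srv)) {
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) && defined(HAVE_SSL_0RTT_QUIC)
		/* Enable early data only if the SSL session, transport parameters
		 * and application protocol could be reused. This ensures the mux is
		 * correctly selected.
		 */
		if (srv->ssl_ctx.options & SRV_SSL_O_EARLY_DATA)
			SSL_set_quic_early_data_enabled(ctx->ssl, 1);
#endif
	}
	else if (srv->ssl_ctx.options & SRV_SSL_O_EARLY_DATA) {
		/* No error here. 0-RTT will not be enabled. */
		TRACE_PROTO("Could not reuse session/ALPN, 0-RTT disabled", QUIC_EV_CONN_NEW, qc);
	}

	SSL_set_connect_state(ctx->ssl);
```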