From: Amaury Denoyelle Date: Fri, 31 Oct 2025 09:12:55 +0000 (+0100) Subject: OPTIM: quic: adjust automatic ALPN setting for QUIC servers X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=73b5d331cc1535da70e4ae3a6bc6859e60684d58;p=thirdparty%2Fhaproxy.git OPTIM: quic: adjust automatic ALPN setting for QUIC servers If a QUIC server is declared without ALPN, "h3" value is automatically set during _srv_parse_finalize(). This patch adjusts this operation. Instead of relying on ssl_sock_parse_alpn(), a plain strdup() is used. This is considered more efficient as the ALPN string is constant in this case. This method is already used for listeners on the frontend side. --- diff --git a/doc/configuration.txt b/doc/configuration.txt index 55b84b880..32c495098 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -17696,7 +17696,9 @@ alpn delimited list of protocol names, for instance: "http/1.1,http/1.0" (without quotes). This requires that the SSL library is built with support for TLS extensions enabled (check with haproxy -vv). The ALPN extension replaces the - initial NPN extension. ALPN is required to connect to HTTP/2 servers. + initial NPN extension. ALPN is required to connect to HTTP/2 servers. It is + also required to be able to use HTTP/3 via a QUIC server, "h3" serves as a + default value for QUIC servers without "alpn" setting. Versions of OpenSSL prior to 1.0.2 didn't support ALPN and only supposed the now obsolete NPN extension. If both HTTP/2 and HTTP/1.1 are expected to be supported, both versions can diff --git a/src/server.c b/src/server.c index 02980db72..ba0419316 100644 --- a/src/server.c +++ b/src/server.c 
@@ -3935,10 +3935,13 @@ static int _srv_parse_finalize(char **args, int cur_arg, ha_warning("QUIC protocol detected, enabling ssl. Use 'ssl' to shut this warning.\n"); } - if (!srv->ssl_ctx.alpn_str && - ssl_sock_parse_alpn("h3", &srv->ssl_ctx.alpn_str, - &srv->ssl_ctx.alpn_len, &errmsg) != 0) { - return ERR_ALERT | ERR_FATAL; + if (!srv->ssl_ctx.alpn_str) { + srv->ssl_ctx.alpn_str = strdup("\002h3"); + if (!srv->ssl_ctx.alpn_str) { + ha_alert("out of memory while trying to allocate a default alpn string.\n"); + return ERR_ALERT | ERR_FATAL; + } + srv->ssl_ctx.alpn_len = strlen(srv->ssl_ctx.alpn_str); } #else ha_alert("QUIC protocol selected but support not compiled in (check build options).\n");
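Review bot: In the doc/configuration.txt hunk, the added sentence joins two independent statements with a comma ("... via a QUIC server, "h3" serves as a default value ..."), which makes the default easy to miss. Split it into two sentences, for example: "It is also required to be able to use HTTP/3 via a QUIC server. For QUIC servers without an "alpn" setting, "h3" is used as the default value." That keeps the requirement and the implicit default as separate facts an operator can scan for.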
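Review bot: In the src/server.c hunk, the literal in strdup("\002h3") hand-encodes the length-prefixed ALPN wire format, and nothing in the added lines says so or ties the leading octet 2 to the length of "h3". Since this replaces a call to ssl_sock_parse_alpn(), which took the plain string "h3", a short comment above the strdup() stating that the string is one length byte followed by the protocol name would keep a later edit from changing the name without updating the prefix. The strlen() on the next line also depends on the buffer containing no NUL byte, which holds for this constant but is worth noting in the same comment, or the length could be taken from the literal at compile time rather than recomputed from the copy. The out-of-memory path itself looks right: it alerts and returns ERR_ALERT | ERR_FATAL before alpn_len is written.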