From: Olivier Houchard
Date: Wed, 19 Nov 2025 17:34:07 +0000 (+0100)
Subject: MEDIUM: ssl: Don't restrict usage of early-data with no ALPN
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7ab7c8957f12c613917fd540f12c68e19e884d74;p=thirdparty%2Fhaproxy.git
MEDIUM: ssl: Don't restrict usage of early-data with no ALPN
In ssl_sock_io_cb(), immediately create the mux if we received early data even if we have not received an ALPN. At this point, if we have not received the ALPN, we will not receive one anyway, so we can just use the default mux (h1 when in mode HTTP, pt when in mode TCP). That way, we can immediately process early data even if the client sent not ALPN (which will happen if the client is haproxy with no ALPN on the server line).
---
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 40d5da29e..d6494ef55 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -6852,9 +6852,7 @@ struct task *ssl_sock_io_cb(struct task *t, void *context, unsigned int state)
 if ((ctx->conn->flags & CO_FL_ERROR) ||
 !(ctx->conn->flags & CO_FL_SSL_WAIT_HS)
 #ifdef SSL_READ_EARLY_DATA_SUCCESS
- || (b_data(&ctx->early_buf) && (ctx->flags & SSL_SOCK_F_HAS_ALPN ||
- (objt_listener(conn->target) &&
- __objt_listener(conn->target)->bind_conf->mux_proto)))
+ || b_data(&ctx->early_buf)
 #endif
 ) {
 int woke = 0;
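Review bot: The new condition `|| b_data(&ctx->early_buf)` depends on an invariant that only the commit message states (once early data is buffered, no ALPN will arrive later), and nothing at the condition records it. I would add a comment above the `#ifdef`, for example `/* Early data buffered: ALPN, if any, is already known, so create the mux now (default mux when none). */`. Because early data is replayable until the handshake completes, the change also appears to extend pre-handshake mux creation to connections with neither ALPN nor a forced mux proto, which the removed lines seem to have held back. It would be worth confirming that the default h1/pt muxes still honour `wait-for-handshake` rules on that path. The body of ssl_sock_io_cb starts and ends outside the hunk, so what runs inside the block is not visible here.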