From 86a9e2aad0b77976376bb9f036f41130cf74c5e8 Mon Sep 17 00:00:00 2001
From: Frederic Lecaille
Date: Sat, 2 Aug 2025 10:46:09 +0200
Subject: [PATCH] MINOR: quic-be: enable the use of 0-RTT

This patch allows the use of 0-RTT feature on QUIC server lines with "allow-0rtt" option. In fact 0-RTT is really enabled only if ssl_sock_srv_try_reuse_sess() successfully manages to reuse the SSL session and the chosen application protocol from previous connections. Note that, at this time, 0-RTT works only with quictls and aws-lc as TLS stack. (0-RTT does not work at all (even for QUIC frontends) with libressl).
---
 include/haproxy/openssl-compat.h | 3 ++-
 src/quic_ssl.c | 18 +++++++++++++++++-
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/include/haproxy/openssl-compat.h b/include/haproxy/openssl-compat.h
index ffced37cd..bd0da0491 100644
--- a/include/haproxy/openssl-compat.h
+++ b/include/haproxy/openssl-compat.h
@@ -77,7 +77,8 @@ enum ssl_encryption_level_t {
 #if defined(OPENSSL_IS_AWSLC)
 #define OPENSSL_NO_DH
-#define SSL_CTX_set1_sigalgs_list SSL_CTX_set1_sigalgs_list
+#define SSL_CTX_set1_sigalgs_list SSL_CTX_set1_sigalgs_list
+#define SSL_set_quic_early_data_enabled SSL_set_early_data_enabled
 #endif
diff --git a/src/quic_ssl.c b/src/quic_ssl.c
index d4b414917..2914197e9 100644
--- a/src/quic_ssl.c
+++ b/src/quic_ssl.c
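Review bot: The `-`/`+` pair for `SSL_CTX_set1_sigalgs_list` reads identically here, so that part of the hunk appears to be a whitespace-only change; if it is unintended it should be dropped so the hunk carries only the new alias. The `SSL_set_quic_early_data_enabled` alias is defined only under `OPENSSL_IS_AWSLC`, while its caller in src/quic_ssl.c is compiled under `HAVE_SSL_0RTT_QUIC`; whether every stack that defines that symbol provides the function natively is not visible in this patch and is worth confirming, since a mismatch is a build break rather than a runtime fallback. A short comment above the define recording why the mapping is needed, presumably because AWS-LC exposes only the generic early-data setter, e.g. `/* AWS-LC: use the generic early-data setter for QUIC SSL objects (confirm) */`, would help the next reader of this compat block.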
@@ -1301,7 +1301,23 @@ int qc_alloc_ssl_sock_ctx(struct quic_conn *qc, struct connection *conn)
 if (!qc_ssl_set_quic_transport_params(ctx->ssl, qc, quic_version_1, 0))
 goto err;
- ssl_sock_srv_try_reuse_sess(ctx, srv);
+ if (!(srv->ssl_ctx.options & SRV_SSL_O_EARLY_DATA))
+ ssl_sock_srv_try_reuse_sess(ctx, srv);
+#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) && defined(HAVE_SSL_0RTT_QUIC)
+ else {
+ /* Enable early data only if the SSL session, transport parameters
+ * and application protocol could be reused. This insures the mux is
+ * correctly selected.
+ */
+ if (ssl_sock_srv_try_reuse_sess(ctx, srv))
+ SSL_set_quic_early_data_enabled(ctx->ssl, 1);
+ else {
+ /* No error here. 0-RTT will not be enabled. */
+ TRACE_PROTO("Could not reuse any ALPN", QUIC_EV_CONN_NEW, qc);
+ }
+ }
+#endif
+
 SSL_set_connect_state(ctx->ssl);
 }
-- 
2.47.3
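Review bot: When `SRV_SSL_O_EARLY_DATA` is set but the `#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) && defined(HAVE_SSL_0RTT_QUIC)` block is compiled out, the new `if (!(srv->ssl_ctx.options & SRV_SSL_O_EARLY_DATA))` guard skips `ssl_sock_srv_try_reuse_sess()` altogether, so a server line with allow-0rtt silently loses session resumption on TLS stacks without QUIC 0-RTT support, whereas the removed line called it unconditionally. Calling it once, keeping its result (the hunk already relies on it converting to a boolean), and gating only `SSL_set_quic_early_data_enabled()` on the option and that result avoids the regression and removes the duplicated call across the two branches; the `reused` declaration may need to move to the function's declaration list per the file's style, and the `(void)` cast keeps it from being flagged as unused when the block is compiled out. The body of qc_alloc_ssl_sock_ctx begins and ends outside this hunk. Early data is replayable by design, so the added comment could also record that constraint for whoever sends it, e.g. `/* 0-RTT data can be replayed; only idempotent data may be sent before the handshake completes. */`. Minor: "insures" in the added comment should read "ensures".
```c
	/* … unchanged: transport parameters setup … */
	int reused = ssl_sock_srv_try_reuse_sess(ctx, srv);
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) && defined(HAVE_SSL_0RTT_QUIC)
	if (srv->ssl_ctx.options & SRV_SSL_O_EARLY_DATA) {
		/* Enable early data only if the SSL session, transport parameters
		 * and application protocol could be reused. This ensures the mux is
		 * correctly selected. 0-RTT data can be replayed; only idempotent
		 * data may be sent before the handshake completes.
		 */
		if (reused)
			SSL_set_quic_early_data_enabled(ctx->ssl, 1);
		else {
			/* No error here. 0-RTT will not be enabled. */
			TRACE_PROTO("Could not reuse any ALPN", QUIC_EV_CONN_NEW, qc);
		}
	}
#else
	(void)reused;
#endif

	SSL_set_connect_state(ctx->ssl);
```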