MINOR: quic-be: enable the use of 0-RTT

This patch allows the use of 0-RTT feature on QUIC server lines with "allow-0rtt"
option. In fact 0-RTT is really enabled only if ssl_sock_srv_try_reuse_sess()
successfully manages to reuse the SSL session and the chosen application protocol
from previous connections.

Note that, at this time, 0-RTT works only with quictls and aws-lc as TLS stack.

(0-RTT does not work at all (even for QUIC frontends) with libressl).

diff --git a/include/haproxy/openssl-compat.h b/include/haproxy/openssl-compat.h
index 7b072bec8af09d590f9f36c7e5a0ef496d2dccce..0b9bd830d4836306e7046be1f1f42b281af2fc9e 100644 (file)
--- a/include/haproxy/openssl-compat.h
+++ b/include/haproxy/openssl-compat.h
@@ -77,7 +77,8 @@ enum ssl_encryption_level_t {
 
 #if defined(OPENSSL_IS_AWSLC)
 #define OPENSSL_NO_DH
-#define SSL_CTX_set1_sigalgs_list SSL_CTX_set1_sigalgs_list
+#define SSL_CTX_set1_sigalgs_list       SSL_CTX_set1_sigalgs_list
+#define SSL_set_quic_early_data_enabled SSL_set_early_data_enabled
 #endif
 
 

diff --git a/src/quic_ssl.c b/src/quic_ssl.c
index dfa25b7acaefe3fff8134b9d249ffc147e84a883..5fd336bfc390b329783274add039eb66d32da000 100644 (file)
--- a/src/quic_ssl.c
+++ b/src/quic_ssl.c
@@ -1281,7 +1281,23 @@ int qc_alloc_ssl_sock_ctx(struct quic_conn *qc, struct connection *conn)
                if (!qc_ssl_set_quic_transport_params(ctx->ssl, qc, quic_version_1, 0))
                        goto err;
 
-               ssl_sock_srv_try_reuse_sess(ctx, srv);
+               if (!(srv->ssl_ctx.options & SRV_SSL_O_EARLY_DATA))
+                   ssl_sock_srv_try_reuse_sess(ctx, srv);
+#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) && defined(HAVE_SSL_0RTT_QUIC)
+               else {
+                       /* Enable early data only if the SSL session, transport parameters
+                        * and application protocol could be reused. This insures the mux is
+                        * correctly selected.
+                        */
+                       if (ssl_sock_srv_try_reuse_sess(ctx, srv))
+                               SSL_set_quic_early_data_enabled(ctx->ssl, 1);
+                       else {
+                               /* No error here. 0-RTT will not be enabled. */
+                               TRACE_PROTO("Could not reuse SSL session", QUIC_EV_CONN_NEW, qc);
+                       }
+               }
+#endif
+
                SSL_set_connect_state(ctx->ssl);
                ssl_err = SSL_do_handshake(ctx->ssl);
                TRACE_PROTO("SSL_do_handshake() called", QUIC_EV_CONN_NEW, qc, &ssl_err);