From 2677dc1c32f1b337fb5b946665a1621eb27dede7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20L=C3=A9caille?=
Date: Thu, 17 Aug 2023 10:53:34 +0200
Subject: [PATCH] MINOR: quic+openssl_compat: Emit an alert for "allow-0rtt" option

QUIC 0-RTT is not supported when haproxy is linked against an TLS stack with limited QUIC support (OpenSSL). Modify the "allow-0rtt" option callback to make it emit a warning if set on a QUIC listener "bind" line.
---
 src/cfgparse-ssl.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c
index 08fcd1cd4..72caeb364 100644
--- a/src/cfgparse-ssl.c
+++ b/src/cfgparse-ssl.c
@@ -1089,8 +1089,13 @@ static int ssl_bind_parse_allow_0rtt(char **args, int cur_arg, struct proxy *px,

 static int bind_parse_allow_0rtt(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
 {
+#ifdef USE_QUIC_OPENSSL_COMPAT
+ memprintf(err, "'%s' : 0-RTT is not supported in limited QUIC compatibility mode, ignored.", args[cur_arg]);
+ return ERR_WARN;
+#else
 conf->ssl_conf.early_data = 1;
 return 0;
+#endif
 }

 /* parse the "npn" bind keyword */
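Review bot: The `#ifdef USE_QUIC_OPENSSL_COMPAT` branch in bind_parse_allow_0rtt() applies to every "bind" line, not only QUIC ones: nothing visible in the hunk tests the listener's transport, so in such a build a TLS-over-TCP bind carrying "allow-0rtt" would also get the warning and never reach `conf->ssl_conf.early_data = 1;`. The commit message scopes the warning to QUIC listeners, so silently dropping early data for TCP listeners looks like an unintended behaviour change. I would keep `conf->ssl_conf.early_data = 1;` and `return 0;` for non-QUIC binds and emit the `ERR_WARN` message only once the bind is known to be QUIC; if the transport is not yet resolved when this keyword is parsed (not determinable from the hunk), the check belongs in the post-parse validation instead. If ignoring the option for all listeners is intended, say so with a comment such as `/* compat build: "allow-0rtt" is ignored on every bind line, QUIC or not */` and make the warning text match.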