From 287f32fd012fcc60b38f654b4b9a3bf7b4dfa078 Mon Sep 17 00:00:00 2001
From: Willy Tarreau
Date: Fri, 20 May 2022 18:16:52 +0200
Subject: [PATCH] MINOR: listener: automatically enable SSL if a QUIC transport is found

When a bind line is configured without the "ssl" keyword, a warning is emitted and a crash happens at runtime:

bind quic4@:4449 crt rsa+dh2048.pem alpn h3 allow-0rtt

[WARNING] (17867) : config : Proxy 'decrypt': A certificate was specified but SSL was not enabled on bind 'quic4@:4449' at [quic-mini.cfg:24] (use 'ssl').

Let's automatically turn SSL on when QUIC is detected, as it doesn't exist without SSL anyway. It solves the runtime issue, and also makes sure it is not possible to accidentally configure a quic listener with no certificate since the error is detected via the SSL checks. A warning is emitted in this case, to encourage the user to fix the configuration so that it remains reviewable.
---
 src/listener.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/listener.c b/src/listener.c
index 929c2387a..53039bb60 100644
--- a/src/listener.c
+++ b/src/listener.c
@@ -1648,6 +1648,11 @@ int bind_parse_args_list(struct bind_conf *bind_conf, char **args, int cur_arg,
 if ((bind_conf->options & (BC_O_USE_SOCK_DGRAM|BC_O_USE_XPRT_STREAM)) == (BC_O_USE_SOCK_DGRAM|BC_O_USE_XPRT_STREAM)) {
 #ifdef USE_QUIC
 bind_conf->xprt = xprt_get(XPRT_QUIC);
+ if (!(bind_conf->options & BC_O_USE_SSL)) {
+ bind_conf->options |= BC_O_USE_SSL;
+ ha_warning("parsing [%s:%d] : '%s %s' in section '%s' : QUIC protocol detected, enabling ssl. Use 'ssl' to shut this warning.\n",
+ file, linenum, args[0], args[1], section);
+ }
 quic_transport_params_init(&bind_conf->quic_params, 1);
 #else
 ha_alert("parsing [%s:%d] : '%s %s' in section '%s' : QUIC protocol selected but support not compiled in (check build options).\n",
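Review bot: The added block flips BC_O_USE_SSL on without a comment saying why this is safe and what it is relied on for, so a later reader may see it as an arbitrary override rather than the point of the fix; I would put `/* QUIC has no cleartext mode: force SSL on so the certificate checks downstream reject a QUIC bind with no 'crt'; warn so the config stays explicit. */` above the `if`. The warning text could also tell the operator the consequence rather than only how to silence it, e.g. `QUIC protocol detected, enabling ssl (a certificate is therefore required). Add 'ssl' to the bind line to shut this warning.` This check only works if the per-keyword parsing that sets BC_O_USE_SSL for the "ssl" keyword has already run by the time this line is reached; that ordering is not visible in the hunk and is worth confirming, otherwise an explicit "ssl" placed on the bind line would still trigger the warning. The doc for the quic4@/quic6@ address prefixes should mention that "ssl" is implied and warned about when omitted. bind_parse_args_list starts and ends outside the hunk.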