mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-09-22 22:31:28 +02:00
Code Issues Projects Releases Wiki Activity

MEDIUM: xprt-quic: implement get_ssl_sock_ctx()

Browse Source 
By being able to return the ssl_sock_ctx, we're now enabling the whole
set of SSL sample fetch methods to work on the current SSL context of
the QUIC connection, as seen in the following test showing a request
forwarded to an HTTP/1 server with plenty of SSL headers filled:

00000001:decrypt.clireq[000f:ffffffff]: GET / HTTP/1.1
00000001:decrypt.clihdr[000f:ffffffff]: host: localhost
00000001:decrypt.clihdr[000f:ffffffff]: user-agent: nghttp3/ngtcp2 client
00000001:decrypt.clihdr[000f:ffffffff]: x-src: 127.0.0.1
00000001:decrypt.clihdr[000f:ffffffff]: x-dst: 127.0.0.4
00000001:decrypt.clihdr[000f:ffffffff]: x-ssl_f_serial: D16197E7D3E634E9
00000001:decrypt.clihdr[000f:ffffffff]: x-ssl_f_key_alg: rsaEncryption
00000001:decrypt.clihdr[000f:ffffffff]: x-ssl_f_sig_alg: RSA-SHA1
00000001:decrypt.clihdr[000f:ffffffff]: x-ssl_fc: 1
00000001:decrypt.clihdr[000f:ffffffff]: x-ssl_fc_has_sni: 1
00000001:decrypt.clihdr[000f:ffffffff]: x-ssl_fc_sni: blah
00000001:decrypt.clihdr[000f:ffffffff]: x-ssl_fc_alpn: h3
00000001:decrypt.clihdr[000f:ffffffff]: x-ssl_fc_protocol: TLSv1.3
00000001:decrypt.clihdr[000f:ffffffff]: x-ssl_fc_cipher: TLS_AES_256_GCM_SHA384
00000001:decrypt.clihdr[000f:ffffffff]: x-ssl_fc_alg_keysize: 256
00000001:decrypt.clihdr[000f:ffffffff]: x-ssl_fc_use_keysize: 256
00000001:decrypt.clihdr[000f:ffffffff]: x-forwarded-for: 127.0.0.1

The code is trivial, but this is marked as medium as there's always
the risk that some of the callable functions do not like being called
on such SSL contexts.
This commit is contained in:
Willy Tarreau 2022-04-11 11:57:35 +02:00
parent 939b0bf866
commit 54a1dcb1bb
1 changed files with 9 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
src/xprt_quic.c
View File

@ -5759,6 +5759,14 @@ static int qc_xprt_start(struct connection *conn, void *ctx)
return 1; return 1;
} }
static struct ssl_sock_ctx *qc_get_ssl_sock_ctx(struct connection *conn)
{
if (!conn || conn->xprt != xprt_get(XPRT_QUIC) || !conn->qc || !conn->xprt_ctx)
return NULL;
return conn->qc->xprt_ctx;
}
/* transport-layer operations for QUIC connections. */ /* transport-layer operations for QUIC connections. */
static struct xprt_ops ssl_quic = { static struct xprt_ops ssl_quic = {
.close = quic_close, .close = quic_close,
@ -5769,6 +5777,7 @@ static struct xprt_ops ssl_quic = {
.prepare_bind_conf = ssl_sock_prepare_bind_conf, .prepare_bind_conf = ssl_sock_prepare_bind_conf,
.destroy_bind_conf = ssl_sock_destroy_bind_conf, .destroy_bind_conf = ssl_sock_destroy_bind_conf,
.get_alpn = ssl_sock_get_alpn, .get_alpn = ssl_sock_get_alpn,
.get_ssl_sock_ctx = qc_get_ssl_sock_ctx,
.name = "QUIC", .name = "QUIC",
}; };