BUG/MINOR: quic-be: backend SSL session reuse fix (OpenSSL 3.5)

This bug impacts only the QUIC backends when haproxy is compiled against OpenSSL 3.5 with QUIC API(HAVE_OPENSSL_QUIC). The QUIC clients could not reuse their SSL session because the TLS tickets received from the servers could not be provided to the TLS stack. This should be done when the stack calls ha_quic_ossl_crypto_recv_rcd() (OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_RECV_RCD callback). According to OpenSSL team, an SSL_read() call must be done after the handshake completion. It seems the correct location is at the same level as for SSL_process_quic_post_handshake() for quictls. Thank you to @mattcaswell, @Sashan and @vdukhovni for having helped in solving this issue. Must be backported to 3.1
2025-11-29 23:01:03 +01:00 · 2025-11-04 10:06:13 +01:00 · 2025-11-04 10:06:13 +01:00 · 54eeda4b01
commit 54eeda4b01
parent 644bf585c3
1 changed files with 7 additions and 0 deletions
--- a/src/quic_ssl.c
+++ b/src/quic_ssl.c
@ -1072,6 +1072,13 @@ int qc_ssl_do_hanshake(struct quic_conn *qc, struct ssl_sock_ctx *ctx)

 		TRACE_STATE("SSL post handshake succeeded", QUIC_EV_CONN_IO_CB, qc, &state);
 	}
+#else
+	else {
+		/* Poke to SSL state engine to give TLS record layer chance to handle
+		 * session tickets.
+		 */
+		SSL_read(ctx->ssl, NULL, 0);
+	}
 #endif

 out: