MINOR: quic: Prevent QUIC backend use with the OpenSSL QUIC compatibility module (USE_OPENSS_COMPAT)

Make the server line parsing fail when a QUIC backend is configured if haproxy is built to use the OpenSSL stack compatibility module. This latter does not support the QUIC client part.
2025-08-06 23:27:04 +02:00 · 2025-07-02 17:56:03 +02:00 · 2025-07-02 17:56:03 +02:00 · 5a87f4673a
commit 5a87f4673a
parent 87ada46f38
2 changed files with 10 additions and 0 deletions
--- a/include/haproxy/openssl-compat.h
+++ b/include/haproxy/openssl-compat.h
@ -47,6 +47,7 @@
 #ifdef USE_QUIC_OPENSSL_COMPAT
 #include <haproxy/quic_openssl_compat.h>
 #else
+#define HAVE_OPENSSL_QUIC_CLIENT_SUPPORT
 #if defined(OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_SEND)
 /* This macro is defined by the new OpenSSL 3.5.0 QUIC TLS API and it is not
 * defined by quictls.
--- a/src/server.c
+++ b/src/server.c
@ -3610,6 +3610,7 @@ static int _srv_parse_init(struct server **srv, char **args, int *cur_arg,
 		}

 #ifdef USE_QUIC
+#ifdef HAVE_OPENSSL_QUIC_CLIENT_SUPPORT
 		if (srv_is_quic(newsrv)) {
 			if (!experimental_directives_allowed) {
 				ha_alert("QUIC is experimental for server '%s',"
@ -3622,6 +3623,14 @@ static int _srv_parse_init(struct server **srv, char **args, int *cur_arg,
 			newsrv->xprt = xprt_get(XPRT_QUIC);
 			quic_transport_params_init(&newsrv->quic_params, 0);
 		}
+#else
+		if (srv_is_quic(newsrv)) {
+			ha_alert("The SSL stack does not provide a support for QUIC server '%s'",
+			         newsrv->id);
+			err_code |= ERR_ALERT | ERR_FATAL;
+			goto out;
+		}
+#endif
 #endif

 		if (!port1 || !port2) {