From 5c4519934708bfe6a26b9ad0cc93a8c5c87df112 Mon Sep 17 00:00:00 2001
From: William Lallemand
Date: Mon, 29 Jan 2024 18:36:31 +0100
Subject: [PATCH] MEDIUM: ssl/quic: always compile the ssl_conf.early_data test

Always compile the test of the early_data variable in "ssl_quic_initial_ctx", this way we can emit a warning about its support or not. The test was moved in a more simple preprocessor check which only checks the new HAVE_SSL_0RTT_QUIC constant. Could be backported to 2.9 with the 2 previous commits. However AWS-LC must be excluded of HAVE_SSL_0RTT_QUIC in this version.
---
 src/quic_ssl.c | 21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)

diff --git a/src/quic_ssl.c b/src/quic_ssl.c
index 485499a09..08c119f3e 100644
--- a/src/quic_ssl.c
+++ b/src/quic_ssl.c
@@ -447,19 +447,18 @@ int ssl_quic_initial_ctx(struct bind_conf *bind_conf)
 	SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION);
 	SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION);
 
+	if (bind_conf->ssl_conf.early_data) {
+#if !defined(HAVE_SSL_0RTT_QUIC)
+		ha_warning("Binding [%s:%d] for %s %s: 0-RTT with QUIC is not supported by this SSL library, ignored.\n",
+		           bind_conf->file, bind_conf->line, proxy_type_str(bind_conf->frontend), bind_conf->frontend->id);
+#else
+		SSL_CTX_set_options(ctx, SSL_OP_NO_ANTI_REPLAY);
+		SSL_CTX_set_max_early_data(ctx, 0xffffffff);
+#endif /* ! HAVE_SSL_0RTT_QUIC */
+	}
+
 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
 # if defined(HAVE_SSL_CLIENT_HELLO_CB)
-#  if defined(SSL_OP_NO_ANTI_REPLAY)
-	if (bind_conf->ssl_conf.early_data) {
-		SSL_CTX_set_options(ctx, SSL_OP_NO_ANTI_REPLAY);
-#   if defined(USE_QUIC_OPENSSL_COMPAT) || defined(OPENSSL_IS_AWSLC)
-		ha_warning("Binding [%s:%d] for %s %s: 0-RTT is not supported in limited QUIC compatibility mode, ignored.\n",
-		           bind_conf->file, bind_conf->line, proxy_type_str(bind_conf->frontend), bind_conf->frontend->id);
-#   else
-		SSL_CTX_set_max_early_data(ctx, 0xffffffff);
-#   endif /* ! USE_QUIC_OPENSSL_COMPAT */
-	}
-#  endif /* !SSL_OP_NO_ANTI_REPLAY */
 	SSL_CTX_set_client_hello_cb(ctx, ssl_sock_switchctx_cbk, NULL);
 	SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk);
 # else /* ! HAVE_SSL_CLIENT_HELLO_CB */
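Review bot: The `#else` branch disables the TLS library's 0-RTT anti-replay check (`SSL_OP_NO_ANTI_REPLAY`) and sets the early-data cap to `0xffffffff`, effectively removing it, without a comment saying why that is acceptable, and nothing in this hunk shows where replayed 0-RTT data is then dealt with; a reader should not have to reconstruct the security argument from the option name. I would put above `SSL_CTX_set_options(ctx, SSL_OP_NO_ANTI_REPLAY);` a comment such as `/* QUIC handles 0-RTT itself: SSL_OP_NO_ANTI_REPLAY turns off the library's replay check and 0xffffffff removes its early-data cap, so replay safety of 0-RTT requests rests with the QUIC/HTTP/3 layer. */`, adjusting the wording to match where that guarantee actually lives. Separately, in the `!HAVE_SSL_0RTT_QUIC` branch the warning says the setting is ignored but `bind_conf->ssl_conf.early_data` is left set, so any other code that tests that flag presumably still believes 0-RTT is enabled; if that is the case, clearing it right after the warning, `bind_conf->ssl_conf.early_data = 0;`, would make "ignored" true rather than just logged. The enclosing `ssl_quic_initial_ctx` starts before and continues past this hunk, so the availability of `SSL_OP_NO_ANTI_REPLAY` and `SSL_CTX_set_max_early_data` under `HAVE_SSL_0RTT_QUIC` (the commit message notes AWS-LC must be excluded) cannot be checked from here.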