MEDIUM: quic-be: enable the use of 0-RTT

This patch allows the use of 0-RTT feature on QUIC server lines with "allow-0rtt" option. In fact 0-RTT is really enabled only if ssl_sock_srv_try_reuse_sess() successfully manages to reuse the SSL session and the chosen application protocol from previous connections. Note that, at this time, 0-RTT works only with quictls and aws-lc as TLS stack. (0-RTT does not work at all (even for QUIC frontends) with libressl).
2025-12-03 08:41:40 +01:00 · 2025-08-02 10:46:09 +02:00 · 2025-08-02 10:46:09 +02:00 · 6419b9f204
commit 6419b9f204
parent 46d490f7c2
2 changed files with 19 additions and 2 deletions
--- a/include/haproxy/openssl-compat.h
+++ b/include/haproxy/openssl-compat.h
@ -77,7 +77,8 @@ enum ssl_encryption_level_t {
 #if defined(OPENSSL_IS_AWSLC)
 #define OPENSSL_NO_DH
-#define SSL_CTX_set1_sigalgs_list SSL_CTX_set1_sigalgs_list
+#define SSL_CTX_set1_sigalgs_list       SSL_CTX_set1_sigalgs_list
 #define SSL_set_quic_early_data_enabled SSL_set_early_data_enabled
 #endif
--- a/src/quic_ssl.c
+++ b/src/quic_ssl.c
@ -1322,7 +1322,23 @@ int qc_alloc_ssl_sock_ctx(struct quic_conn *qc, void *target)
 		if (!qc_ssl_set_quic_transport_params(ctx->ssl, qc, quic_version_1, 0))
 			goto err;
-		ssl_sock_srv_try_reuse_sess(ctx, srv);
+		if (!(srv->ssl_ctx.options & SRV_SSL_O_EARLY_DATA))
 		    ssl_sock_srv_try_reuse_sess(ctx, srv);
 #if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) && defined(HAVE_SSL_0RTT_QUIC)
 		else {
 			/* Enable early data only if the SSL session, transport parameters
 			 * and application protocol could be reused. This insures the mux is
 			 * correctly selected.
 			 */
 			if (ssl_sock_srv_try_reuse_sess(ctx, srv))
 				SSL_set_quic_early_data_enabled(ctx->ssl, 1);
 			else {
 				/* No error here. 0-RTT will not be enabled. */
 				TRACE_PROTO("Could not reuse any ALPN", QUIC_EV_CONN_NEW, qc);
 			}
 		}
 #endif
 		SSL_set_connect_state(ctx->ssl);
 	}