From 8c004153e5f1802b2060629d8656b42b84c65bbd Mon Sep 17 00:00:00 2001
From: William Lallemand
Date: Mon, 21 Aug 2023 13:51:56 +0200
Subject: [PATCH] BUG/MINOR: quic: allow-0rtt warning must only be emitted with quic bind

When built with USE_QUIC_OPENSSL_COMPAT, a warning is emitted when using allow-0rtt. However this warning is emitted for every allow-0rtt keywords on the bind line which is confusing, it must only be done in case the bind is a quic one. Also this does not handle the case where the allow-0rtt keyword is in the crt-list. This patch moves the warning to ssl_quic_initial_ctx() in order to emit the warning in every useful cases.

---
 src/cfgparse-ssl.c | 5 -----
 src/quic_ssl.c | 8 ++++++--
 2 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c
index 72caeb364..08fcd1cd4 100644
--- a/src/cfgparse-ssl.c
+++ b/src/cfgparse-ssl.c
@@ -1089,13 +1089,8 @@ static int ssl_bind_parse_allow_0rtt(char **args, int cur_arg, struct proxy *px,
 static int bind_parse_allow_0rtt(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
 {
-#ifdef USE_QUIC_OPENSSL_COMPAT
-	memprintf(err, "'%s' : 0-RTT is not supported in limited QUIC compatibility mode, ignored.", args[cur_arg]);
-	return ERR_WARN;
-#else
 	conf->ssl_conf.early_data = 1;
 	return 0;
-#endif
 }
 /* parse the "npn" bind keyword */
diff --git a/src/quic_ssl.c b/src/quic_ssl.c
index d017d8b03..98067f67b 100644
--- a/src/quic_ssl.c
+++ b/src/quic_ssl.c
@@ -1,5 +1,6 @@
 #include
 #include
+#include
 #include
 #include
 #include
@@ -400,9 +401,12 @@ int ssl_quic_initial_ctx(struct bind_conf *bind_conf)
 # if defined(SSL_OP_NO_ANTI_REPLAY)
 	if (bind_conf->ssl_conf.early_data) {
 		SSL_CTX_set_options(ctx, SSL_OP_NO_ANTI_REPLAY);
-#ifndef USE_QUIC_OPENSSL_COMPAT
+# ifdef USE_QUIC_OPENSSL_COMPAT
+		ha_warning("Binding [%s:%d] for %s %s: 0-RTT is not supported in limited QUIC compatibility mode, ignored.\n",
+			   bind_conf->file, bind_conf->line, proxy_type_str(bind_conf->frontend), bind_conf->frontend->id);
+# else
 		SSL_CTX_set_max_early_data(ctx, 0xffffffff);
-#endif
+# endif /* ! USE_QUIC_OPENSSL_COMPAT */
 	}
 # endif /* !SSL_OP_NO_ANTI_REPLAY */
 	SSL_CTX_set_client_hello_cb(ctx, ssl_sock_switchctx_cbk, NULL);
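Review bot: In the USE_QUIC_OPENSSL_COMPAT branch the new warning tells the operator 0-RTT is ignored, yet `SSL_CTX_set_options(ctx, SSL_OP_NO_ANTI_REPLAY);` on the line above the `# ifdef` still executes, so the compat build disables OpenSSL's early-data replay protection on a context for which it claims the feature is unsupported. Moving that call into the `# else` branch next to `SSL_CTX_set_max_early_data(ctx, 0xffffffff);` keeps the compat path to the warning alone, so the TLS context is configured identically to a bind without allow-0rtt. `bind_conf->ssl_conf.early_data` also presumably stays set to 1 after the warning; if other code consults that flag (not visible from this hunk), resetting it in the compat branch would make "ignored" literally true. The closing `# endif /* ! USE_QUIC_OPENSSL_COMPAT */` comment names the else-branch condition, which matches the existing `/* !SSL_OP_NO_ANTI_REPLAY */` style but is worth a second look since the opening directive is `# ifdef`. ssl_quic_initial_ctx starts and ends outside the hunk.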