From a203ce685464988afbd92c8a376fcafae9bab5b5 Mon Sep 17 00:00:00 2001
From: akarl10
Date: Thu, 1 Jan 2026 14:32:56 +0100
Subject: [PATCH] BUG/MINOR: ech/quic: enable ech configuration also for quic listeners

Patch dba4fd24 ("MEDIUM: ssl/ech: config and load keys") introduced ECH configuration for bind lines, but the QUIC configuration parsers still suffers from not using the same code as the TCP/TLS one, so the init for QUIC was missed. Must be backported in 3.3.
---
 src/quic_ssl.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/src/quic_ssl.c b/src/quic_ssl.c
index 2dce68643..c838a5e06 100644
--- a/src/quic_ssl.c
+++ b/src/quic_ssl.c
@@ -10,6 +10,9 @@
 #include
 #include
 #include
+#ifdef USE_ECH
+#include
+#endif
 DECLARE_TYPED_POOL(pool_head_quic_ssl_sock_ctx, "quic_ssl_sock_ctx", struct ssl_sock_ctx);
 const char *default_quic_ciphersuites = "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"
@@ -810,6 +813,20 @@ int ssl_quic_initial_ctx(struct bind_conf *bind_conf)
 cfgerr++;
 #endif
+#ifdef USE_ECH
+ if (bind_conf->ssl_conf.ech_filedir) {
+ int loaded = 0;
+
+ if (load_echkeys(ctx, bind_conf->ssl_conf.ech_filedir, &loaded) != 1) {
+ cfgerr += 1;
+ ha_alert("Proxy '%s': failed to load ECH key s from %s for '%s' at [%s:%d].\n",
+ bind_conf->frontend->id, bind_conf->ssl_conf.ech_filedir,
+ bind_conf->arg, bind_conf->file, bind_conf->line);
+ }
+ }
+#endif
+
+
 return cfgerr;
 }
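Review bot: The new ha_alert() message in the second hunk contains a stray space, "failed to load ECH key s from %s", which will end up verbatim in operator logs; it should read `"Proxy '%s': failed to load ECH keys from %s for '%s' at [%s:%d].\n"`. In the same hunk `cfgerr += 1;` differs from the `cfgerr++;` used on the context line just above, so `cfgerr++;` would keep the function consistent. The `loaded` counter is filled in by load_echkeys() but never examined; if that helper can return 1 with `loaded == 0` (not visible here), a listener whose ECH directory is empty or unreadable would start without ECH and without any diagnostic, so a warning on `loaded == 0`, matching whatever the TCP/TLS path does in its own ECH loading, would make that misconfiguration visible at startup. The body of ssl_quic_initial_ctx() starts outside the hunk, and the `#include` names in the first hunk appear to have been stripped in this rendering rather than in the patch itself.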