From c15129f7dcc4ba837121a7ebe30d13235fe991b8 Mon Sep 17 00:00:00 2001
From: Amaury Denoyelle
Date: Thu, 11 Sep 2025 10:06:26 +0200
Subject: [PATCH] DOC: quic: clarifies limited-quic support

This patch extends the documentation for "limited-quic" global keyword. It mentions first that it relies on USE_QUIC_OPENSSL_COMPAT=1 build option. Compatibility with TLS libraries is now clearly exposed. In particular, it highlights the fact that it is mostly targeted at OpenSSL version prior to 3.5.2, and that it should be disabled if a recent OpenSSL release is available. It also states that limited-quic does nothing if USE_QUIC_OPENSSL_COMPAT is not set during compilation.
---
 doc/configuration.txt | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 4274323d4..0041a5a9c 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -2772,11 +2772,21 @@ key-base ignore "key-base". This option only works with a crt-store load line. limited-quic - This setting must be used to explicitly enable the QUIC listener bindings when - haproxy is compiled against a TLS/SSL stack without QUIC support, typically - OpenSSL. It has no effect when haproxy is compiled against a TLS/SSL stack - with QUIC support, quictls for instance. Note that QUIC 0-RTT is not supported - when this setting is set. + This setting must be used to explicitly enable the QUIC listener bindings + when haproxy is compiled with a version of OpenSSL without QUIC support. It + activates an haproxy internal compatibility layer which must have been + selected at build time with USE_QUIC_OPENSSL_COMPAT=1. This compatibility + layer supports most of the necessary TLS operations, albeit without QUIC + 0-RTT capability. + + This feature is primarily targetted for OpenSSL prior to version 3.5.2, where + QUIC API was not implemented or only partially. The compatibility layer can + still be activated for version 3.5.2 and above, but this is probably + unnecessary. + + If limited-quic is set but the compatibility layer was not selected at build + time, the option is silently ignored and QUIC TLS operations rely on the TLS + library. localpeer Sets the local instance's peer name. It will be ignored if the "-L"
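
Review bot: In the second added paragraph, "but this is probably unnecessary" is weaker than the commit message, which says limited-quic should be disabled when a recent OpenSSL release is available. Since the first added paragraph says the compatibility layer works "albeit without QUIC 0-RTT capability", the text should state plainly that the option is best left unset on 3.5.2 and above, and whether enabling it there still disables 0-RTT. In the last added paragraph, "silently ignored" leaves open what happens to QUIC bindings on a build without USE_QUIC_OPENSSL_COMPAT=1 that is linked against an OpenSSL lacking the QUIC API; say whether the listeners fail to start or the configuration is rejected, so an operator does not assume QUIC is being served. The removed sentence about TLS stacks with QUIC support ("quictls for instance") has no replacement, so the behaviour with non-OpenSSL libraries is no longer documented. Spelling: "targetted for" should read "targeted at".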