MINOR: quic-be: enable the use of 0-RTT

This patch allows the use of the 0-RTT feature on QUIC server lines with the "allow-0rtt"
option. In fact, 0-RTT is really enabled only if ssl_sock_srv_try_reuse_sess()
successfully manages to reuse the SSL session and the chosen application protocol
from previous connections.

Note that, at this time, 0-RTT works only with quictls and aws-lc as TLS stack.

(0-RTT does not work at all (even for QUIC frontends) with libressl).
Frederic Lecaille 2025-08-02 10:46:09 +02:00
parent 477ed7d25b
commit c22e97e8ed
2 changed files with 19 additions and 2 deletions


@ -77,7 +77,8 @@ enum ssl_encryption_level_t {
#if defined(OPENSSL_IS_AWSLC)
#define OPENSSL_NO_DH
#define SSL_CTX_set1_sigalgs_list SSL_CTX_set1_sigalgs_list
#define SSL_CTX_set1_sigalgs_list SSL_CTX_set1_sigalgs_list
#define SSL_set_quic_early_data_enabled SSL_set_early_data_enabled
#endif


@ -1281,7 +1281,23 @@ int qc_alloc_ssl_sock_ctx(struct quic_conn *qc, struct connection *conn)
if (!qc_ssl_set_quic_transport_params(ctx->ssl, qc, quic_version_1, 0))
goto err;
ssl_sock_srv_try_reuse_sess(ctx, srv);
if (!(srv->ssl_ctx.options & SRV_SSL_O_EARLY_DATA))
ssl_sock_srv_try_reuse_sess(ctx, srv);
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) && defined(HAVE_SSL_0RTT_QUIC)
else {
/* Enable early data only if the SSL session, transport parameters
* and application protocol could be reused. This insures the mux is
* correctly selected.
*/
if (ssl_sock_srv_try_reuse_sess(ctx, srv))
SSL_set_quic_early_data_enabled(ctx->ssl, 1);
else {
/* No error here. 0-RTT will not be enabled. */
TRACE_PROTO("Could not reuse SSL session", QUIC_EV_CONN_NEW, qc);
}
}
#endif
SSL_set_connect_state(ctx->ssl);
ssl_err = SSL_do_handshake(ctx->ssl);
TRACE_PROTO("SSL_do_handshake() called", QUIC_EV_CONN_NEW, qc, &ssl_err);
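Review bot: When `SRV_SSL_O_EARLY_DATA` is set but the build lacks 0-RTT support (the `#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) && defined(HAVE_SSL_0RTT_QUIC)` guard is false), the `else` branch compiles away and `ssl_sock_srv_try_reuse_sess(ctx, srv)` is never called, so configuring allow-0rtt on such a build silently disables session resumption for that server — a regression from the removed unconditional call. Making the reuse attempt unconditional and placing only the `SSL_set_quic_early_data_enabled()` call under the guard (sketched below) keeps resumption working on every build; it also emits the "Could not reuse SSL session" trace regardless of the option, which looks harmless since the comment already states it is not an error. The comment should also read "ensures" rather than "insures". qc_alloc_ssl_sock_ctx() begins before and continues past this hunk.
```c
	/* … unchanged: transport parameters setup … */
	if (ssl_sock_srv_try_reuse_sess(ctx, srv)) {
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) && defined(HAVE_SSL_0RTT_QUIC)
		/* Enable early data only if the SSL session, transport parameters
		 * and application protocol could be reused. This ensures the mux is
		 * correctly selected.
		 */
		if (srv->ssl_ctx.options & SRV_SSL_O_EARLY_DATA)
			SSL_set_quic_early_data_enabled(ctx->ssl, 1);
#endif
	}
	else {
		/* No error here. 0-RTT will not be enabled. */
		TRACE_PROTO("Could not reuse SSL session", QUIC_EV_CONN_NEW, qc);
	}
	SSL_set_connect_state(ctx->ssl);
	/* … unchanged: SSL_do_handshake() and trace … */
```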