From c22e97e8ed1cbe54c99b0157970cb8fdf7e6844a Mon Sep 17 00:00:00 2001
From: Frederic Lecaille
Date: Sat, 2 Aug 2025 10:46:09 +0200
Subject: [PATCH] MINOR: quic-be: enable the use of 0-RTT
This patch allows the use of 0-RTT feature on QUIC server lines with "allow-0rtt" option. In fact 0-RTT is really enabled only if ssl_sock_srv_try_reuse_sess() successfully manages to reuse the SSL session and the chosen application protocol from previous connections. Note that, at this time, 0-RTT works only with quictls and aws-lc as TLS stack. (0-RTT does not work at all (even for QUIC frontends) with libressl).
---
 include/haproxy/openssl-compat.h | 3 ++-
 src/quic_ssl.c | 18 +++++++++++++++++-
 2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/include/haproxy/openssl-compat.h b/include/haproxy/openssl-compat.h
index 7b072bec8..0b9bd830d 100644
--- a/include/haproxy/openssl-compat.h
+++ b/include/haproxy/openssl-compat.h
@@ -77,7 +77,8 @@ enum ssl_encryption_level_t {
 #if defined(OPENSSL_IS_AWSLC)
 #define OPENSSL_NO_DH
-#define SSL_CTX_set1_sigalgs_list SSL_CTX_set1_sigalgs_list
+#define SSL_CTX_set1_sigalgs_list SSL_CTX_set1_sigalgs_list
+#define SSL_set_quic_early_data_enabled SSL_set_early_data_enabled
 #endif
diff --git a/src/quic_ssl.c b/src/quic_ssl.c
index dfa25b7ac..5fd336bfc 100644
--- a/src/quic_ssl.c
+++ b/src/quic_ssl.c
@@ -1281,7 +1281,23 @@ int qc_alloc_ssl_sock_ctx(struct quic_conn *qc, struct connection *conn)
 if (!qc_ssl_set_quic_transport_params(ctx->ssl, qc, quic_version_1, 0))
 goto err;
- ssl_sock_srv_try_reuse_sess(ctx, srv);
+ if (!(srv->ssl_ctx.options & SRV_SSL_O_EARLY_DATA))
+ ssl_sock_srv_try_reuse_sess(ctx, srv);
+#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) && defined(HAVE_SSL_0RTT_QUIC)
+ else {
+ /* Enable early data only if the SSL session, transport parameters
+ * and application protocol could be reused. This insures the mux is
+ * correctly selected.
+ */
+ if (ssl_sock_srv_try_reuse_sess(ctx, srv))
+ SSL_set_quic_early_data_enabled(ctx->ssl, 1);
+ else {
+ /* No error here. 0-RTT will not be enabled. */
+ TRACE_PROTO("Could not reuse SSL session", QUIC_EV_CONN_NEW, qc);
+ }
+ }
+#endif
+
 SSL_set_connect_state(ctx->ssl);
 ssl_err = SSL_do_handshake(ctx->ssl);
 TRACE_PROTO("SSL_do_handshake() called", QUIC_EV_CONN_NEW, qc, &ssl_err);
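Review bot: When `allow-0rtt` is set on the server line but the `#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) && defined(HAVE_SSL_0RTT_QUIC)` block is compiled out (libressl, older OpenSSL), the `if (!(srv->ssl_ctx.options & SRV_SSL_O_EARLY_DATA))` guard is left with no `else`, so `ssl_sock_srv_try_reuse_sess()` is never called and ordinary session resumption is silently lost on those builds, although the commit only intends to skip 0-RTT there. Calling the reuse helper unconditionally and keeping only the `SSL_set_quic_early_data_enabled()` decision under the `#if` fixes that and removes the duplicated call in the two branches; the `int reused` local has to be declared at the top of the function, outside this hunk. Since 0-RTT data is replayable by design, a comment at the enable site such as `/* 0-RTT data can be replayed by an on-path attacker; the backend must only act on it for idempotent requests */` would help the next maintainer, as nothing visible here limits what gets sent as early data. Minor: `insures` in the new comment should read `ensures`. `qc_alloc_ssl_sock_ctx()` begins and ends outside this hunk.
```c
	if (!qc_ssl_set_quic_transport_params(ctx->ssl, qc, quic_version_1, 0))
		goto err;

	/* Always try to resume the session: this is independent of 0-RTT support. */
	reused = ssl_sock_srv_try_reuse_sess(ctx, srv);
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) && defined(HAVE_SSL_0RTT_QUIC)
	if (srv->ssl_ctx.options & SRV_SSL_O_EARLY_DATA) {
		/* Enable early data only if the SSL session, transport parameters
		 * and application protocol could be reused. This ensures the mux is
		 * correctly selected. 0-RTT data can be replayed by an on-path
		 * attacker; the backend must only act on it for idempotent requests.
		 */
		if (reused)
			SSL_set_quic_early_data_enabled(ctx->ssl, 1);
		else
			TRACE_PROTO("Could not reuse SSL session", QUIC_EV_CONN_NEW, qc);
	}
#endif

	/* … unchanged: SSL_set_connect_state() and SSL_do_handshake() … */
```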