From cb3d5ac54d81e9ac289bc3bfa0511c4f5e0bc7f0 Mon Sep 17 00:00:00 2001
From: Frederic Lecaille
Date: Mon, 1 Dec 2025 16:42:52 +0100
Subject: [PATCH] BUG/MINOR: quic-be: missing connection stream closure upon TLS alert to send This is the same issue as the one fixed by this commit: BUG/MINOR: quic-be: handshake errors without connection stream closure But this time this is when the client has to send an alert to the server. The fix consists in creating the mux after having set the handshake connection error flag and error_code. This bug was revealed by ssl/set_ssl_cafile.vtc reg test. Depends on this commit: MINOR: quic: avoid code duplication in TLS alert callback Must be backported to 3.3
---
 src/quic_ssl.c | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/src/quic_ssl.c b/src/quic_ssl.c
index 155e9e8ec..c1fcfe23b 100644
--- a/src/quic_ssl.c
+++ b/src/quic_ssl.c
@@ -171,6 +171,15 @@ static int ha_quic_send_alert(SSL *ssl, enum ssl_encryption_level_t level, uint8
 TRACE_PROTO("Received TLS alert", QUIC_EV_CONN_SSLALERT, qc, &alert, &level);
 quic_set_tls_alert(qc, alert);
+ if (qc->conn) {
+ ssl_sock_handle_hs_error(qc->conn);
+ if (objt_server(qc->conn->target) && !qc->conn->mux) {
+ /* This has as side effect to close the connection stream */
+ if (conn_create_mux(qc->conn, NULL) >= 0)
+ qc->conn->mux->wake(qc->conn);
+ }
+ }
+
 TRACE_LEAVE(QUIC_EV_CONN_SSLALERT, qc);
 return 1;
 }
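Review bot: The failure branch of `conn_create_mux(qc->conn, NULL)` in the added block is silent: when it returns a negative value no mux exists, nothing is traced, and, going by the comment just above it, the connection stream is presumably left open, which is the condition this fix targets. An `else TRACE_ERROR("mux creation failed", QUIC_EV_CONN_SSLALERT, qc);` would at least make that case visible in traces. The return value of `qc->conn->mux->wake(qc->conn)` is also dropped, and this runs inside the TLS alert callback, so if wake can release the connection the handshake code further up the stack must not touch `qc->conn` afterwards; a short comment stating why that is safe here would help. Note too that `ssl_sock_handle_hs_error(qc->conn)` is now called for any non-NULL `qc->conn`, not only when `objt_server()` matches, so the comment should say whether that is intended for frontend connections. The start of ha_quic_send_alert lies outside the hunk, so earlier guards on `qc` are not visible here.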