From d293cc62dc119033061ca7cb87e15d0aa062220d Mon Sep 17 00:00:00 2001
From: Amaury Denoyelle
Date: Tue, 9 Sep 2025 17:19:13 +0200
Subject: [PATCH] MINOR: quic: display build warning for compat layer on recent OpenSSL
Build option USE_QUIC_OPENSSL_COMPAT=1 must be set to activate QUIC support for OpenSSL prior to version 3.5.2. This compiles an internal compatibility layer, which must be then activated at runtime with global option limited-quic. Starting from OpenSSL version 3.5.2, a proper QUIC TLS API is now exposed. Thus, the compatibility layer is unneeded. However it can still be compiled against newer OpenSSL releases and activated at runtime, mostly for test purpose. As this compatibility layer has some limitations, (no support for QUIC 0-RTT), it's important that users notice this situation and disable it if possible. Thus, this patch adds a notice warning when USE_QUIC_OPENSSL_COMPAT=1 is set when building against OpenSSL 3.5.2 and above. This should be sufficient for users and packagers to understand that this option is not necessary anymore. Note that USE_QUIC_OPENSSL_COMPAT=1 is incompatible with others TLS library which exposed a QUIC API based on original BoringSSL patches set. A build error will prevent the compatibility layer to be built. limited-quic option is thus silently ignored.
---
 include/haproxy/quic_openssl_compat.h | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/include/haproxy/quic_openssl_compat.h b/include/haproxy/quic_openssl_compat.h
index 837a28d53..7147a6ff9 100644
--- a/include/haproxy/quic_openssl_compat.h
+++ b/include/haproxy/quic_openssl_compat.h
@@ -7,6 +7,11 @@
 #include
 #include
+/* Warn about native support in OpenSSL. */
+#if (OPENSSL_VERSION_NUMBER >= 0x30500020L)
+# pragma message "QUIC OpenSSL compat layer is unnecessary starting from OpenSSL 3.5.2 and newer."
+#endif
+
 #define QUIC_OPENSSL_COMPAT_SSL_TP_EXT 0x39 /* Used by keylog */
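Review bot: The added `#if (OPENSSL_VERSION_NUMBER >= 0x30500020L)` tests only the library version, so the notice is limited to compat-layer builds only if this part of the header already sits inside a `USE_QUIC_OPENSSL_COMPAT` guard, which the hunk does not show. If it does not, make the condition explicit with `#if defined(USE_QUIC_OPENSSL_COMPAT) && (OPENSSL_VERSION_NUMBER >= 0x30500020L)`. Because the pragma lives in a header, it will presumably be printed once for every translation unit that includes it; placing it in a single .c file of the compat layer would keep the build log to one notice. The message could also state what the commit description says users need to know, for example `# pragma message "USE_QUIC_OPENSSL_COMPAT is unnecessary with OpenSSL >= 3.5.2 (native QUIC API available); the compat layer has no QUIC 0-RTT support."`.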