MINOR: quic-be: TLS version restriction to 1.3

This patch skips the TLS version settings. They have the side effect of adding
all the TLS version extensions (TLS 1.0 to TLS 1.3) to the ClientHello message.
QUIC supports only TLS 1.3.
This commit is contained in:
Frederic Lecaille 2025-07-04 16:38:06 +02:00
parent 93a94ba87b
commit e76f1ad171


@ -4492,6 +4492,10 @@ static int ssl_sock_prepare_srv_ssl_ctx(const struct server *srv, SSL_CTX *ctx)
#endif
X509_STORE *store = SSL_CTX_get_cert_store(ctx);
/* QUIC supports only TLS 1.3. Skip these TLS versions settings. */
if (srv_is_quic(srv))
goto options;
if (conf_ssl_methods->flags && (conf_ssl_methods->min || conf_ssl_methods->max))
ha_warning("no-sslv3/no-tlsv1x are ignored for this server. "
"Use only 'ssl-min-ver' and 'ssl-max-ver' to fix.\n");
@ -4549,6 +4553,7 @@ static int ssl_sock_prepare_srv_ssl_ctx(const struct server *srv, SSL_CTX *ctx)
methodVersions[max].ctx_set_version(ctx, SET_MAX);
#endif
options:
if (srv->ssl_ctx.options & SRV_SSL_O_NO_TLS_TICKETS)
options |= SSL_OP_NO_TICKET;
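Review bot: The `goto options` taken when `srv_is_quic(srv)` skips the whole min/max version block silently, including the `ha_warning` right below it, so a QUIC server configured with `ssl-min-ver`/`ssl-max-ver` or `no-tlsv1x` gets no diagnostic that those settings are ignored. It is also not visible in these hunks whether the QUIC context is pinned to TLS 1.3 elsewhere; if it is not, the jump leaves the library's default version range in place rather than restricting it, which is the opposite of what the commit title states. I would make the restriction explicit at the jump site, `SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION); SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION);`, and emit a warning when `conf_ssl_methods->min || conf_ssl_methods->max` is set for a QUIC server, mirroring the existing warning for the ignored `no-tlsv1x` flags. The enclosing function ssl_sock_prepare_srv_ssl_ctx starts before the first hunk and continues past the second.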