BUG/MEDIUM: quic: SSL/TCP handshake failures with OpenSSL 3.5

This bug arrived with this commit:

    MINOR: quic: OpenSSL 3.5 internal QUIC custom extension for transport parameters reset

To make QUIC connections succeed with the OpenSSL 3.5 API, a call to quic_ssl_set_tls_cbs()
was needed from several callbacks which call SSL_set_SSL_CTX(). This has as a side effect
to set the QUIC callbacks used by the OpenSSL 3.5 API.

But quic_ssl_set_tls_cbs() was also called for TCP sessions, leading the SSL stack
to run QUIC code if QUIC support is enabled.

To fix this, simply ignore the TCP connections by inspecting the <ssl_qc_app_data_index>
index value, which is NULL for such connections.

Must be backported to 3.2.
Frederic Lecaille 2025-07-07 12:01:22 +02:00
parent d0bd0595da
commit fb0324eb09


@ -1095,6 +1095,12 @@ int qc_ssl_provide_all_quic_data(struct quic_conn *qc, struct ssl_sock_ctx *ctx)
/* Simple helper to set the specifig OpenSSL/quictls QUIC API callbacks */ /* Simple helper to set the specifig OpenSSL/quictls QUIC API callbacks */
int quic_ssl_set_tls_cbs(SSL *ssl) int quic_ssl_set_tls_cbs(SSL *ssl)
{ {
struct quic_conn *qc = SSL_get_ex_data(ssl, ssl_qc_app_data_index);
/* Ignore the TCP connections */
if (!qc)
return 1;
#ifdef HAVE_OPENSSL_QUIC #ifdef HAVE_OPENSSL_QUIC
return SSL_set_quic_tls_cbs(ssl, ha_quic_dispatch, NULL); return SSL_set_quic_tls_cbs(ssl, ha_quic_dispatch, NULL);
#else #else
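Review bot: the early `if (!qc) return 1;` at the top of quic_ssl_set_tls_cbs() makes the helper's correctness depend on SSL_set_ex_data() with ssl_qc_app_data_index having already run on every QUIC SSL object before this call; if that ordering is ever broken for a QUIC connection, the function returns 1 (success) without installing any QUIC callbacks, so the failure only surfaces later as an opaque handshake error rather than at the call site. Consider recording that assumption next to the check, e.g. `/* Ignore the TCP connections: ex_data is only set for QUIC SSL objects */`, or distinguishing "no qc attached" from "TCP" so a QUIC caller can report the misordering instead of silently succeeding. Nit: the "specifig" typo in the helper's comment sits in this hunk's context line and could be corrected to "specific" while here.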