mirror of
https://git.haproxy.org/git/haproxy.git/
synced 2025-11-28 06:11:32 +01:00
1b03f8016d
Highly inspired from nginx openssl wrapper code. This wrapper implement this list of functions: SSL_set_quic_method(), SSL_quic_read_level(), SSL_quic_write_level(), SSL_set_quic_transport_params(), SSL_provide_quic_data(), SSL_process_quic_post_handshake() and SSL_QUIC_METHOD QUIC specific bio method which are also implemented by quictls to support QUIC from OpenSSL. So, its aims is to support QUIC from a standard OpenSSL stack without QUIC support. It relies on the OpenSSL keylog feature to retreive the secrets derived by the OpenSSL stack during a handshake and to pass them to the ->set_encryption_secrets() callback as this is done by quictls. It makes usage of a callback (quic_tls_compat_msg_callback()) to handle some TLS messages only on the receipt path. Some of them must be passed to the ->add_handshake_data() callback as this is done with quictls to be sent to the peer as CRYPTO data. quic_tls_compat_msg_callback() callback also sends the received TLS alert with ->send_alert() callback. AES 128-bits with CCM mode is not supported at this time. It is often disabled by the OpenSSL stack, but as it can be enabled by "ssl-default-bind-ciphersuites", the wrapper will send a TLS alerts (Handhshake failure) if this algorithm is negotiated between the client and the server. 0rtt is also not supported by this wrapper.