mirror of
https://git.haproxy.org/git/haproxy.git/
synced 2025-12-06 10:11:00 +01:00
This patch impacts both the QUIC frontends and listeners. Before this patch, "ssl-default-bind-ciphersuites" and "ssl-default-bind-curves" were ignored by QUIC. For the backend, "ssl-default-server-ciphersuites" and "ssl-default-server-curves" were not ignored but set from ssl_quic_srv_new_ssl_ctx(), which is QUIC specific, in place of ssl_sock_init_srv() as is done for TCP.

Rename the <quic_ciphers> global variable to <default_quic_ciphersuites> and <quic_groups> to <default_quic_curves> to reflect the OpenSSL API naming.

On the frontend side, add support for the "ssl-default-bind-ciphersuites" and "ssl-default-bind-curves" global options and the "ciphersuites" and "curves" "bind" options. These options are taken into account by ssl_quic_initial_ctx(), which inspects these four variables before calling SSL_CTX_set_ciphersuites() and SSL_CTX_set_curves(). Note that the bind_conf struct is not modified when no "ciphersuites" or "curves" option is used on "bind" lines.

Idem on the backend side: rely on ssl_sock_init_srv() to set the server ciphersuites and curves. This function is modified to use respectively <default_quic_ciphersuites> and <default_quic_curves> if no ciphersuites and curves were set by "ssl-default-server-ciphersuites" and "ssl-default-server-curves" as global options or by "ciphersuites" and "curves" as "server" line options.

Thanks to @rwagoner for having reported this issue in GH #3194 when using an OpenSSL 3.5.4 stack with FIPS support.

Must be backported as far as 2.6.
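As an added example, not part of the commit or of the HAProxy tree, the configuration below exercises the four settings this patch wires into QUIC: global bind defaults that now apply to QUIC listeners, a per-"bind" override, and the server-side equivalents resolved through ssl_sock_init_srv(). Cipher suite and group names are OpenSSL TLS 1.3 identifiers; the certificate and CA paths are placeholders, and the quic4@ address prefix on the "server" lines is assumed to follow the same convention as on "bind" lines.

```haproxy
global
    # Defaults for listeners. Before the patch QUIC ignored both lines;
    # after it ssl_quic_initial_ctx() applies them unless a bind line overrides.
    ssl-default-bind-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-curves X25519:P-256
    # Defaults for outgoing connections, applied by ssl_sock_init_srv() for QUIC as for TCP
    ssl-default-server-ciphersuites TLS_AES_256_GCM_SHA384
    ssl-default-server-curves P-256:P-384

frontend fe_h3
    # Inherits the global ssl-default-bind-* values
    bind quic4@:443 ssl crt /etc/haproxy/certs/site.pem alpn h3
    # Per-bind override: this listener negotiates a single suite and a single group
    bind quic4@:8443 ssl crt /etc/haproxy/certs/site.pem alpn h3 ciphersuites TLS_AES_256_GCM_SHA384 curves P-384
    default_backend be_h3

backend be_h3
    # s1 inherits ssl-default-server-*; s2 overrides them on the server line
    # (quic4@ prefix on server lines is an assumption in this example)
    server s1 quic4@10.0.0.10:443 ssl verify required ca-file /etc/ssl/certs/ca.pem alpn h3
    server s2 quic4@10.0.0.11:443 ssl verify required ca-file /etc/ssl/certs/ca.pem alpn h3 ciphersuites TLS_CHACHA20_POLY1305_SHA256 curves X25519
```

Check the file with `haproxy -c -f <file>` before reloading. With a FIPS-enabled OpenSSL, as in the report that motivated the patch, a suite or group the provider does not offer makes SSL_CTX_set_ciphersuites() or SSL_CTX_set_curves() fail at startup rather than silently falling back, which is why an explicit, provider-compatible list at the global level is the safer default.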