Skip to content

Commit 5413c76

Browse files
haproxyFredhaproxyFred
committed
MINOR: quic: OpenSSL 3.5 internal QUIC custom extension for tranport parameter reset
A QUIC must sent its transport parameter using a TLS custom extention. This extension is reset by SSL_set_SSL_CTX(). It can be restored calling quic_ssl_set_tls_cbs() (which calls SSL_set_quic_tls_cbs()).
1 parent 5075a21 commit 5413c76

File tree

2 files changed

+16
-1
lines changed

2 files changed

+16
-1
lines changed

src/ssl_clienthello.c

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -16,6 +16,7 @@
1616
#include <haproxy/proto_tcp.h>
1717
#include <haproxy/quic_conn.h>
1818
#include <haproxy/quic_openssl_compat.h>
19+
#include <haproxy/quic_ssl.h>
1920
#include <haproxy/quic_tp.h>
2021
#include <haproxy/ssl_ckch.h>
2122
#include <haproxy/ssl_gencert.h>
@@ -28,6 +29,9 @@ static void ssl_sock_switchctx_set(SSL *ssl, SSL_CTX *ctx)
2829
SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ctx), ssl_sock_bind_verifycbk);
2930
SSL_set_client_CA_list(ssl, SSL_dup_CA_list(SSL_CTX_get_client_CA_list(ctx)));
3031
SSL_set_SSL_CTX(ssl, ctx);
32+
#if defined(USE_QUIC) && defined(HAVE_OPENSSL_QUIC)
33+
quic_ssl_set_tls_cbs(ssl);
34+
#endif
3135
}
3236

3337
/*

src/ssl_gencert.c

Lines changed: 12 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -12,6 +12,7 @@
1212

1313
#include <haproxy/errors.h>
1414
#include <haproxy/openssl-compat.h>
15+
#include <haproxy/quic_ssl.h>
1516
#include <haproxy/ssl_ckch.h>
1617
#include <haproxy/ssl_sock.h>
1718
#include <haproxy/xxhash.h>
@@ -284,8 +285,12 @@ SSL_CTX *ssl_sock_assign_generated_cert(unsigned int key, struct bind_conf *bind
284285
HA_RWLOCK_WRLOCK(SSL_GEN_CERTS_LOCK, &ssl_ctx_lru_rwlock);
285286
lru = lru64_lookup(key, ssl_ctx_lru_tree, bind_conf->ca_sign_ckch->cert, 0);
286287
if (lru && lru->domain) {
287-
if (ssl)
288+
if (ssl) {
288289
SSL_set_SSL_CTX(ssl, (SSL_CTX *)lru->data);
290+
#if defined(USE_QUIC) && defined(HAVE_OPENSSL_QUIC)
291+
quic_ssl_set_tls_cbs(ssl);
292+
#endif
293+
}
289294
HA_RWLOCK_WRUNLOCK(SSL_GEN_CERTS_LOCK, &ssl_ctx_lru_rwlock);
290295
return (SSL_CTX *)lru->data;
291296
}
@@ -354,12 +359,18 @@ int ssl_sock_generate_certificate(const char *servername, struct bind_conf *bind
354359
lru64_commit(lru, ssl_ctx, cacert, 0, (void (*)(void *))SSL_CTX_free);
355360
}
356361
SSL_set_SSL_CTX(ssl, ssl_ctx);
362+
#if defined(USE_QUIC) && defined(HAVE_OPENSSL_QUIC)
363+
quic_ssl_set_tls_cbs(ssl);
364+
#endif
357365
HA_RWLOCK_WRUNLOCK(SSL_GEN_CERTS_LOCK, &ssl_ctx_lru_rwlock);
358366
return 1;
359367
}
360368
else {
361369
ssl_ctx = ssl_sock_do_create_cert(servername, bind_conf, ssl);
362370
SSL_set_SSL_CTX(ssl, ssl_ctx);
371+
#if defined(USE_QUIC) && defined(HAVE_OPENSSL_QUIC)
372+
quic_ssl_set_tls_cbs(ssl);
373+
#endif
363374
/* No LRU cache, this CTX will be released as soon as the session dies */
364375
SSL_CTX_free(ssl_ctx);
365376
return 1;

0 commit comments

Comments
 (0)