RepoMirrors/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git/ synced 2025-01-03 02:32:03 +00:00
Code Issues Packages Projects Releases Wiki Activity

MINOR: quic+openssl_compat: Do not start without "limited-quic"

Browse Source 
Add a check for limited-quic in check_config_validity() when compiled
with USE_QUIC_OPENSSL_COMPAT so that we prevent a config from starting
accidentally with limited QUIC support. If a QUIC listener is found
when using the compatibility mode and limited-quic is not set, an error
message is reported explaining that the SSL library is not compatible
and proposing the user to enable limited-quic if that's what they want,
and the startup fails.

This partially reverts commit 7c730803d ("MINOR: quic: Warning for
OpenSSL wrapper QUIC bindings without "limited-quic"") since a warning
was not sufficient.
This commit is contained in:
Frdric Lcaille 2023-08-17 10:15:09 +02:00 committed by Willy Tarreau
parent cd97ba147c
commit 0e13325f23
2 changed files with 15 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
src/cfgparse.c
View File

@ -4284,6 +4284,7 @@ init_proxies_list_stage2:
} }
/* adjust this proxy's listeners */ /* adjust this proxy's listeners */
bind_conf = NULL;
next_id = 1; next_id = 1;
list_for_each_entry(listener, &curproxy->conf.listeners, by_fe) { list_for_each_entry(listener, &curproxy->conf.listeners, by_fe) {
if (!listener->luid) { if (!listener->luid) {
@ -4312,6 +4313,20 @@ init_proxies_list_stage2:
cfgerr++; cfgerr++;
} }
} }
# ifdef USE_QUIC_OPENSSL_COMPAT
/* store the last checked bind_conf in bind_conf */
if (!(global.tune.options & GTUNE_NO_QUIC) &&
!(global.tune.options & GTUNE_LIMITED_QUIC) &&
listener->bind_conf != bind_conf) {
bind_conf = listener->bind_conf;
ha_alert("Binding [%s:%d] for %s %s: this SSL library does not support the "
"QUIC protocol. A limited compatibility layer may be enabled using "
"the \"limited-quic\" global option if desired.\n",
listener->bind_conf->file, listener->bind_conf->line,
proxy_type_str(curproxy), curproxy->id);
cfgerr++;
}
# endif
li_init_per_thr(listener); li_init_per_thr(listener);
} }

13
src/protocol.c
View File

@ -120,21 +120,8 @@ int protocol_supports_flag(struct protocol *proto, uint flag)
*/ */
static inline int protocol_may_bind_quic(struct listener *l) static inline int protocol_may_bind_quic(struct listener *l)
{ {
#ifdef USE_QUIC_OPENSSL_COMPAT
struct proxy *px = l->bind_conf->frontend;
#endif
if (global.tune.options & GTUNE_NO_QUIC) if (global.tune.options & GTUNE_NO_QUIC)
return 0; return 0;
#ifdef USE_QUIC_OPENSSL_COMPAT
if (!(global.tune.options & GTUNE_LIMITED_QUIC)) {
ha_warning("Binding [%s:%d] for %s %s: receiving socket not bound"
" (\"limited-quic\" global option is not set)\n",
l->bind_conf->file, l->bind_conf->line,
proxy_type_str(px), px->id);
return 0;
}
#endif
return 1; return 1;
} }
#endif #endif