BUG/MINOR: ssl: do not try to use early data if not configured

The CO_FL_EARLY_SSL_HS flag was unconditionally set on the connection,
resulting in SSL_read_early_data() always being used first in handshake
calculations. While this seems to work well (probably because there are
fallback paths inside openssl), it's particularly confusing and makes
the debugging quite complicated. It possibly is not optimal by the way.

This flag ought to be set only when early_data is configured on the bind
line. Apparently there used to be a good reason for doing it this way in
1.8 times, but it really does not make sense anymore. It may be OK to
backport this to 2.3 if this helps with troubleshooting, but better not
go too far as it's unlikely to fix any real issue while it could introduce
some in old versions.
Willy Tarreau 2021-02-03 11:21:38 +01:00
parent 23296f92f4
commit a84986ae4f


@ -5311,7 +5311,8 @@ static int ssl_sock_init(struct connection *conn, void **xprt_ctx)
/* leave init state and start handshake */
conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN;
#ifdef SSL_READ_EARLY_DATA_SUCCESS
conn->flags |= CO_FL_EARLY_SSL_HS;
if (bc->ssl_conf.early_data)
conn->flags |= CO_FL_EARLY_SSL_HS;
#endif
_HA_ATOMIC_ADD(&sslconns, 1);
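Review bot: the new condition dereferences `bc->ssl_conf.early_data`, but the hunk does not show where `bc` is assigned, so confirm that every path reaching this point in ssl_sock_init() has a valid non-NULL bind_conf (the server-side initialisation must not fall through to here). Since CO_FL_EARLY_SSL_HS now decides whether SSL_read_early_data() or the plain handshake is tried first, it is worth exercising both configurations, a bind line with `early_data` and one without, to check that the non-early-data handshake path still behaves as before, and the commit message could mention that the behaviour on libraries without SSL_READ_EARLY_DATA_SUCCESS is unchanged.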