From df3231c74a6ab18f7b7c9e98851ff8ef672ae04f Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Fri, 2 Sep 2022 09:02:21 +0200
Subject: [PATCH] MEDIUM: httpclient: enable ALPN support on outgoing https
 connections

Since everything is available for this, let's enable ALPN with the
usual "h2,http/1.1" on the https server. This will allow HTTPS requests
to use HTTP/2 when available.

It may be needed to permit to disable this (or to set the string) in
case some client code explicitly checks for the "HTTP/1.1" string, but
since httpclient is quite young it's unlikely that such code already
exists.
---
 src/http_client.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/http_client.c b/src/http_client.c
index 72acd7f43..c3a8d490c 100644
--- a/src/http_client.c
+++ b/src/http_client.c
@@ -32,7 +32,7 @@
 #include <haproxy/resolvers.h>
 #include <haproxy/sc_strm.h>
 #include <haproxy/server.h>
-#include <haproxy/ssl_sock-t.h>
+#include <haproxy/ssl_sock.h>
 #include <haproxy/sock_inet.h>
 #include <haproxy/stconn.h>
 #include <haproxy/tools.h>
@@ -1186,6 +1186,12 @@ static int httpclient_precheck()
 		goto err;
 	}
 
+#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
+	if (ssl_sock_parse_alpn("h2,http/1.1", &httpclient_srv_ssl->ssl_ctx.alpn_str, &httpclient_srv_ssl->ssl_ctx.alpn_len, &errmsg) != 0) {
+		err_code |= ERR_ALERT | ERR_FATAL;
+		goto err;
+	}
+#endif
 	httpclient_srv_ssl->ssl_ctx.verify = httpclient_ssl_verify;
 	/* if the verify is required, try to load the system CA */
 	if (httpclient_ssl_verify == SSL_SOCK_VERIFY_REQUIRED) {