commit 9f01534cd68de78c74b50d7b8def07a72c2a3b49
Author: Olivier Houchard <ohouchard@haproxy.com>
Date:   Wed Jan 2 18:46:41 2019 +0100

    BUG/MEDIUM: ssl: Disable anti-replay protection and set max data with 0RTT.
    
    When using early data, disable the OpenSSL anti-replay protection, and set
    the max amount of early data we're ready to accept, based on the size of
    buffers, or early data won't work with the released OpenSSL 1.1.1.
    
    This should be backported to 1.8.
    
    (cherry picked from commit 51088ce68fee0bae52118d6823873417046f9efe)
    Signed-off-by: Willy Tarreau <w@1wt.eu>
    (cherry picked from commit 6703b633078b6bae12395ee3e310427b37965d68)
    Signed-off-by: William Lallemand <wlallemand@haproxy.org>

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 24ccc4b1..11655533 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -3821,6 +3821,10 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf)
 	SSL_CTX_set_select_certificate_cb(ctx, ssl_sock_switchctx_cbk);
 	SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk);
 #elif (OPENSSL_VERSION_NUMBER >= 0x10101000L)
+	if (bind_conf->ssl_conf.early_data) {
+		SSL_CTX_set_options(ctx, SSL_OP_NO_ANTI_REPLAY);
+		SSL_CTX_set_max_early_data(ctx, global.tune.bufsize - global.tune.maxrewrite);
+	}
 	SSL_CTX_set_client_hello_cb(ctx, ssl_sock_switchctx_cbk, NULL);
 	SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk);
 #else