512411108c
- Add new patches (see https://www.haproxy.org/bugs/bugs-1.8.17.html) - Raise PKG_RELEASE to 2 - Prefix patches with 3-digit numbers instead of 4-digit numbers Signed-off-by: Christian Lachner <gladiac@gmail.com>
32 lines
1.4 KiB
Diff
32 lines
1.4 KiB
Diff
commit 9f01534cd68de78c74b50d7b8def07a72c2a3b49
|
|
Author: Olivier Houchard <ohouchard@haproxy.com>
|
|
Date: Wed Jan 2 18:46:41 2019 +0100
|
|
|
|
BUG/MEDIUM: ssl: Disable anti-replay protection and set max data with 0RTT.
|
|
|
|
When using early data, disable the OpenSSL anti-replay protection, and set
|
|
the max amount of early data we're ready to accept, based on the size of
|
|
buffers, or early data won't work with the released OpenSSL 1.1.1.
|
|
|
|
This should be backported to 1.8.
|
|
|
|
(cherry picked from commit 51088ce68fee0bae52118d6823873417046f9efe)
|
|
Signed-off-by: Willy Tarreau <w@1wt.eu>
|
|
(cherry picked from commit 6703b633078b6bae12395ee3e310427b37965d68)
|
|
Signed-off-by: William Lallemand <wlallemand@haproxy.org>
|
|
|
|
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
|
|
index 24ccc4b1..11655533 100644
|
|
--- a/src/ssl_sock.c
|
|
+++ b/src/ssl_sock.c
|
|
@@ -3821,6 +3821,10 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf)
|
|
SSL_CTX_set_select_certificate_cb(ctx, ssl_sock_switchctx_cbk);
|
|
SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk);
|
|
#elif (OPENSSL_VERSION_NUMBER >= 0x10101000L)
|
|
+ if (bind_conf->ssl_conf.early_data) {
|
|
+ SSL_CTX_set_options(ctx, SSL_OP_NO_ANTI_REPLAY);
|
|
+ SSL_CTX_set_max_early_data(ctx, global.tune.bufsize - global.tune.maxrewrite);
|
|
+ }
|
|
SSL_CTX_set_client_hello_cb(ctx, ssl_sock_switchctx_cbk, NULL);
|
|
SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk);
|
|
#else
|