From 2e16bafec4adf26300346f6fc58a02845c9c2139 Mon Sep 17 00:00:00 2001 From: Frederic Lecaille Date: Tue, 16 Jan 2024 10:17:27 +0100 Subject: [PATCH] BUG/MEDIUM: quic: keylog callback not called (USE_OPENSSL_COMPAT) This bug impacts only the QUIC OpenSSL compatibility module (USE_QUIC_OPENSSL_COMPAT) and it was introduced by this commit: BUG/MINOR: quic: Wrong keylog callback setting. quic_tls_compat_keylog_callback() callback was no more set when the SSL keylog was enabled by tune.ssl.keylog setting. This is the callback which sets the TLS secrets into haproxy. Set it again when the SSL keylog is not enabled by configuration. Thank you to @Greg57070 for having reported this issue in GH #2412. Must be backported as far as 2.8. (cherry picked from commit 0eaf42a2a47f2ee73045e48274ed98e00aa44dba) Signed-off-by: Christopher Faulet --- src/quic_openssl_compat.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/quic_openssl_compat.c b/src/quic_openssl_compat.c index 2a8f83d..d914ac4 100644 --- a/src/quic_openssl_compat.c +++ b/src/quic_openssl_compat.c @@ -61,6 +61,12 @@ int quic_tls_compat_init(struct bind_conf *bind_conf, SSL_CTX *ctx) if (bind_conf->xprt != xprt_get(XPRT_QUIC)) return 1; + /* This callback is already registered if the TLS keylog is activated for + * traffic decryption analysis. + */ + if (!global_ssl.keylog) + SSL_CTX_set_keylog_callback(ctx, quic_tls_compat_keylog_callback); + if (SSL_CTX_has_client_custom_ext(ctx, QUIC_OPENSSL_COMPAT_SSL_TP_EXT)) return 1; -- 1.7.10.4
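Review bot: the comment above the new `if (!global_ssl.keylog)` guard states that the callback is "already registered" when the TLS keylog is enabled, but nothing in this hunk shows where that happens, and the ordering matters because SSL_CTX_set_keylog_callback() holds a single callback per SSL_CTX, so whichever registration runs last silently replaces the other. Suggest naming in the comment the function that installs the keylog callback in the tune.ssl.keylog case and stating that it must also deliver the secrets to quic_tls_compat_keylog_callback (or do the equivalent work), since the regression this patch fixes came from exactly that coupling; something like `/* When global_ssl.keylog is set, [keylog-setup function] installs the callback and must also feed the QUIC compat secrets. */` would make the dependency visible to the next person touching either path. Minor: the new block sits before the SSL_CTX_has_client_custom_ext() early return, so it is re-executed on a repeated init of the same ctx; that is harmless because setting the callback is idempotent, but placing it after that check would keep the one-time initialisation together.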