BUG/MEDIUM: quic: keylog callback not called (USE_OPENSSL_COMPAT)

This bug impacts only the QUIC OpenSSL compatibility module (USE_QUIC_OPENSSL_COMPAT) and it was introduced by this commit: BUG/MINOR: quic: Wrong keylog callback setting. quic_tls_compat_keylog_callback() callback was no more set when the SSL keylog was enabled by tune.ssl.keylog setting. This is the callback which sets the TLS secrets into haproxy. Set it again when the SSL keylog is not enabled by configuration. Thank you to @Greg57070 for having reported this issue in GH haproxy#2412. Must be backported as far as 2.8. (cherry picked from commit 0eaf42a) Signed-off-by: Christopher Faulet <[email protected]>
FireBurn · Jan 17, 2024 · 2e16baf · 2e16baf
1 parent 4216dfd
commit 2e16baf
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/src/quic_openssl_compat.c b/src/quic_openssl_compat.c
@@ -61,6 +61,12 @@ int quic_tls_compat_init(struct bind_conf *bind_conf, SSL_CTX *ctx)
 	if (bind_conf->xprt != xprt_get(XPRT_QUIC))
 		return 1;
 
+	/* This callback is already registered if the TLS keylog is activated for
+	 * traffic decryption analysis.
+	 */
+	if (!global_ssl.keylog)
+		SSL_CTX_set_keylog_callback(ctx, quic_tls_compat_keylog_callback);
+
 	if (SSL_CTX_has_client_custom_ext(ctx, QUIC_OPENSSL_COMPAT_SSL_TP_EXT))
 		return 1;