diff --git a/daemon/daemon.c b/daemon/daemon.c index 1c8272b14..9e1d5d4f7 100644 --- a/daemon/daemon.c +++ b/daemon/daemon.c @@ -956,6 +956,9 @@ daemon_delete(struct daemon* daemon) listen_sslctx_delete_ticket_keys(); SSL_CTX_free((SSL_CTX*)daemon->listen_sslctx); SSL_CTX_free((SSL_CTX*)daemon->connect_sslctx); +#endif +#ifdef HAVE_NGTCP2 + SSL_CTX_free((SSL_CTX*)daemon->quic_sslctx); #endif free(daemon); /* lex cleanup */ diff --git a/daemon/daemon.h b/daemon/daemon.h index fc1bde713..f93887e3d 100644 --- a/daemon/daemon.h +++ b/daemon/daemon.h @@ -99,6 +99,8 @@ struct daemon { struct daemon_remote* rc; /** ssl context for listening to dnstcp over ssl, and connecting ssl */ void* listen_sslctx, *connect_sslctx; + /** ssl context for listening to quic */ + void* quic_sslctx; /** num threads allocated */ int num; /** num threads allocated in the previous config or 0 at first */ diff --git a/daemon/unbound.c b/daemon/unbound.c index 306fe6caf..f394fbde3 100644 --- a/daemon/unbound.c +++ b/daemon/unbound.c @@ -494,8 +494,9 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode, fatal_exit("could not set up remote-control"); if(cfg->ssl_service_key && cfg->ssl_service_key[0]) { if(!(daemon->listen_sslctx = listen_sslctx_create( - cfg->ssl_service_key, cfg->ssl_service_pem, NULL))) + cfg->ssl_service_key, cfg->ssl_service_pem, NULL))) { fatal_exit("could not set up listen SSL_CTX"); + } if(cfg->tls_ciphers && cfg->tls_ciphers[0]) { if (!SSL_CTX_set_cipher_list(daemon->listen_sslctx, cfg->tls_ciphers)) { fatal_exit("failed to set tls-cipher %s", cfg->tls_ciphers); @@ -507,18 +508,24 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode, fatal_exit("failed to set tls-ciphersuites %s", cfg->tls_ciphersuites); } } -#endif +#endif /* HAVE_SSL_CTX_SET_CIPHERSUITES */ if(cfg->tls_session_ticket_keys.first && cfg->tls_session_ticket_keys.first->str[0] != 0) { if(!listen_sslctx_setup_ticket_keys(daemon->listen_sslctx, cfg->tls_session_ticket_keys.first)) { fatal_exit("could not set session ticket SSL_CTX"); } } +#ifdef HAVE_NGTCP2 + if(!(daemon->quic_sslctx = quic_sslctx_create( + cfg->ssl_service_key, cfg->ssl_service_pem, NULL))) { + fatal_exit("could not set up quic SSL_CTX"); + } +#endif /* HAVE_NGTCP2 */ } if(!(daemon->connect_sslctx = connect_sslctx_create(NULL, NULL, cfg->tls_cert_bundle, cfg->tls_win_cert))) fatal_exit("could not set up connect SSL_CTX"); -#endif +#endif /* HAVE_SSL */ /* init syslog (as root) if needed, before daemonize, otherwise * a fork error could not be printed since daemonize closed stderr.*/ diff --git a/daemon/worker.c b/daemon/worker.c index 713de3163..e2496f1fd 100644 --- a/daemon/worker.c +++ b/daemon/worker.c @@ -2174,9 +2174,9 @@ worker_init(struct worker* worker, struct config_file *cfg, cfg->harden_large_queries, cfg->http_max_streams, cfg->http_endpoint, cfg->http_notls_downstream, worker->daemon->tcl, worker->daemon->listen_sslctx, + worker->daemon->quic_sslctx, dtenv, worker->daemon->doq_table, worker->env.rnd, - cfg->ssl_service_key, cfg->ssl_service_pem, cfg, - worker_handle_request, worker); + cfg, worker_handle_request, worker); if(!worker->front) { log_err("could not create listening sockets"); worker_delete(worker); diff --git a/services/listen_dnsport.c b/services/listen_dnsport.c index 5dbac3650..a4cb25f2a 100644 --- a/services/listen_dnsport.c +++ b/services/listen_dnsport.c @@ -1523,9 +1523,9 @@ listen_create(struct comm_base* base, struct listen_port* ports, size_t bufsize, int tcp_accept_count, int tcp_idle_timeout, int harden_large_queries, uint32_t http_max_streams, char* http_endpoint, int http_notls, struct tcl_list* tcp_conn_limit, - void* sslctx, struct dt_env* dtenv, struct doq_table* doq_table, - struct ub_randstate* rnd, const char* ssl_service_key, - const char* ssl_service_pem, struct config_file* cfg, + void* sslctx, void* quic_sslctx, struct dt_env* dtenv, + struct doq_table* doq_table, + struct ub_randstate* rnd,struct config_file* cfg, comm_point_callback_type* cb, void *cb_arg) { struct listen_dnsport* front = (struct listen_dnsport*) @@ -1558,8 +1558,7 @@ listen_create(struct comm_base* base, struct listen_port* ports, #endif cp = comm_point_create_doq(base, ports->fd, front->udp_buff, cb, cb_arg, ports->socket, - doq_table, rnd, ssl_service_key, - ssl_service_pem, cfg); + doq_table, rnd, quic_sslctx, cfg); } else if(ports->ftype == listen_type_tcp || ports->ftype == listen_type_tcp_dnscrypt) { cp = comm_point_create_tcp(base, ports->fd, @@ -1620,10 +1619,13 @@ listen_create(struct comm_base* base, struct listen_port* ports, (ports->ftype == listen_type_udpancil) || (ports->ftype == listen_type_tcp_dnscrypt) || (ports->ftype == listen_type_udp_dnscrypt) || - (ports->ftype == listen_type_udpancil_dnscrypt)) + (ports->ftype == listen_type_udpancil_dnscrypt)) { cp->ssl = NULL; - else + } else if(ports->ftype == listen_type_doq) { + cp->ssl = quic_sslctx; + } else { cp->ssl = sslctx; + } cp->dtenv = dtenv; cp->do_not_close = 1; #ifdef USE_DNSCRYPT @@ -4598,10 +4600,9 @@ doq_alpn_select_cb(SSL* ATTR_UNUSED(ssl), const unsigned char** out, return SSL_TLSEXT_ERR_ALERT_FATAL; } -/** create new tls session for server doq connection */ -static SSL_CTX* -doq_ctx_server_setup(struct doq_server_socket* doq_socket) +void* quic_sslctx_create(char* key, char* pem, char* verifypem) { +#ifdef HAVE_NGHTTP2 char* sid_ctx = "unbound server"; #ifndef HAVE_NGTCP2_CRYPTO_QUICTLS_CONFIGURE_SERVER_CONTEXT SSL_QUIC_METHOD* quic_method; @@ -4611,6 +4612,16 @@ doq_ctx_server_setup(struct doq_server_socket* doq_socket) log_crypto_err("Could not SSL_CTX_new"); return NULL; } + if(!key || key[0] == 0) { + log_err("doq: error, no tls-service-key file specified"); + SSL_CTX_free(ctx); + return NULL; + } + if(!pem || pem[0] == 0) { + log_err("doq: error, no tls-service-pem file specified"); + SSL_CTX_free(ctx); + return NULL; + } SSL_CTX_set_options(ctx, (SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) | SSL_OP_SINGLE_ECDH_USE | @@ -4623,43 +4634,37 @@ doq_ctx_server_setup(struct doq_server_socket* doq_socket) SSL_CTX_set_alpn_select_cb(ctx, doq_alpn_select_cb, NULL); #endif SSL_CTX_set_default_verify_paths(ctx); - if(!SSL_CTX_use_certificate_chain_file(ctx, - doq_socket->ssl_service_pem)) { - log_err("doq: error for cert file: %s", - doq_socket->ssl_service_pem); + if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) { + log_err("doq: error for cert file: %s", pem); log_crypto_err("doq: error in " "SSL_CTX_use_certificate_chain_file"); SSL_CTX_free(ctx); return NULL; } - if(!SSL_CTX_use_PrivateKey_file(ctx, doq_socket->ssl_service_key, - SSL_FILETYPE_PEM)) { - log_err("doq: error for private key file: %s", - doq_socket->ssl_service_key); + if(!SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM)) { + log_err("doq: error for private key file: %s", key); log_crypto_err("doq: error in SSL_CTX_use_PrivateKey_file"); SSL_CTX_free(ctx); return NULL; } if(!SSL_CTX_check_private_key(ctx)) { - log_err("doq: error for key file: %s", - doq_socket->ssl_service_key); + log_err("doq: error for key file: %s", key); log_crypto_err("doq: error in SSL_CTX_check_private_key"); SSL_CTX_free(ctx); return NULL; } SSL_CTX_set_session_id_context(ctx, (void*)sid_ctx, strlen(sid_ctx)); - if(doq_socket->ssl_verify_pem && doq_socket->ssl_verify_pem[0]) { - if(!SSL_CTX_load_verify_locations(ctx, - doq_socket->ssl_verify_pem, NULL)) { + if(verifypem && verifypem[0]) { + if(!SSL_CTX_load_verify_locations(ctx, verifypem, NULL)) { log_err("doq: error for verify pem file: %s", - doq_socket->ssl_verify_pem); + verifypem); log_crypto_err("doq: error in " "SSL_CTX_load_verify_locations"); SSL_CTX_free(ctx); return NULL; } SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file( - doq_socket->ssl_verify_pem)); + verifypem)); SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER| SSL_VERIFY_CLIENT_ONCE| SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL); @@ -4672,7 +4677,7 @@ doq_ctx_server_setup(struct doq_server_socket* doq_socket) SSL_CTX_free(ctx); return NULL; } -#else +#else /* HAVE_NGTCP2_CRYPTO_QUICTLS_CONFIGURE_SERVER_CONTEXT */ /* The quic_method needs to remain valid during the SSL_CTX * lifetime, so we allocate it. It is freed with the * doq_server_socket. */ @@ -4690,6 +4695,10 @@ doq_ctx_server_setup(struct doq_server_socket* doq_socket) SSL_CTX_set_quic_method(ctx, doq_socket->quic_method); #endif return ctx; +#else /* HAVE_NGHTTP2 */ + (void)key; (void)pem; (void)verifypem; + return NULL; +#endif /* HAVE_NGHTTP2 */ } /** Get the ngtcp2_conn from ssl userdata of type ngtcp2_conn_ref */ @@ -4720,16 +4729,6 @@ doq_ssl_server_setup(SSL_CTX* ctx, struct doq_conn* conn) return ssl; } -/** setup the doq_socket server tls context */ -int -doq_socket_setup_ctx(struct doq_server_socket* doq_socket) -{ - doq_socket->ctx = doq_ctx_server_setup(doq_socket); - if(!doq_socket->ctx) - return 0; - return 1; -} - int doq_conn_setup(struct doq_conn* conn, uint8_t* scid, size_t scidlen, uint8_t* ocid, size_t ocidlen, const uint8_t* token, size_t tokenlen) diff --git a/services/listen_dnsport.h b/services/listen_dnsport.h index c29f4d72b..629f20bd4 100644 --- a/services/listen_dnsport.h +++ b/services/listen_dnsport.h @@ -195,11 +195,10 @@ int resolve_interface_names(char** ifs, int num_ifs, * @param http_notls: no TLS for http downstream * @param tcp_conn_limit: TCP connection limit info. * @param sslctx: nonNULL if ssl context. + * @param quic_sslctx: nonNULL if quic ssl context. * @param dtenv: nonNULL if dnstap enabled. * @param doq_table: the doq connection table, with shared information. * @param rnd: random state. - * @param ssl_service_key: the SSL service key file. - * @param ssl_service_pem: the SSL service pem file. * @param cfg: config file struct. * @param cb: callback function when a request arrives. It is passed * the packet and user argument. Return true to send a reply. @@ -211,9 +210,9 @@ listen_create(struct comm_base* base, struct listen_port* ports, size_t bufsize, int tcp_accept_count, int tcp_idle_timeout, int harden_large_queries, uint32_t http_max_streams, char* http_endpoint, int http_notls, struct tcl_list* tcp_conn_limit, - void* sslctx, struct dt_env* dtenv, struct doq_table* doq_table, - struct ub_randstate* rnd, const char* ssl_service_key, - const char* ssl_service_pem, struct config_file* cfg, + void* sslctx, void* quic_sslctx, struct dt_env* dtenv, + struct doq_table* doq_table, + struct ub_randstate* rnd,struct config_file* cfg, comm_point_callback_type* cb, void *cb_arg); /** @@ -512,6 +511,15 @@ struct doq_table { size_t current_size; }; +/** + * create SSL context for QUIC + * @param key: private key file. + * @param pem: public key cert. + * @param verifypem: if nonNULL, verifylocation file. + * return SSL_CTX* or NULL on failure (logged). + */ +void* quic_sslctx_create(char* key, char* pem, char* verifypem); + /** create doq table */ struct doq_table* doq_table_create(struct config_file* cfg, struct ub_randstate* rnd); @@ -712,9 +720,6 @@ int doq_timer_cmp(const void* key1, const void* key2); /** compare function of doq_stream */ int doq_stream_cmp(const void* key1, const void* key2); -/** setup the doq_socket server tls context */ -int doq_socket_setup_ctx(struct doq_server_socket* doq_socket); - /** setup the doq connection callbacks, and settings. */ int doq_conn_setup(struct doq_conn* conn, uint8_t* scid, size_t scidlen, uint8_t* ocid, size_t ocidlen, const uint8_t* token, size_t tokenlen); diff --git a/testcode/fake_event.c b/testcode/fake_event.c index 2f60b1381..2d175ed9b 100644 --- a/testcode/fake_event.c +++ b/testcode/fake_event.c @@ -938,11 +938,10 @@ listen_create(struct comm_base* base, struct listen_port* ATTR_UNUSED(ports), char* ATTR_UNUSED(http_endpoint), int ATTR_UNUSED(http_notls), struct tcl_list* ATTR_UNUSED(tcp_conn_limit), - void* ATTR_UNUSED(sslctx), struct dt_env* ATTR_UNUSED(dtenv), + void* ATTR_UNUSED(sslctx), void* ATTR_UNUSED(quic_ssl), + struct dt_env* ATTR_UNUSED(dtenv), struct doq_table* ATTR_UNUSED(table), struct ub_randstate* ATTR_UNUSED(rnd), - const char* ATTR_UNUSED(ssl_service_key), - const char* ATTR_UNUSED(ssl_service_pem), struct config_file* ATTR_UNUSED(cfg), comm_point_callback_type* cb, void *cb_arg) { diff --git a/testcode/testbound.c b/testcode/testbound.c index 442e23434..f9ea86e69 100644 --- a/testcode/testbound.c +++ b/testcode/testbound.c @@ -602,6 +602,12 @@ void listen_desetup_locks(void) } #ifdef HAVE_NGTCP2 +void* quic_sslctx_create(char* ATTR_UNUSED(key), char* ATTR_UNUSED(pem), + char* ATTR_UNUSED(verifypem)) +{ + return NULL; +} + void comm_point_doq_callback(int ATTR_UNUSED(fd), short ATTR_UNUSED(event), void* ATTR_UNUSED(arg)) { diff --git a/util/net_help.h b/util/net_help.h index eba38cee0..4365c9a6a 100644 --- a/util/net_help.h +++ b/util/net_help.h @@ -488,7 +488,7 @@ int listen_sslctx_setup(void* ctxt); */ void listen_sslctx_setup_2(void* ctxt); -/** +/** * create SSL listen context * @param key: private key file. * @param pem: public key cert. diff --git a/util/netevent.c b/util/netevent.c index 9181d3e4a..8f64278c3 100644 --- a/util/netevent.c +++ b/util/netevent.c @@ -2687,8 +2687,8 @@ comm_point_doq_callback(int fd, short event, void* arg) /** create new doq server socket structure */ static struct doq_server_socket* doq_server_socket_create(struct doq_table* table, struct ub_randstate* rnd, - const char* ssl_service_key, const char* ssl_service_pem, - struct comm_point* c, struct comm_base* base, struct config_file* cfg) + const void* quic_sslctx, struct comm_point* c, struct comm_base* base, + struct config_file* cfg) { size_t doq_buffer_size = 4096; /* bytes buffer size, for one packet. */ struct doq_server_socket* doq_socket; @@ -2699,69 +2699,29 @@ doq_server_socket_create(struct doq_table* table, struct ub_randstate* rnd, doq_socket->table = table; doq_socket->rnd = rnd; doq_socket->validate_addr = 1; - if(ssl_service_key == NULL || ssl_service_key[0]==0) { - log_err("doq server socket create: no tls-service-key"); - free(doq_socket); - return NULL; - } - if(ssl_service_pem == NULL || ssl_service_pem[0]==0) { - log_err("doq server socket create: no tls-service-pem"); - free(doq_socket); - return NULL; - } - doq_socket->ssl_service_key = strdup(ssl_service_key); - if(!doq_socket->ssl_service_key) { - free(doq_socket); - return NULL; - } - doq_socket->ssl_service_pem = strdup(ssl_service_pem); - if(!doq_socket->ssl_service_pem) { - free(doq_socket->ssl_service_key); - free(doq_socket); - return NULL; - } - doq_socket->ssl_verify_pem = NULL; /* the doq_socket has its own copy of the static secret, as * well as other config values, so that they do not need table.lock */ doq_socket->static_secret_len = table->static_secret_len; doq_socket->static_secret = memdup(table->static_secret, table->static_secret_len); if(!doq_socket->static_secret) { - free(doq_socket->ssl_service_key); - free(doq_socket->ssl_service_pem); - free(doq_socket->ssl_verify_pem); - free(doq_socket); - return NULL; - } - if(!doq_socket_setup_ctx(doq_socket)) { - free(doq_socket->ssl_service_key); - free(doq_socket->ssl_service_pem); - free(doq_socket->ssl_verify_pem); - free(doq_socket->static_secret); free(doq_socket); return NULL; } + doq_socket->ctx = (SSL_CTX*)quic_sslctx; doq_socket->idle_timeout = table->idle_timeout; doq_socket->sv_scidlen = table->sv_scidlen; doq_socket->cp = c; doq_socket->pkt_buf = sldns_buffer_new(doq_buffer_size); if(!doq_socket->pkt_buf) { - free(doq_socket->ssl_service_key); - free(doq_socket->ssl_service_pem); - free(doq_socket->ssl_verify_pem); free(doq_socket->static_secret); - SSL_CTX_free(doq_socket->ctx); free(doq_socket); return NULL; } doq_socket->blocked_pkt = sldns_buffer_new( sldns_buffer_capacity(doq_socket->pkt_buf)); if(!doq_socket->pkt_buf) { - free(doq_socket->ssl_service_key); - free(doq_socket->ssl_service_pem); - free(doq_socket->ssl_verify_pem); free(doq_socket->static_secret); - SSL_CTX_free(doq_socket->ctx); sldns_buffer_free(doq_socket->pkt_buf); free(doq_socket); return NULL; @@ -2769,11 +2729,7 @@ doq_server_socket_create(struct doq_table* table, struct ub_randstate* rnd, doq_socket->blocked_paddr = calloc(1, sizeof(*doq_socket->blocked_paddr)); if(!doq_socket->blocked_paddr) { - free(doq_socket->ssl_service_key); - free(doq_socket->ssl_service_pem); - free(doq_socket->ssl_verify_pem); free(doq_socket->static_secret); - SSL_CTX_free(doq_socket->ctx); sldns_buffer_free(doq_socket->pkt_buf); sldns_buffer_free(doq_socket->blocked_pkt); free(doq_socket); @@ -2781,11 +2737,7 @@ doq_server_socket_create(struct doq_table* table, struct ub_randstate* rnd, } doq_socket->timer = comm_timer_create(base, doq_timer_cb, doq_socket); if(!doq_socket->timer) { - free(doq_socket->ssl_service_key); - free(doq_socket->ssl_service_pem); - free(doq_socket->ssl_verify_pem); free(doq_socket->static_secret); - SSL_CTX_free(doq_socket->ctx); sldns_buffer_free(doq_socket->pkt_buf); sldns_buffer_free(doq_socket->blocked_pkt); free(doq_socket->blocked_paddr); @@ -2805,13 +2757,9 @@ doq_server_socket_delete(struct doq_server_socket* doq_socket) if(!doq_socket) return; free(doq_socket->static_secret); - SSL_CTX_free(doq_socket->ctx); #ifndef HAVE_NGTCP2_CRYPTO_QUICTLS_CONFIGURE_SERVER_CONTEXT free(doq_socket->quic_method); #endif - free(doq_socket->ssl_service_key); - free(doq_socket->ssl_service_pem); - free(doq_socket->ssl_verify_pem); sldns_buffer_free(doq_socket->pkt_buf); sldns_buffer_free(doq_socket->blocked_pkt); free(doq_socket->blocked_paddr); @@ -5862,8 +5810,8 @@ struct comm_point* comm_point_create_doq(struct comm_base *base, int fd, sldns_buffer* buffer, comm_point_callback_type* callback, void* callback_arg, struct unbound_socket* socket, struct doq_table* table, - struct ub_randstate* rnd, const char* ssl_service_key, - const char* ssl_service_pem, struct config_file* cfg) + struct ub_randstate* rnd, const void* quic_sslctx, + struct config_file* cfg) { #ifdef HAVE_NGTCP2 struct comm_point* c = (struct comm_point*)calloc(1, @@ -5900,15 +5848,13 @@ comm_point_create_doq(struct comm_base *base, int fd, sldns_buffer* buffer, c->dnscrypt = 0; c->dnscrypt_buffer = NULL; #endif -#ifdef HAVE_NGTCP2 - c->doq_socket = doq_server_socket_create(table, rnd, ssl_service_key, - ssl_service_pem, c, base, cfg); + c->doq_socket = doq_server_socket_create(table, rnd, quic_sslctx, c, + base, cfg); if(!c->doq_socket) { log_err("could not create doq comm_point"); comm_point_delete(c); return NULL; } -#endif c->inuse = 0; c->callback = callback; c->cb_arg = callback_arg; @@ -5940,8 +5886,7 @@ comm_point_create_doq(struct comm_base *base, int fd, sldns_buffer* buffer, (void)socket; (void)rnd; (void)table; - (void)ssl_service_key; - (void)ssl_service_pem; + (void)quic_sslctx; (void)cfg; sock_close(fd); return NULL; diff --git a/util/netevent.h b/util/netevent.h index acc4887b1..a9deeecea 100644 --- a/util/netevent.h +++ b/util/netevent.h @@ -593,8 +593,7 @@ struct comm_point* comm_point_create_udp_ancil(struct comm_base* base, * @param socket: and opened socket properties will be passed to your callback function. * @param table: the doq connection table for the host. * @param rnd: random generator to use. - * @param ssl_service_key: the ssl service key file. - * @param ssl_service_pem: the ssl service pem file. + * @param quic_sslctx: the quic ssl context. * @param cfg: config file struct. * @return: returns the allocated communication point. NULL on error. * Sets timeout to NULL. Turns off TCP options. @@ -603,8 +602,8 @@ struct comm_point* comm_point_create_doq(struct comm_base* base, int fd, struct sldns_buffer* buffer, comm_point_callback_type* callback, void* callback_arg, struct unbound_socket* socket, struct doq_table* table, - struct ub_randstate* rnd, const char* ssl_service_key, - const char* ssl_service_pem, struct config_file* cfg); + struct ub_randstate* rnd, const void* quic_sslctx, + struct config_file* cfg); /** * Create a TCP listener comm point. Calls malloc. @@ -1045,12 +1044,6 @@ struct doq_server_socket { struct ub_randstate* rnd; /** if address validation is enabled */ uint8_t validate_addr; - /** the ssl service key file */ - char* ssl_service_key; - /** the ssl service pem file */ - char* ssl_service_pem; - /** the ssl verify pem file */ - char* ssl_verify_pem; /** the server scid length */ int sv_scidlen; /** the idle timeout in nanoseconds */ diff --git a/winrc/win_svc.c b/winrc/win_svc.c index 49d4251fa..bd28bd206 100644 --- a/winrc/win_svc.c +++ b/winrc/win_svc.c @@ -366,6 +366,11 @@ service_init(int r, struct daemon** d, struct config_file** c) if(!(daemon->listen_sslctx = listen_sslctx_create( cfg->ssl_service_key, cfg->ssl_service_pem, NULL))) fatal_exit("could not set up listen SSL_CTX"); +#ifdef HAVE_NGTCP2 + if(!(daemon->quic_sslctx = quic_sslctx_create( + cfg->ssl_service_key, cfg->ssl_service_pem, NULL))) + fatal_exit("could not set up quic SSL_CTX"); +#endif /* HAVE_NGTCP2 */ } if(!(daemon->connect_sslctx = connect_sslctx_create(NULL, NULL, cfg->tls_cert_bundle, cfg->tls_win_cert)))