DOC: ssl: Document the restrictions on 0RTT.

Document that with QUIC, 0RTT only works with OpenSSL >= 3.5.2 and
AWS-LC, and for TLS/TCP, it only works with OpenSSL, and frontends
require that an ALPN be sent by the client to use the early data before
the handshake.
Olivier Houchard 2025-11-25 11:02:21 +01:00 committed by Olivier Houchard
parent 91eb9b082b
commit f867068dc7


@ -16513,6 +16513,10 @@ allow-0rtt
you should only allow if for requests that are safe to replay, i.e. requests
that are idempotent. You can use the "wait-for-handshake" action for any
request that wouldn't be safe with early data.
With QUIC, 0rtt is supported with OpenSSL >= 3.5.2 and AWS-LC. With TCP/TLS,
0rtt is only supported with OpenSSL, and requires that the client sends an
ALPN, otherwise the early data won't be considered before the handshake
happens.
alpn <protocols>
This enables the TLS ALPN extension and advertises the specified protocol
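Review bot: the added bind-side sentence "requires that the client sends an ALPN" should read "requires that the client send an ALPN", and since the very next keyword documented is `alpn <protocols>`, a pointer to it here would tell readers where the listener side of that requirement is configured. Two smaller points in the same hunk: the unchanged context line "you should only allow if for requests that are safe to replay" carries a pre-existing typo ("allow it for requests") that could be fixed while this paragraph is being edited, and the commit title writes "0RTT" while the new text writes "0rtt"; pick one spelling for the documentation.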
@ -17741,6 +17745,8 @@ allow-0rtt
Allow sending early data to the server when using TLS 1.3.
Note that early data will be sent only if the client used early data, or
if the backend uses "retry-on" with the "0rtt-rejected" keyword.
With QUIC, 0rtt is supported with OpenSSL >= 3.5.2 and AWS-LC. With TCP/TLS,
0rtt is only supported with OpenSSL.
alpn <protocols>
May be used in the following contexts: tcp, http
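Review bot: "0rtt is only supported with OpenSSL" in the server-side paragraph is ambiguous about whether AWS-LC, named as supported for QUIC in the preceding sentence, and OpenSSL releases older than 3.5.2 are excluded for TCP/TLS; state the minimum OpenSSL version if one applies, or say explicitly that there is none, and say outright that AWS-LC is not supported there. The server-side text also drops the ALPN caveat given in the bind-side hunk; if no such requirement exists when HAProxy is the client, a short sentence saying so would stop readers from treating the omission as an oversight.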