MINOR: server: reject QUIC servers without explicit SSL

Report an error during server configuration if QUIC is used but SSL is
not activated via 'ssl' keyword. This is done in _srv_parse_finalize(),
which is used by both static and dynamic servers.

Note that contrary to listeners, an error is reported instead of a
warning, and SSL is not automatically activated if missing. This is
mainly due to the complex server configuration: _srv_parse_finalize()
is ideal to affect every server, including dynamic entries. However, it
is executed after server SSL context allocation performed via
<prepare_srv> XPRT operation. A proper fix would be to move SSL ctx
alloc in _srv_parse_finalize(), but this may have unknown impact. Thus,
for now a simpler solution has been chosen.
Amaury Denoyelle 2025-06-12 16:16:43 +02:00
parent 33cd96a5e9
commit 830affc17d

@ -3836,6 +3836,15 @@ static int _srv_parse_finalize(char **args, int cur_arg,
}
}
#ifdef USE_QUIC
if (srv_is_quic(srv)) {
if (!srv->use_ssl) {
ha_alert("QUIC protocol detected without explicit SSL requirement. Use 'ssl' to fix this.\n");
return ERR_ALERT | ERR_FATAL;
}
}
#endif
srv_lb_commit_status(srv);
return 0;
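Review bot: the ha_alert() call in the new USE_QUIC block takes no format arguments, so the message "QUIC protocol detected without explicit SSL requirement. Use 'ssl' to fix this." does not identify which server is misconfigured. Since the commit message says this path covers both static and dynamic servers, consider including the server's identity in the alert so the failing entry can be located. The two nested conditions could also be folded into a single `if (srv_is_quic(srv) && !srv->use_ssl)`. The reason this is a fatal error rather than a warning with automatic SSL activation, as for listeners, is currently only in the commit message; a short comment in the block stating it would keep that rationale next to the code.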