git.kaiwu.me - haproxy.git/commit
BUG/MEDIUM: ktls: defer enabling TLS ULP on a socket until connected
author Karol Kucharski <kkucharski@fastlogic.pl>
Thu, 11 Jun 2026 12:48:38 +0000 (14:48 +0200)
committer Olivier Houchard <cognet@ci0.org>
Thu, 11 Jun 2026 12:18:31 +0000 (14:18 +0200)
commit 96b08e959ca1b44f5b7e0917a4b53e73858fd29d
tree f6270061521f7b02b5db2056ed14aee13348245c
parent 784f972a6f085c9ba61256673330cc824fc3c9c1
BUG/MEDIUM: ktls: defer enabling TLS ULP on a socket until connected

The Linux tls module requires a socket to be in TCP_ESTABLISHED state
before we can enable the TLS ULP on the socket. If the socket is in any
other state, then the setsockopt() call will fail, and we won't use
kTLS on that socket.
To make sure we're not doing it too early, defer it until the TLS
handshake is done, which means the TCP connection is established.

This should be backported up to 3.3.

Signed-off-by: Karol Kucharski <kkucharski@fastlogic.pl>
include/haproxy/ssl_sock-t.h
src/ssl_sock.c