commit 1f550f0a3aecd52747c79d064042e5a6e6b96782
Author: Emmanuel Hocdet <manu@gandi.net>
Date:   Wed May 31 17:37:10 2017 +0200

    early_data

diff --git a/include/types/listener.h b/include/types/listener.h
index 3d9ad7f7b..e9a69e3b7 100644
--- a/include/types/listener.h
+++ b/include/types/listener.h
@@ -120,6 +120,7 @@ struct ssl_bind_conf {
 #endif
 	int verify:3;              /* verify method (set of SSL_VERIFY_* flags) */
 	int no_ca_names:1;         /* do not send ca names to clients (ca_file related) */
+	int early_data:1;          /* early-data for 0-RTT (TLSv1.3) */
 	char *ca_file;             /* CAfile to use on verify */
 	char *crl_file;            /* CRLfile to use on verify */
 	char *ciphers;             /* cipher suite to use if non-null */
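Review bot: The comment on the new `early_data` bit says what it enables but not the security consequence, which is the main thing a maintainer needs to know about this flag. TLSv1.3 0-RTT data is not protected against replay and has no forward secrecy, unlike the rest of the connection. I would write it as `/* accept TLSv1.3 0-RTT early data (replayable, no forward secrecy) */`. The field is a signed 1-bit bit-field like `no_ca_names` above it, so it should only be tested for non-zero, never compared with 1. struct ssl_bind_conf begins and ends outside this hunk.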
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index c66a4ad76..3348bd5ec 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -2189,6 +2189,8 @@ static int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *arg)
 		ssl_sock_switchctx_set(ssl, container_of(node, struct sni_ctx, name)->ctx);
 		methodVersions[conf->ssl_methods.min].ssl_set_version(ssl, SET_MIN);
 		methodVersions[conf->ssl_methods.max].ssl_set_version(ssl, SET_MAX);
+		if (s->default_ssl_conf->early_data || conf->early_data)
+			SSL_set_early_data_enabled(ctx->ssl, 1);
 		return 1;
 	}
 #if (!defined SSL_NO_GENERATE_CERTIFICATES)
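Review bot: The added call passes `ctx->ssl`, while the three context lines directly above it operate on `ssl`, and no `ctx` carrying an SSL handle is visible in this hunk. Unless one is declared earlier in the function (which starts outside the hunk), this should read `SSL_set_early_data_enabled(ssl, 1);`. `SSL_set_early_data_enabled()` is a BoringSSL call, and no guard such as `#ifdef OPENSSL_IS_BORINGSSL` is visible around it, so builds against other TLS libraries may fail. The condition also dereferences `s->default_ssl_conf` without a NULL check, so it is worth confirming that pointer is always set on this path.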
@@ -6701,6 +6703,19 @@ static int bind_parse_ecdhe(char **args, int cur_arg, struct proxy *px, struct b
 	return ssl_bind_parse_ecdhe(args, cur_arg, px, &conf->ssl_conf, err);
 }
 
+/* parse the "early-data" bind keyword keyword */
+static int ssl_bind_parse_early_data(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
+{
+	conf->early_data = 1;
+	return 0;
+}
+
+static int bind_parse_early_data(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
+{
+	conf->default_ssl_conf->early_data = 1;
+	return 0;
+}
+
 /* parse the "crt-ignore-err" and "ca-ignore-err" bind keywords */
 static int bind_parse_ignore_err(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
 {
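Review bot: `bind_parse_early_data` writes through `conf->default_ssl_conf` directly, whereas the sibling wrapper at the top of this hunk (`bind_parse_ecdhe`) delegates to its `ssl_bind_parse_*` counterpart with `&conf->ssl_conf`. If `default_ssl_conf` is not yet allocated when bind keywords are parsed (not visible here), this is a NULL dereference at configuration load. Following the existing pattern would be `return ssl_bind_parse_early_data(args, cur_arg, px, &conf->ssl_conf, err);`, with the check in `ssl_sock_switchctx_cbk` reading the same field. The comment above `ssl_bind_parse_early_data` repeats a word and should read `/* parse the "early-data" bind keyword */`, and the second function has no comment at all.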
@@ -8029,6 +8044,7 @@ static struct ssl_bind_kw ssl_bind_kws[] = {
 	{ "ciphers",               ssl_bind_parse_ciphers,          1 }, /* set SSL cipher suite */
 	{ "crl-file",              ssl_bind_parse_crl_file,         1 }, /* set certificat revocation list file use on client cert verify */
 	{ "curves",                ssl_bind_parse_curves,           1 }, /* set SSL curve suite */
+	{ "early-data",            ssl_bind_parse_early_data,       0 }, /* activate early-data for 0-RTT (TLSv1.3) */
 	{ "ecdhe",                 ssl_bind_parse_ecdhe,            1 }, /* defines named curve for elliptic curve Diffie-Hellman */
 	{ "no-ca-names",           ssl_bind_parse_no_ca_names,      0 }, /* do not send ca names to clients (ca_file related) */
 	{ "npn",                   ssl_bind_parse_npn,              1 }, /* set NPN supported protocols */
@@ -8050,6 +8066,7 @@ static struct bind_kw_list bind_kws = { "SSL", { }, {
 	{ "crt-ignore-err",        bind_parse_ignore_err,         1 }, /* set error IDs to ingore on verify depth == 0 */
 	{ "crt-list",              bind_parse_crt_list,           1 }, /* load a list of crt from this location */
 	{ "curves",                bind_parse_curves,             1 }, /* set SSL curve suite */
+	{ "early-data",            bind_parse_early_data,         0 }, /* activate early-data for 0-RTT (TLSv1.3) */
 	{ "ecdhe",                 bind_parse_ecdhe,              1 }, /* defines named curve for elliptic curve Diffie-Hellman */
 	{ "force-sslv3",           bind_parse_tls_method_options, 0 }, /* force SSLv3 */
 	{ "force-tlsv10",          bind_parse_tls_method_options, 0 }, /* force TLSv10 */
