I tried it and HAProxy doesn't build with AWS-LC when quic is turned on. There are at least two issues:

1. AWS-LC's TLS 1.3 cipher suite names are a little different; this is easy to fix and I opened https://github.com/aws/aws-lc/pull/1175
2. ChaCha Poly and AES CCM are not usable through the EVP_CIPHER API; AWS-LC only exposes these through the AEAD API
How important are ChaCha Poly & AES CCM to HAProxy and your users? I see three options:

1. AWS-LC plumbs these two algorithms through the EVP_CIPHER API. This is useful for HAProxy and other AWS-LC customers, but is the most work
2. HAProxy adopts AWS-LC's (and BoringSSL's) AEAD API
3. HAProxy turns off ChaCha Poly and AES CCM support in quic when built with AWS-LC

From: Илья Шипицин <[email protected]>
Date: Wednesday, September 6, 2023 at 5:41 AM
To: William Lallemand <[email protected]>
Cc: "Hopkins, Andrew" <[email protected]>, Willy Tarreau <[email protected]>, Aleksandar Lazic <[email protected]>, "[email protected]" <[email protected]>
Subject: RE: [EXTERNAL] [PATCH] BUILD: ssl: Build with new cryptographic library AWS-LC

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.

based on USE_OPENSSL_AWSLC quic may be enabled?

Wed, 6 Sep 2023 at 14:26, William Lallemand <[email protected]>:

On Tue, Sep 05, 2023 at 11:56:26PM +0000, Hopkins, Andrew wrote:
> I split up the remaining CI changes into 4 new attached patches. The
> latest changes are still passing on my fork
> https://github.com/andrewhop/haproxy/actions/runs/6090899582.
>

Thanks, I just merged them!

> I was hoping to take advantage of the better HAProxy support in
> AWS-LC's CI but I'm running into some issues in
> https://github.com/aws/aws-lc/pull/1174 I was wondering if you had any
> pointers of what to look at. I think this is a CodeBuild-specific issue
> since the tests pass in HAProxy's CI and when I run AWS-LC's CI
> locally. I just can't figure out what CodeBuild might be doing to mess
> with the results.
>
> Looking at the log for mcli_start_progs.vtc the two sleep programs are
> started as expected but the overall process returns the wrong exit
> code (0x0 instead of 0x82). Does anything stand out to you as weird
> looking?
I never used CodeBuild so I'm not aware of any timers or process limitation, but that could be something like that.

From what I understand from the trace, I think every process received a SIGTERM. You can see 2 "Exiting Master process..." and the first one is before the "kill" from VTest, which is supposed to send a SIGINT, so it was probably sent outside the test.

This test should finish like this:

*** h1 debug|00000000:MASTER.accept(0008)=000e from [127.0.0.1:41542] ALPN=<none>
*** h1 debug|00000000:MASTER.srvcls[000e:ffff]
**** h1 CLI connection normally closed
*** h1 CLI closing fd 9
**** h1 CLI recv|#<PID> <type> <reloads> <uptime> <version>
**** h1 CLI recv|357949 master 0 [failed: 0] 0d00h00m00s 2.9-dev4-06d369-78
**** h1 CLI recv|# workers
**** h1 CLI recv|357955 worker 0 0d00h00m00s 2.9-dev4-06d369-78
**** h1 CLI recv|# programs
**** h1 CLI recv|357953 foo 0 0d00h00m00s -
**** h1 CLI recv|357954 bar 0 0d00h00m00s -
**** h1 CLI recv|
*** h1 debug|00000001:MASTER.clicls[ffff:ffff]
*** h1 debug|00000001:MASTER.closed[ffff:ffff]
**** h1 CLI expect match ~ ".*foo.* .*bar.* "
** h1 CLI ending
** h1 Wait
** h1 Stop HAproxy pid=357949
**** h1 Kill(2)=0: Success
*** h1 debug|[NOTICE] (357949) : haproxy version is 2.9-dev4-06d369-78
*** h1 debug|[NOTICE] (357949) : path to executable is /home/wla/projects/haproxy/haproxy-community-maint/haproxy
*** h1 debug|[WARNING] (357949) : Exiting Master process...
*** h1 debug|[ALERT] (357949) : Current program 'foo' (357953) exited with code 130 (Interrupt)
*** h1 debug|[ALERT] (357949) : Current program 'bar' (357954) exited with code 130 (Interrupt)
**** dT 0.076
*** h1 debug|[ALERT] (357949) : Current worker (357955) exited with code 130 (Interrupt)
*** h1 debug|[WARNING] (357949) : All workers exited. Exiting... (130)
**** dT 0.077
**** h1 STDOUT EOF
**** dT 0.171
** h1 WAIT4 pid=357949 status=0x8200 (user 0.058881 sys 0.026402)
* top RESETTING after reg-tests/mcli/mcli_start_progs.vtc
** h1 Reset and free h1 haproxy -1
**** dT 0.172
** s1 Waiting for server (4/-1)
* top TEST reg-tests/mcli/mcli_start_progs.vtc completed
* diag 0.0 /usr/bin/sleep
# top TEST reg-tests/mcli/mcli_start_progs.vtc passed (0.173)
0 tests failed, 0 tests skipped, 1 tests passed

-- 
William Lallemand
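To make the exit-code discussion in the thread concrete, here is an added example (not code from HAProxy, VTest or AWS-LC) that decodes a raw wait status word the way VTest's "WAIT4 ... status=0x8200" line reports it, and maps the 128+n convention behind the master's "exited with code 130 (Interrupt)" message. It assumes a POSIX system with the sys/wait.h macros; the status words 0x8200 and 0x0 are the two values quoted above, and the forked child is constructed here only to contrast a real death-by-signal with a normal exit carrying 128+n.

```c
/* Added example, not HAProxy, VTest or AWS-LC code: decode wait status words
 * such as the "WAIT4 pid=... status=0x8200" line VTest prints.
 * Build: cc -Wall -o waitstatus waitstatus.c */
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

struct wait_info {
    int exited;     /* child returned from main() or called exit() */
    int exit_code;  /* WEXITSTATUS when exited */
    int signaled;   /* child was terminated by a signal it did not handle */
    int term_sig;   /* WTERMSIG when signaled */
    int shell_sig;  /* exit code of the form 128+n: n, the signal the child
                       itself handled before exiting; 0 otherwise */
};

/* Name the few signals relevant here the way the master prints them. */
const char *signal_name(int sig)
{
    switch (sig) {
    case SIGINT:  return "Interrupt";
    case SIGTERM: return "Terminated";
    case SIGKILL: return "Killed";
    default:      return "signal";
    }
}

/* Decode a status word as returned by wait4(2)/waitpid(2). */
struct wait_info decode_wait_status(int status)
{
    struct wait_info w;
    memset(&w, 0, sizeof w);
    if (WIFEXITED(status)) {
        w.exited = 1;
        w.exit_code = WEXITSTATUS(status);
        /* 128+n is the shell convention for "I exited because of signal n";
         * the kernel only sees a normal exit here, which is why VTest shows
         * 0x8200 (exit code 0x82 = 130 in the high byte) and not a signal. */
        if (w.exit_code > 128)
            w.shell_sig = w.exit_code - 128;
    } else if (WIFSIGNALED(status)) {
        w.signaled = 1;
        w.term_sig = WTERMSIG(status);
    }
    return w;
}

/* Render a status word as a one-line description into buf; returns buf. */
char *describe_wait_status(int status, char *buf, size_t len)
{
    struct wait_info w = decode_wait_status(status);
    if (w.signaled)
        snprintf(buf, len, "status=0x%x: killed by %s (%d)",
                 status, signal_name(w.term_sig), w.term_sig);
    else if (w.exited && w.shell_sig)
        snprintf(buf, len, "status=0x%x: exited with code %d (%s)",
                 status, w.exit_code, signal_name(w.shell_sig));
    else if (w.exited)
        snprintf(buf, len, "status=0x%x: exited with code %d",
                 status, w.exit_code);
    else
        snprintf(buf, len, "status=0x%x: stopped or continued", status);
    return buf;
}

int main(void)
{
    char buf[128];
    int status;

    /* The word VTest printed for the passing run quoted in the thread. */
    puts(describe_wait_status(0x8200, buf, sizeof buf));
    /* The word reported from the CodeBuild run (exit code 0x0). */
    puts(describe_wait_status(0x0, buf, sizeof buf));

    /* Constructed contrast: a child that does not catch SIGINT dies by the
     * signal, so the status word carries the signal number, not 128+n. */
    pid_t pid = fork();
    if (pid == 0) {
        raise(SIGINT);
        _exit(0);          /* not reached unless SIGINT is ignored */
    }
    if (pid > 0 && waitpid(pid, &status, 0) == pid)
        puts(describe_wait_status(status, buf, sizeof buf));
    return 0;
}
```

Run against the two values from the thread, the decoder shows that 0x8200 is a normal exit with code 130 (128 + SIGINT), i.e. the master itself called exit after its children were interrupted, while 0x0 is a normal exit with code 0; neither word records a death by signal, which is what the forked child produces.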

