Thu, 7 Sep 2023 at 00:05, Hopkins, Andrew <and...@amazon.com>:
> I tried it and HAProxy doesn’t build with AWS-LC when quic is turned on.
> There are at least two issues:
> 1. AWS-LC’s TLS 1.3 cipher suite names are a little different, this is
> easy to fix and I opened https://github.com/aws/aws-lc/pull/1175
> 2. ChaCha Poly and AES CCM are not usable through the EVP_CIPHER API,
> AWS-LC only exposes these through the AEAD API
>
> How important is ChaCha Poly & AES CCM to HAProxy and your users? I see
> three options:

It is mandatory, browsers require it. Accidentally, "QUIC without ChaCha Poly" was implemented for LibreSSL (it was added a few commits later), and nothing worked from the browser's point of view.

> 1. AWS-LC plumbs these two algorithms through the EVP_CIPHER API. This is
> useful for HAProxy and other AWS-LC customers, but is the most work
> 2. HAProxy adopts AWS-LC’s (and BoringSSL’s) AEAD API
> 3. HAProxy turns off ChaCha Poly and AES CCM support in quic when built
> with AWS-LC

I recall there was similar usage for BoringSSL, maybe just modifying the "ifdef" should work.

> *From: *Илья Шипицин <chipits...@gmail.com>
> *Date: *Wednesday, September 6, 2023 at 5:41 AM
> *To: *William Lallemand <wlallem...@haproxy.com>
> *Cc: *"Hopkins, Andrew" <and...@amazon.com>, Willy Tarreau <w...@1wt.eu>,
> Aleksandar Lazic <al-hapr...@none.at>, "haproxy@formilux.org" <haproxy@formilux.org>
> *Subject: *RE: [EXTERNAL] [PATCH] BUILD: ssl: Build with new
> cryptographic library AWS-LC
>
> *CAUTION*: This email originated from outside of the organization. Do not
> click links or open attachments unless you can confirm the sender and know
> the content is safe.
>
> based on USE_OPENSSL_AWSLC quic may be enabled?
>
> Wed, 6 Sep 2023 at 14:26, William Lallemand <wlallem...@haproxy.com>:
>
> On Tue, Sep 05, 2023 at 11:56:26PM +0000, Hopkins, Andrew wrote:
> > I split up the remaining CI changes into 4 new attached patches. The
> > latest changes are still passing on my fork
> > https://github.com/andrewhop/haproxy/actions/runs/6090899582.
>
> Thanks, I just merged them!
>
> > I was hoping to take advantage of the better HAProxy support in
> > AWS-LC's CI but I'm running into some issues in
> > https://github.com/aws/aws-lc/pull/1174 I was wondering if you had any
> > pointers of what to look at. I think this is CodeBuild specific issue
> > since the tests pass in HAProxy's CI and when I run AWS-LC's CI
> > locally. I just can't figure out what CodeBuild might be doing to mess
> > with the results.
> >
> > Looking at the log for mcli_start_progs.vtc the two sleep programs are
> > started as expected but the overall process returns the wrong exit
> > code (0x0 instead of 0x82). Does anything stand out to you as weird
> > looking?
>
> I never used CodeBuild so I'm not aware of any timers or process
> limitation but that could be something like that.
>
> From what I understand from the trace, I think every process received a
> SIGTERM. You can see 2 "Exiting Master process..." and the first one is before
> the "kill" from VTest which is supposed to send a SIGINT so it was probably sent
> outside the test.
>
> This test should finish like this:
>
> *** h1 debug|00000000:MASTER.accept(0008)=000e from [127.0.0.1:41542] ALPN=<none>
> *** h1 debug|00000000:MASTER.srvcls[000e:ffff]
> **** h1 CLI connection normally closed
> *** h1 CLI closing fd 9
> **** h1 CLI recv|#<PID> <type> <reloads> <uptime> <version>
> **** h1 CLI recv|357949 master 0 [failed: 0] 0d00h00m00s 2.9-dev4-06d369-78
> **** h1 CLI recv|# workers
> **** h1 CLI recv|357955 worker 0 0d00h00m00s 2.9-dev4-06d369-78
> **** h1 CLI recv|# programs
> **** h1 CLI recv|357953 foo 0 0d00h00m00s -
> **** h1 CLI recv|357954 bar 0 0d00h00m00s -
> **** h1 CLI recv|
> *** h1 debug|00000001:MASTER.clicls[ffff:ffff]
> *** h1 debug|00000001:MASTER.closed[ffff:ffff]
> **** h1 CLI expect match ~ ".*foo.*
> .*bar.*
> "
> ** h1 CLI ending
> ** h1 Wait
> ** h1 Stop HAproxy pid=357949
> **** h1 Kill(2)=0: Success
> *** h1 debug|[NOTICE] (357949) : haproxy version is 2.9-dev4-06d369-78
> *** h1 debug|[NOTICE] (357949) : path to executable is /home/wla/projects/haproxy/haproxy-community-maint/haproxy
> *** h1 debug|[WARNING] (357949) : Exiting Master process...
> *** h1 debug|[ALERT] (357949) : Current program 'foo' (357953) exited with code 130 (Interrupt)
> *** h1 debug|[ALERT] (357949) : Current program 'bar' (357954) exited with code 130 (Interrupt)
> **** dT 0.076
> *** h1 debug|[ALERT] (357949) : Current worker (357955) exited with code 130 (Interrupt)
> *** h1 debug|[WARNING] (357949) : All workers exited. Exiting... (130)
> **** dT 0.077
> **** h1 STDOUT EOF
> **** dT 0.171
> ** h1 WAIT4 pid=357949 status=0x8200 (user 0.058881 sys 0.026402)
> * top RESETTING after reg-tests/mcli/mcli_start_progs.vtc
> ** h1 Reset and free h1 haproxy -1
> **** dT 0.172
> ** s1 Waiting for server (4/-1)
> * top TEST reg-tests/mcli/mcli_start_progs.vtc completed
> * diag 0.0 /usr/bin/sleep
> # top TEST reg-tests/mcli/mcli_start_progs.vtc passed (0.173)
> 0 tests failed, 0 tests skipped, 1 tests passed
>
> --
> William Lallemand
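
Added example, not part of the thread and not HAProxy or VTest code: a small decoder for the `WAIT4 ... status=0x....` lines in a VTest trace, showing why the expected status 0x8200 corresponds to exit code 0x82 (130 = 128 + SIGINT). It assumes the Linux wait-status layout; the function names and the second sample line (modelling the failing run's 0x0) are constructed for illustration.

```python
import re
import signal

# Matches the VTest line reporting the wait4() result for the haproxy master.
WAIT4_RE = re.compile(r"WAIT4 pid=(\d+) status=(0x[0-9a-fA-F]+)")


def signal_name(num):
    try:
        return signal.Signals(num).name
    except ValueError:
        return f"signal {num}"


def decode_status(status):
    """Decode a raw wait status (Linux layout, assumed here)."""
    if status & 0xFF == 0x7F:            # stopped, not terminated
        return {"how": "stopped", "signal": signal_name((status >> 8) & 0xFF)}
    termsig = status & 0x7F              # non-zero: killed by this signal
    if termsig:
        return {"how": "killed", "signal": signal_name(termsig)}
    code = (status >> 8) & 0xFF          # otherwise bits 8-15 are the exit code
    result = {"how": "exited", "code": code}
    if code > 128:                       # 128 + N: exited after handling signal N
        result["signal"] = signal_name(code - 128)
    return result


def check_trace(trace, expected_code):
    """Return (pid, decoded, ok) for every WAIT4 line found in a trace."""
    found = []
    for m in WAIT4_RE.finditer(trace):
        decoded = decode_status(int(m.group(2), 16))
        found.append((int(m.group(1)), decoded,
                      decoded.get("code") == expected_code))
    return found


# Line 1 is taken from the trace quoted in this thread; line 2 is constructed
# (hypothetical pid) to model the failing run that returned 0x0.
SAMPLE = """\
** h1 WAIT4 pid=357949 status=0x8200 (user 0.058881 sys 0.026402)
** h1 WAIT4 pid=1111 status=0x0000 (user 0.0 sys 0.0)
"""

if __name__ == "__main__":
    for pid, decoded, ok in check_trace(SAMPLE, 0x82):
        print(pid, decoded, "OK" if ok else "UNEXPECTED")
```
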