Re: [PATCH 2 of 4] QUIC: do not use SSL_set_quic_early_data_enabled() with LibreSSL

Mon, 17 Oct 2022 07:04:50 -0700 


> On 17 Oct 2022, at 15:07, Roman Arutyunyan <a...@nginx.com> wrote:
> 
> Hi,
> 
> On Tue, Oct 11, 2022 at 02:35:51PM +0400, Sergey Kandaurov wrote:
>> # HG changeset patch
>> # User Sergey Kandaurov <pluk...@nginx.com>
>> # Date 1665442922 -14400
>> #      Tue Oct 11 03:02:02 2022 +0400
>> # Branch quic
>> # Node ID caced81ce0a9cb218ae8cdd6176c12e0614acee9
>> # Parent  82b03006a7bd93c3b5c962a3afac89e0639b0c12
>> QUIC: do not use SSL_set_quic_early_data_enabled() with LibreSSL.
>> 
>> This function is present in QuicTLS only.  After SSL_READ_EARLY_DATA_SUCCESS
>> became visible in LibreSSL together with experimental QUIC API, this required
>> to revise the conditional compilation test to use more narrow macros.
>> 
>> diff --git a/src/event/quic/ngx_event_quic_ssl.c 
>> b/src/event/quic/ngx_event_quic_ssl.c
>> --- a/src/event/quic/ngx_event_quic_ssl.c
>> +++ b/src/event/quic/ngx_event_quic_ssl.c
>> @@ -557,7 +557,7 @@ ngx_quic_init_connection(ngx_connection_
>>         return NGX_ERROR;
>>     }
>> 
>> -#ifdef SSL_READ_EARLY_DATA_SUCCESS
>> +#if (!defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL)
> 
> What about the macro OPENSSL_INFO_QUIC?  It's only defined in QuicTLS.
> 
>>     if (SSL_CTX_get_max_early_data(qc->conf->ssl->ctx)) {
>>         SSL_set_quic_early_data_enabled(ssl_conn, 1);
>>     }

I wonder how long will it take to use this macro in the upstream OpenSSL.
Given that QuicTLS may be considered as something interim,
I think it should be ok for now.
And it respects the no-quic QuicTLS build option.

Together with the adjusted log summary:

QUIC: using SSL_set_quic_early_data_enabled() only with QuicTLS.

This function is present in QuicTLS only.  After SSL_READ_EARLY_DATA_SUCCESS
became visible in LibreSSL together with experimental QUIC API, this required
to revise the conditional compilation test to use more narrow macros.

diff --git a/src/event/quic/ngx_event_quic_ssl.c 
b/src/event/quic/ngx_event_quic_ssl.c
--- a/src/event/quic/ngx_event_quic_ssl.c
+++ b/src/event/quic/ngx_event_quic_ssl.c
@@ -557,7 +557,7 @@ ngx_quic_init_connection(ngx_connection_
         return NGX_ERROR;
     }
 
-#ifdef SSL_READ_EARLY_DATA_SUCCESS
+#ifdef OPENSSL_INFO_QUIC
     if (SSL_CTX_get_max_early_data(qc->conf->ssl->ctx)) {
         SSL_set_quic_early_data_enabled(ssl_conn, 1);
     }

-- 
Sergey Kandaurov

_______________________________________________
nginx-devel mailing list -- nginx-devel@nginx.org
To unsubscribe send an email to nginx-devel-le...@nginx.org

Reply via email to