Re: LibreSSL 3.6.0 QUIC support with HAProxy 2.7

2022-10-08 Thread Илья Шипицин
I sent a patch to the list and reported a LibreSSL regression:
https://github.com/libressl-portable/portable/issues/792

Sat, 8 Oct 2022 at 10:26, Илья Шипицин :

> unfortunately, we have a bug. I'll fix it today
>
> [image: image.png]
>
>
> Thu, 6 Oct 2022 at 14:07, Илья Шипицин :
>
>>
>>
>> Thu, 6 Oct 2022 at 14:03, William Lallemand :
>>
>>> On Thu, Oct 06, 2022 at 08:46:08AM +0500, Илья Шипицин wrote:
>>> > libressl-3.6.0 was released yesterday
>>> >
>>> > [image: image.png]
>>> >
>>> >
>>> > hopefully, the GitHub pipeline will pick it up on the next build (it
>>> > tries to pick the latest available).
>>>
>>> I'm confused, the CI is switching major branches automatically?
>>>
>>
>> yes, when the LIBRESSL_VERSION=latest notation is used
>>
>>
>>>
>>>
>>> > we can modify the GitHub pipeline to use QUIC for LibreSSL builds
>>> >
>>>
>>> I think that's a good idea, indeed.
>>>
>>>
>>>
>>> --
>>> William Lallemand
>>>
>>


Re: LibreSSL 3.6.0 QUIC support with HAProxy 2.7

2022-10-07 Thread Илья Шипицин
unfortunately, we have a bug. I'll fix it today

[image: image.png]


Thu, 6 Oct 2022 at 14:07, Илья Шипицин :

>
>
> Thu, 6 Oct 2022 at 14:03, William Lallemand :
>
>> On Thu, Oct 06, 2022 at 08:46:08AM +0500, Илья Шипицин wrote:
>> > libressl-3.6.0 was released yesterday
>> >
>> > [image: image.png]
>> >
>> >
>> > hopefully, the GitHub pipeline will pick it up on the next build (it
>> > tries to pick the latest available).
>>
>> I'm confused, the CI is switching major branches automatically?
>>
>
> yes, when the LIBRESSL_VERSION=latest notation is used
>
>
>>
>>
>> > we can modify the GitHub pipeline to use QUIC for LibreSSL builds
>> >
>>
>> I think that's a good idea, indeed.
>>
>>
>>
>> --
>> William Lallemand
>>
>


Re: LibreSSL 3.6.0 QUIC support with HAProxy 2.7

2022-10-06 Thread Илья Шипицин
Thu, 6 Oct 2022 at 14:03, William Lallemand :

> On Thu, Oct 06, 2022 at 08:46:08AM +0500, Илья Шипицин wrote:
> > libressl-3.6.0 was released yesterday
> >
> > [image: image.png]
> >
> >
> > hopefully, the GitHub pipeline will pick it up on the next build (it
> > tries to pick the latest available).
>
> I'm confused, the CI is switching major branches automatically?
>

yes, when the LIBRESSL_VERSION=latest notation is used


>
>
> > we can modify the GitHub pipeline to use QUIC for LibreSSL builds
> >
>
> I think that's a good idea, indeed.
>
>
>
> --
> William Lallemand
>


Re: LibreSSL 3.6.0 QUIC support with HAProxy 2.7

2022-10-06 Thread William Lallemand
On Thu, Oct 06, 2022 at 08:46:08AM +0500, Илья Шипицин wrote:
> libressl-3.6.0 was released yesterday
> 
> [image: image.png]
> 
> 
> hopefully, the GitHub pipeline will pick it up on the next build (it tries to
> pick the latest available).

I'm confused, the CI is switching major branches automatically?


> we can modify the GitHub pipeline to use QUIC for LibreSSL builds
> 

I think that's a good idea, indeed.



-- 
William Lallemand



Re: LibreSSL 3.6.0 QUIC support with HAProxy 2.7

2022-10-05 Thread Илья Шипицин
libressl-3.6.0 was released yesterday

[image: image.png]


hopefully, the GitHub pipeline will pick it up on the next build (it tries to
pick the latest available).
we can modify the GitHub pipeline to use QUIC for LibreSSL builds

Thu, 15 Sep 2022 at 13:54, William Lallemand :

> On Thu, Sep 15, 2022 at 01:06:25AM +0200, Aleksandar Lazic wrote:
> > Hi William.
> >
> > [...]
> > How about changing this to something like
> >
> > Built with SSL Library version
> > Running on SSL Library version
> > SSL library supports ...
> >
> > Because it's confusing :-)
> >
> > Built with OpenSSL version : LibreSSL 3.6.0
> >
> > I thought also something like
> >
> > Built with (OpenSSL|LibreSSL) version : LibreSSL 3.6.0
> >
> > But this looks ugly to me.
> >
> >
>
> I get your point, but this is still a library from the OpenSSL family, a
> fork which uses most of the OpenSSL API; you still have to build with
> USE_OPENSSL=1. It's the same for OpenSSL, LibreSSL, quicTLS, BoringSSL.
>
> At some point if we add a whole new API, for example gnuTLS or wolfssl,
> this would be a whole new API, and we would have to rename the defines
> and probably this line in haproxy -vv.
>
> --
> William Lallemand
>
>


Re: LibreSSL 3.6.0 QUIC support with HAProxy 2.7

2022-09-15 Thread William Lallemand
On Thu, Sep 15, 2022 at 01:06:25AM +0200, Aleksandar Lazic wrote:
> Hi William.
>
> [...]
> How about changing this to something like
> 
> Built with SSL Library version
> Running on SSL Library version
> SSL library supports ...
> 
> Because it's confusing :-)
> 
> Built with OpenSSL version : LibreSSL 3.6.0
> 
> I thought also something like
> 
> Built with (OpenSSL|LibreSSL) version : LibreSSL 3.6.0
> 
> But this looks ugly to me.
> 
> 

I get your point, but this is still a library from the OpenSSL family, a
fork which uses most of the OpenSSL API; you still have to build with
USE_OPENSSL=1. It's the same for OpenSSL, LibreSSL, quicTLS, BoringSSL.

At some point if we add a whole new API, for example gnuTLS or wolfssl,
this would be a whole new API, and we would have to rename the defines
and probably this line in haproxy -vv.

-- 
William Lallemand



Re: LibreSSL 3.6.0 QUIC support with HAProxy 2.7

2022-09-14 Thread Aleksandar Lazic

Hi William.

On 14.09.22 18:50, William Lallemand wrote:

> Hello List,
>
> We've just finished the port of HAProxy for the next LibreSSL
> version which implements the quicTLS API.

Wow great news.


> For those interested, this is how you are supposed to compile everything:
>
> The LibreSSL library:
>
> $ git clone https://github.com/libressl-portable/portable libressl
> $ cd libressl
> $ ./autogen.sh
>
> # The QUIC API is not public and not available in the shared
> # library for now, you have to link with the .a
> $ ./configure --prefix=/opt/libressl-quic/ --disable-shared \
>     CFLAGS=-DLIBRESSL_HAS_QUIC
> $ make V=1
> $ sudo make install
>
> HAProxy:
>
> $ git clone http://git.haproxy.org/git/haproxy.git/
> $ cd haproxy
> $ make TARGET=linux-glibc USE_OPENSSL=1 USE_QUIC=1 \
>     SSL_INC=/opt/libressl-quic/include/ \
>     SSL_LIB=/opt/libressl-quic/lib/ DEFINE='-DLIBRESSL_HAS_QUIC'


> $ ./haproxy -vv
> HAProxy version 2.7-dev5-7eeef9-91 2022/09/14 - https://haproxy.org/
> Status: development branch - not safe for use in production.
> Known bugs: https://github.com/haproxy/haproxy/issues?q=is:issue+is:open
> Running on: Linux 5.15.0-47-generic #51-Ubuntu SMP Thu Aug 11 07:51:15 UTC 2022 x86_64
> Build options :
>   TARGET  = linux-glibc
>   CPU     = generic
>   CC      = cc
>   CFLAGS  = -O2 -ggdb3 -Wall -Wextra -Wundef -Wdeclaration-after-statement -Wfatal-errors -Wtype-limits -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference -fwrapv -Wno-address-of-packed-member -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-clobbered -Wno-missing-field-initializers -Wno-cast-function-type -Wno-string-plus-int -Wno-atomic-alignment -DLIBRESSL_HAS_QUIC
>   OPTIONS = USE_PCRE=1 USE_OPENSSL=1 USE_LUA=1 USE_ZLIB=1 USE_SYSTEMD=1 USE_QUIC=1
>   DEBUG   = -DDEBUG_MEMORY_POOLS -DDEBUG_STRICT
>
> Feature list : +EPOLL -KQUEUE +NETFILTER +PCRE -PCRE_JIT -PCRE2 -PCRE2_JIT +POLL +THREAD -PTHREAD_EMULATION +BACKTRACE -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H -ENGINE +GETADDRINFO +OPENSSL +LUA +ACCEPT4 -CLOSEFROM +ZLIB -SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL +SYSTEMD -OBSOLETE_LINKER +PRCTL -PROCCTL +THREAD_DUMP -EVPORTS -OT +QUIC -PROMEX -MEMORY_PROFILING
>
> Default settings :
>   bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
>
> Built with multi-threading support (MAX_TGROUPS=16, MAX_THREADS=256, default=8).
> Built with OpenSSL version : LibreSSL 3.6.0
> Running on OpenSSL version : LibreSSL 3.6.0
> OpenSSL library supports TLS extensions : yes
> OpenSSL library supports SNI : yes
> OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3

How about changing this to something like

Built with SSL Library version
Running on SSL Library version
SSL library supports ...

Because it's confusing :-)

Built with OpenSSL version : LibreSSL 3.6.0

I thought also something like

Built with (OpenSSL|LibreSSL) version : LibreSSL 3.6.0

But this looks ugly to me.



> Built with Lua version : Lua 5.4.3
> Built with network namespace support.
> Support for malloc_trim() is enabled.
> Built with zlib version : 1.2.11
> Running on zlib version : 1.2.11
> Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
> Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
> Built with PCRE version : 8.39 2016-06-14
> Running on PCRE version : 8.39 2016-06-14
> PCRE library supports JIT : no (USE_PCRE_JIT not set)
> Encrypted password support via crypt(3): yes
> Built with gcc compiler version 11.2.0
>
> Available polling systems :
>       epoll : pref=300,  test result OK
>        poll : pref=200,  test result OK
>      select : pref=150,  test result OK
> Total: 3 (3 usable), will use epoll.
>
> Available multiplexer protocols :
> (protocols marked as <default> cannot be specified using 'proto' keyword)
>       quic : mode=HTTP  side=FE     mux=QUIC  flags=HTX|NO_UPG|FRAMED
>         h2 : mode=HTTP  side=FE|BE  mux=H2    flags=HTX|HOL_RISK|NO_UPG
>       fcgi : mode=HTTP  side=BE     mux=FCGI  flags=HTX|HOL_RISK|NO_UPG
>  <default> : mode=HTTP  side=FE|BE  mux=H1    flags=HTX
>         h1 : mode=HTTP  side=FE|BE  mux=H1    flags=HTX|NO_UPG
>  <default> : mode=TCP   side=FE|BE  mux=PASS  flags=
>       none : mode=TCP   side=FE|BE  mux=PASS  flags=NO_UPG
>
> Available services : none
>
> Available filters :
>         [BWLIM] bwlim-in
>         [BWLIM] bwlim-out
>         [CACHE] cache
>          [COMP] compression


LibreSSL 3.6.0 QUIC support with HAProxy 2.7

2022-09-14 Thread William Lallemand
Hello List,

We've just finished the port of HAProxy for the next LibreSSL
version which implements the quicTLS API.

For those interested, this is how you are supposed to compile everything:

The LibreSSL library:

$ git clone https://github.com/libressl-portable/portable libressl
$ cd libressl
$ ./autogen.sh

# The QUIC API is not public and not available in the shared
# library for now, you have to link with the .a
$ ./configure --prefix=/opt/libressl-quic/ --disable-shared \
    CFLAGS=-DLIBRESSL_HAS_QUIC
$ make V=1
$ sudo make install

HAProxy:

$ git clone http://git.haproxy.org/git/haproxy.git/
$ cd haproxy
$ make TARGET=linux-glibc USE_OPENSSL=1 USE_QUIC=1 \
    SSL_INC=/opt/libressl-quic/include/ \
    SSL_LIB=/opt/libressl-quic/lib/ DEFINE='-DLIBRESSL_HAS_QUIC'


$ ./haproxy -vv
HAProxy version 2.7-dev5-7eeef9-91 2022/09/14 - https://haproxy.org/
Status: development branch - not safe for use in production.
Known bugs: https://github.com/haproxy/haproxy/issues?q=is:issue+is:open
Running on: Linux 5.15.0-47-generic #51-Ubuntu SMP Thu Aug 11 07:51:15 UTC 2022 x86_64
Build options :
  TARGET  = linux-glibc
  CPU     = generic
  CC      = cc
  CFLAGS  = -O2 -ggdb3 -Wall -Wextra -Wundef -Wdeclaration-after-statement -Wfatal-errors -Wtype-limits -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference -fwrapv -Wno-address-of-packed-member -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-clobbered -Wno-missing-field-initializers -Wno-cast-function-type -Wno-string-plus-int -Wno-atomic-alignment -DLIBRESSL_HAS_QUIC
  OPTIONS = USE_PCRE=1 USE_OPENSSL=1 USE_LUA=1 USE_ZLIB=1 USE_SYSTEMD=1 USE_QUIC=1
  DEBUG   = -DDEBUG_MEMORY_POOLS -DDEBUG_STRICT

Feature list : +EPOLL -KQUEUE +NETFILTER +PCRE -PCRE_JIT -PCRE2 -PCRE2_JIT +POLL +THREAD -PTHREAD_EMULATION +BACKTRACE -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H -ENGINE +GETADDRINFO +OPENSSL +LUA +ACCEPT4 -CLOSEFROM +ZLIB -SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL +SYSTEMD -OBSOLETE_LINKER +PRCTL -PROCCTL +THREAD_DUMP -EVPORTS -OT +QUIC -PROMEX -MEMORY_PROFILING

Default settings :
  bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_TGROUPS=16, MAX_THREADS=256, default=8).
Built with OpenSSL version : LibreSSL 3.6.0
Running on OpenSSL version : LibreSSL 3.6.0
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with Lua version : Lua 5.4.3
Built with network namespace support.
Support for malloc_trim() is enabled.
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with PCRE version : 8.39 2016-06-14
Running on PCRE version : 8.39 2016-06-14
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Encrypted password support via crypt(3): yes
Built with gcc compiler version 11.2.0

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
      quic : mode=HTTP  side=FE     mux=QUIC  flags=HTX|NO_UPG|FRAMED
        h2 : mode=HTTP  side=FE|BE  mux=H2    flags=HTX|HOL_RISK|NO_UPG
      fcgi : mode=HTTP  side=BE     mux=FCGI  flags=HTX|HOL_RISK|NO_UPG
 <default> : mode=HTTP  side=FE|BE  mux=H1    flags=HTX
        h1 : mode=HTTP  side=FE|BE  mux=H1    flags=HTX|NO_UPG
 <default> : mode=TCP   side=FE|BE  mux=PASS  flags=
      none : mode=TCP   side=FE|BE  mux=PASS  flags=NO_UPG

Available services : none

Available filters :
        [BWLIM] bwlim-in
        [BWLIM] bwlim-out
        [CACHE] cache
         [COMP] compression
         [FCGI] fcgi-app
         [SPOE] spoe
        [TRACE] trace



Regards,


-- 
William Lallemand
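The build recipe and the `haproxy -vv` transcript in this first message, together with the later remark that the CI switches LibreSSL branches on its own when LIBRESSL_VERSION=latest is used, point at a check worth running after every build: is the binary really linked against the intended QUIC-capable library, and is it still on the branch that was tested? The script below is an added example, not code from this thread or from the HAProxy project. It parses `-vv` output using the line labels exactly as they appear in the transcript above (an assumption about format stability; other HAProxy versions may word them differently), confirms that the library HAProxy was built with is the one it is running on, that it is the expected family and branch, and that USE_QUIC, the +QUIC feature, the quic mux and TLSv1.3 are all present. Both embedded transcripts are constructed; the second deliberately shows a mismatched run-time library and a build without QUIC. Note how the family is read from the value ("LibreSSL 3.6.0"), never from the label, which says "OpenSSL" for every OpenSSL-family fork, which is precisely the confusion raised later in the thread.

```python
import re

# Constructed sample (not a real transcript): a trimmed `haproxy -vv` output
# modelled on the one in the thread, HAProxy 2.7-dev against LibreSSL 3.6.0.
GOOD_VV = """\
HAProxy version 2.7-dev5-7eeef9-91 2022/09/14 - https://haproxy.org/
Build options :
  TARGET  = linux-glibc
  OPTIONS = USE_PCRE=1 USE_OPENSSL=1 USE_LUA=1 USE_ZLIB=1 USE_SYSTEMD=1 USE_QUIC=1

Feature list : +EPOLL -KQUEUE +NETFILTER +PCRE +POLL +THREAD +OPENSSL +QUIC -PROMEX

Built with OpenSSL version : LibreSSL 3.6.0
Running on OpenSSL version : LibreSSL 3.6.0
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
      quic : mode=HTTP  side=FE     mux=QUIC  flags=HTX|NO_UPG|FRAMED
        h2 : mode=HTTP  side=FE|BE  mux=H2    flags=HTX|HOL_RISK|NO_UPG
 <default> : mode=HTTP  side=FE|BE  mux=H1    flags=HTX
        h1 : mode=HTTP  side=FE|BE  mux=H1    flags=HTX|NO_UPG
"""

# Constructed counter-example: built against 3.6.0 but loading an older shared
# library at run time, and built without USE_QUIC (no +QUIC, no quic mux).
BAD_VV = """\
Build options :
  OPTIONS = USE_PCRE=1 USE_OPENSSL=1
Feature list : +EPOLL +OPENSSL -QUIC
Built with OpenSSL version : LibreSSL 3.6.0
Running on OpenSSL version : LibreSSL 3.5.3
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Available multiplexer protocols :
        h2 : mode=HTTP  side=FE|BE  mux=H2    flags=HTX|HOL_RISK|NO_UPG
"""

# Line labels as printed in the thread's transcript (assumed stable here).
_LINE_RES = {
    "built_ssl": re.compile(r"^Built with OpenSSL version : (.+)$"),
    "running_ssl": re.compile(r"^Running on OpenSSL version : (.+)$"),
    "tls_versions": re.compile(r"^OpenSSL library supports : (.+)$"),
    "options": re.compile(r"^\s*OPTIONS\s*=\s*(.*)$"),
    "mux": re.compile(r"^\s*(\S+)\s*:\s*mode=\S+\s+side=\S+\s+mux=\S+"),
}


def parse_vv(text):
    """Extract the SSL/QUIC-relevant facts from `haproxy -vv` output."""
    info = {"built_ssl": "", "running_ssl": "", "tls_versions": "",
            "features": set(), "options": {}, "muxes": set()}
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("Feature list :"):
            # '+' tokens are compiled-in features, '-' tokens are absent.
            info["features"] = {t for t in line.split(":", 1)[1].split() if t[0] == "+"}
            continue
        for key, rx in _LINE_RES.items():
            m = rx.match(line)
            if not m:
                continue
            if key == "mux":
                info["muxes"].add(m.group(1))
            elif key == "options":
                info["options"] = dict(kv.partition("=")[::2] for kv in m.group(1).split())
            else:
                info[key] = m.group(1).strip()
            break
    return info


def ssl_library(version_string):
    """'LibreSSL 3.6.0' -> ('LibreSSL', '3.6.0'). HAProxy prints the label
    'OpenSSL version' for every OpenSSL-family fork, so read the family from
    the value, not from the label."""
    parts = version_string.split()
    return (parts[0] if parts else "", parts[1] if len(parts) > 1 else "")


def check_quic_build(text, expected_family="LibreSSL", expected_branch=None):
    """Return the problems found (empty list = build looks right). expected_branch,
    e.g. "3.6.", catches a CI job built with LIBRESSL_VERSION=latest that has
    silently moved to another LibreSSL branch. Typical use:
    check_quic_build(subprocess.check_output(["./haproxy", "-vv"], text=True))."""
    info = parse_vv(text)
    built, running = info["built_ssl"], info["running_ssl"]
    family, version = ssl_library(built)
    problems = []
    if built != running:
        problems.append(f"built against '{built}' but running on '{running}'")
    if family != expected_family:
        problems.append(f"SSL library is '{family}', expected {expected_family}")
    if expected_branch and not version.startswith(expected_branch):
        problems.append(f"{family} {version} is outside expected branch {expected_branch}")
    if info["options"].get("USE_QUIC") != "1":
        problems.append("USE_QUIC=1 missing from build OPTIONS")
    if "+QUIC" not in info["features"]:
        problems.append("+QUIC missing from feature list")
    if "quic" not in info["muxes"]:
        problems.append("quic mux not available")
    if "TLSv1.3" not in info["tls_versions"].split():
        problems.append("TLSv1.3 not supported by the library; QUIC requires it")
    return problems
```

Running it over the good transcript returns no problems; over the counter-example it reports the built/running mismatch, the missing USE_QUIC option, the missing +QUIC feature and the missing quic mux. Passing `expected_branch="3.5."` against the 3.6.0 build is the check a pipeline using `LIBRESSL_VERSION=latest` would have failed on the day 3.6.0 appeared, which is the kind of silent branch switch William asked about.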