Opened 6 weeks ago

Closed 6 weeks ago

Last modified 5 weeks ago

#2246 closed enhancement (invalid)

Our QUIC implementation currently supports BoringSSL and the quictls fork of OpenSSL

Reported by: bertusdebruin@… Owned by:
Priority: minor Milestone: nginx-1.21
Component: documentation Version:
Keywords: Cc:
uname -a: 1235bg.da.ru 3.10.0-1160.42.2.el7.x86_64 #1 SMP Tue Sep 7 11:20:39 PDT 20 21 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.21.3
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44.0.3) (GCC)
built with OpenSSL 1.1.1g FIPS 21 Apr 2020
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx --with-compat --with-debug --with-file-aio --with-google_perftools_module --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_degradation_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_mp4_module --with-http_perl_module=dynamic --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-http_xslt_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream=dynamic --with-stream_ssl_module --with-stream_ssl_preread_module --with-threads --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic' --with-ld-opt='-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E'

Description

As written on (1) compiling nginx-quic seems to be supported by the quictls fork of OpenSSL. Which doesn't work given the error below (2).

As `SSL_set_quic_method' seems to be BoringSSL specific.

What is going on.

  1. the documentation is not up to date and the quic OpenSSL fork is not supported? In that case please update your docs.
  1. the quic OpenSSL fork will be supported in the future but I'm asking this too early?

(1) https://www.nginx.com/blog/our-roadmap-quic-http-3-support-nginx/

(2) nginx-1.21.3/objs/autotest.c:7: undefined reference to `SSL_set_quic_method'
collect2: error: ld returned 1 exit status

Change History (4)

comment:1 by Sergey Kandaurov, 6 weeks ago

Resolution: invalid
Status: newclosed

To build nginx with a custom variant of the OpenSSL library, you have to properly configure it. Unfortunately, you didn't provide the traces.
Alternatively, follow the simple instructions to try the nginx-quic implementation.
If you have further questions on how to configure nginx, please consider using support options available.

comment:2 by bertusdebruin@…, 6 weeks ago

'Unfortunately, you didn't provide the trace'
Which trace do you want?

As nginx-quic cannot be built with quic-OpenSSL, there is little to show.
You can dismiss this as low hanging fruit with the 'simple instructions' term.

Show me that you're successful have built nginx-quic with quic-OpenSSL.
As your instructions link only supports BoringSSL. As I mentioned before.

Or do you not understand English well?

Last edited 6 weeks ago by bertusdebruin@… (previous) (diff)

comment:3 by Maxim Dounin, 5 weeks ago

As nginx-quic cannot be built with quic-OpenSSL, there is little to show.

You may want to provide ./configure arguments you use and the relevant output. The quictls fork of OpenSSL is supported and known to work.

Note though that --with-openssl=<source> is currently broken when building with quictls fork of OpenSSL. You have to compile it yourself and provide appropriate library and include paths, similarly to building with BoringSSL.

in reply to:  3 comment:4 by bertusdebruin@…, 5 weeks ago

Replying to Maxim Dounin:

Note though that --with-openssl=<source> is currently broken when building with quictls fork > of OpenSSL. You have to compile it yourself and provide appropriate library and include paths, > similarly to building with BoringSSL.

Aha thanks buddy! Fixed by compiling quic-OpenSSL and adding it afterwards:

--with-cc-opt="-I/root/Desktop/src/openssl/include"
--with-ld-opt="-L/root/Desktop/src/openssl
-L/root/Desktop/src/openssl/crypto" && \

Might be a good idea to add --with-openssl=<source> to the readme as currently broken and not working yet for quic-OpenSSL users on Nginx-quic.

I close with the fact that it seems to be that QUIC 0-RTT is only supported on Nginx-quic + BorringSSL but not supported on Nginx-quic + quic-OpenSSL yet.

checking for OpenSSL QUIC support ... found
checking for OpenSSL QUIC 0-RTT context ... not found

As 0-RTT compatibility is reviewed by the Nginx auto script from openssl/ssl.h.
Where 0-RTT is added to the BoringSSL <openssl/ssl.h> code (1) but not to quic-OpenSSL <openssl/ssl.h> code (2). Seems as the OpenSSL team has opted for a different solution as can be reviewed at issue 25 (3).

if [ $USE_OPENSSL_QUIC = YES ]; then
    ngx_feature="OpenSSL QUIC 0-RTT context"
    ngx_feature_incs="#include <openssl/ssl.h>"

(1) https://github.com/google/boringssl/blob/master/include/openssl/ssl.h
(2) https://github.com/quictls/openssl/blob/OpenSSL_1_1_1l%2Bquic/include/openssl/ssl.h
(3) https://github.com/quictls/openssl/issues/25

P.s. is it allowed to start new tickets in Russian?

Note: See TracTickets for help on using tickets.