#2246 closed enhancement (invalid)
Our QUIC implementation currently supports BoringSSL and the quictls fork of OpenSSL
Reported by: | Owned by: | ||
---|---|---|---|
Priority: | minor | Milestone: | nginx-1.21 |
Component: | documentation | Version: | |
Keywords: | Cc: | ||
uname -a: | 1235bg.da.ru 3.10.0-1160.42.2.el7.x86_64 #1 SMP Tue Sep 7 11:20:39 PDT 2021 x86_64 x86_64 x86_64 GNU/Linux | ||
nginx -V: |
nginx version: nginx/1.21.3
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44.0.3) (GCC)
built with OpenSSL 1.1.1g FIPS 21 Apr 2020
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx --with-compat --with-debug --with-file-aio --with-google_perftools_module --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_degradation_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_mp4_module --with-http_perl_module=dynamic --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-http_xslt_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream=dynamic --with-stream_ssl_module --with-stream_ssl_preread_module --with-threads --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic' --with-ld-opt='-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E' |
Description
As written on (1) compiling nginx-quic seems to be supported by the quictls fork of OpenSSL. Which doesn't work given the error below (2).
As `SSL_set_quic_method' seems to be BoringSSL specific.
What is going on?
- the documentation is not up to date and the quic OpenSSL fork is not supported? In that case please update your docs.
- the quic OpenSSL fork will be supported in the future but I'm asking this too early?
(1) https://www.nginx.com/blog/our-roadmap-quic-http-3-support-nginx/
(2) nginx-1.21.3/objs/autotest.c:7: undefined reference to `SSL_set_quic_method'
collect2: error: ld returned 1 exit status
Change History (4)
comment:1 by , 3 years ago
Resolution: | → invalid |
---|---|
Status: | new → closed |
comment:2 by , 3 years ago
'Unfortunately, you didn't provide the trace'
Which trace do you want?
As nginx-quic cannot be built with quic-OpenSSL, there is little to show.
You can dismiss this as low hanging fruit with the 'simple instructions' term.
Show that you have successfully built nginx-quic with quic-OpenSSL.
As the same instructions link only supports BoringSSL.
Or do you not understand English well?
follow-up: 4 comment:3 by , 3 years ago
> As nginx-quic cannot be built with quic-OpenSSL, there is little to show.
You may want to provide ./configure arguments you use and the relevant output. The quictls fork of OpenSSL is supported and known to work.
Note though that --with-openssl=<source> is currently broken when building with quictls fork of OpenSSL. You have to compile it yourself and provide appropriate library and include paths, similarly to building with BoringSSL.
comment:4 by , 3 years ago
Replying to Maxim Dounin:
> Note though that --with-openssl=<source> is currently broken when building with quictls fork
> of OpenSSL. You have to compile it yourself and provide appropriate library and include paths,
> similarly to building with BoringSSL.
Aha thanks buddy! Fixed by compiling quic-OpenSSL and adding it afterwards:
--with-cc-opt="-I/root/Desktop/src/openssl/include" --with-ld-opt="-L/root/Desktop/src/openssl -L/root/Desktop/src/openssl/crypto" && \
Might be a good idea to add --with-openssl=<source> to the readme as currently broken and not working yet for quic-OpenSSL users on Nginx-quic.
I close with the fact that it seems to be that QUIC 0-RTT is only supported on Nginx-quic + BoringSSL but not supported on Nginx-quic + quic-OpenSSL yet.
checking for OpenSSL QUIC support ... found
checking for OpenSSL QUIC 0-RTT context ... not found
As 0-RTT compatibility is reviewed by the Nginx auto script from openssl/ssl.h.
Where 0-RTT is added to the BoringSSL <openssl/ssl.h> code (1) but not to quic-OpenSSL <openssl/ssl.h> code (2). Seems as the OpenSSL team has opted for a different solution as can be reviewed at issue 25 (3).
if [ $USE_OPENSSL_QUIC = YES ]; then
    ngx_feature="OpenSSL QUIC 0-RTT context"
    ngx_feature_incs="#include <openssl/ssl.h>"
(1) https://github.com/google/boringssl/blob/master/include/openssl/ssl.h
(2) https://github.com/quictls/openssl/blob/OpenSSL_1_1_1l%2Bquic/include/openssl/ssl.h
(3) https://github.com/quictls/openssl/issues/25
P.s. is it allowed to start new tickets in Russian?
To build nginx with a custom variant of the OpenSSL library, you have to properly configure it. Unfortunately, you didn't provide the traces.
Alternatively, follow the simple instructions to try the nginx-quic implementation.
If you have further questions on how to configure nginx, please consider using support options available.
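Added example (not part of the ticket and not nginx's own build script): a preflight check for the failure discussed above, where the link step cannot resolve SSL_set_quic_method because the libssl found on the library path lacks the QUIC API. The function name, the OPENSSL_DIR variable and the sample nm listings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Report which of the named symbols a libssl build does NOT define.
# Input: `nm` output on stdin. Arguments: symbol names to look for.
# Real use (OPENSSL_DIR is a hypothetical path to the compiled quictls tree):
#   nm "$OPENSSL_DIR/libssl.a" | missing_quic_symbols SSL_set_quic_method
#   nm -D --defined-only "$OPENSSL_DIR/libssl.so" | missing_quic_symbols SSL_set_quic_method
missing_quic_symbols() {
    awk -v want="$*" '
        BEGIN { n = split(want, names, " ") }
        # Defined symbols appear as "<address> <type> <name>".
        # Undefined references ("U name") have only two fields and are skipped.
        NF == 3 && $2 ~ /^[TtWwDdBbRr]$/ {
            name = $3
            sub(/@.*/, "", name)      # drop ELF symbol version, e.g. @@OPENSSL_1_1_0
            defined[name] = 1
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(names[i] in defined)) print names[i]
        }'
}

# Constructed sample: a stock OpenSSL 1.1.1 libssl without the QUIC API.
STOCK_NM='0000000000036f10 T SSL_new@@OPENSSL_1_1_0
0000000000038a20 T SSL_CTX_new@@OPENSSL_1_1_0
                 U memcpy'

# Constructed sample: a quictls libssl that exports the QUIC API.
QUICTLS_NM='0000000000036f10 T SSL_new
0000000000041c80 T SSL_set_quic_method
                 U memcpy'

# Wrappers so the results can be inspected without a real library on disk.
check_stock()   { printf '%s\n' "$STOCK_NM"   | missing_quic_symbols SSL_new SSL_set_quic_method; }
check_quictls() { printf '%s\n' "$QUICTLS_NM" | missing_quic_symbols SSL_new SSL_set_quic_method; }

echo "stock build is missing: $(check_stock)"
echo "quictls build is missing: $(check_quictls)"
```

Run it against the library directory passed in --with-ld-opt before ./configure; an empty result means the link test for QUIC support can resolve the symbol there.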