maybe we'll join both VTest sections like that

[image: image.png]

Thu, 13 Jul 2023 at 01:45, Hopkins, Andrew <and...@amazon.com>:

>
> Thanks for the tip, I got the CI running and it found a minor visibility
> issue that we had to fix with our shared build [1]. All but one test [2] is
> now passing in the HAProxy CI while they all pass locally. Do you have any
> suggestions/tips for debugging this test?
>
> Also the compiler and/or options used in your CI turned a warning into an
> error so I had to update the patch slightly to use the correct callback
> type for modern libcryptos.
>
> src/ssl_sock.c:1183:43: error: passing argument 2 of
> ‘SSL_CTX_get_tlsext_status_cb’ from incompatible pointer type
> [-Werror=incompatible-pointer-types]
>  1183 |         SSL_CTX_get_tlsext_status_cb(ctx, &callback);
>       |                                           ^~~~~~~~~
>       |                                           |
>       |                                           void (**)(void)
> compilation terminated due to -Wfatal-errors.
>
> OpenSSL >= 1.1.1 have the same callback signature as AWS-LC: int
> (*callback)(SSL *, void *). I believe this works with OpenSSL >= 1.1.1
> because their SSL_CTX_ctrl performs the cast while AWS-LC has a dedicated
> function SSL_CTX_get_tlsext_status_cb with the right type.
>
> [1] https://github.com/aws/aws-lc/pull/1091
> [2] https://github.com/andrewhop/haproxy/actions/runs/5537027817/jobs/10105411198?pr=1#step:15:215
>
>
> From: Илья Шипицин <chipits...@gmail.com>
> Sent: Wednesday, July 12, 2023 12:53 AM
> To: Hopkins, Andrew
> Cc: haproxy@formilux.org
> Subject: RE: [EXTERNAL][PATCH] BUILD: ssl: Build with new cryptographic
> library AWS-LC
>
>
> Hello, Andrew!
>
>
> you already tried to launch CI in fork [PATCH] Minor: ssl: Build with new
> cryptographic library AWS-LC by andrewhop · Pull Request #1 ·
> andrewhop/haproxy (github.com)
>
>
> please make sure you've enabled GHA for fork (here: Actions ·
> andrewhop/haproxy (github.com))
>
>
> also, current trigger is set to "push"
> haproxy/.github/workflows/vtest.yml at master · andrewhop/haproxy · GitHub
>
>
>
> I'd try
>
>
> on: [ push, pull_request, workflow_dispatch ]
>
>
>
>
>
> Wed, 12 Jul 2023 at 02:29, Hopkins, Andrew <and...@amazon.com>:
> Hello HAProxy maintainers, I work on the AWS libcrypto (AWS-LC) project
> [1]. Our goal is to improve the cryptography we use internally at AWS and
> help our customers externally. In the spirit of helping people use good
> crypto we know it’s important to make it easy to use AWS-LC everywhere
> they use cryptography. This is why we are interested in integrating AWS-LC
> into HAProxy.
>
> AWS-LC is a fork of BoringSSL which you already partially support. We
> recently merged in several PRs (Full OCSP support [2] and custom extension
> support [3]) to fully support HAProxy the same as OpenSSL. To ensure we
> continue to support HAProxy long term we added HAProxy built with AWS-LC
> to our CI [4].
>
> In our early testing we see modest improvements in overall throughput when
> compared to OpenSSL 3.1 on x86 and arm CPUs. Following a similar setup as
> this blog [5] I observe a small (~2.5%) increase in requests per second for
> 5 kb requests on a C6i (x86) and C6g (arm) instance using TLS 1.3 and AES
> 256 GCM. For both tests I used `taskset -c 2-47 ./h1load -e -ll -P -t 46 -s
> 30 -d 120 -c 500 https://[c6i or c6g ip]:[aws-lc or openssl port]/?s=5k`.
>
> This small difference in this symmetric crypto workload comes down to
> AWS-LC and OpenSSL having similar AES implementations. We observe larger
> performance improvements with our micro-benchmarks for algorithms related
> to the TLS handshake such as 15% reduction for ECDH with P-256, and 40%
> reduction for P-521 on a C6i. This comes from our s2n-bignum library[6], a
> formally verified bignum library with a focus on performance and
> correctness.
>
> When built with AWS-LC all current regression tests pass. I have included
> a small patch to update your documentation with AWS-LC as an option and I
> attempted to add AWS-LC to your CI. I need a little help figuring out how
> to test that part. Lastly from your excellent contributing guide I am not
> subscribed so I would like to be cc’d on all responses.
>
> Thanks, Andrew
>
> [1] https://github.com/aws/aws-lc
> [2] https://github.com/aws/aws-lc/pull/1054
> [3] https://github.com/aws/aws-lc/pull/1071
> [4] https://github.com/aws/aws-lc/pull/1083
> [5] https://www.haproxy.com/blog/haproxy-forwards-over-2-million-http-requests-per-second-on-a-single-aws-arm-instance
> [6] https://github.com/awslabs/s2n-bignum
>
>
>
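
The callback-type difference described in the quoted message above, modelled in plain C as an added example (not code from HAProxy, OpenSSL or AWS-LC). All `mock_*` names and the command number are hypothetical stand-ins: a ctrl-style getter that takes the out-parameter as `void *` next to a typed getter that lets the compiler check it.

```c
#include <stddef.h>

/* Stand-in types for this illustration only; no libcrypto headers are used. */
typedef struct mock_ssl { int id; } mock_ssl;
typedef int (*status_cb_t)(mock_ssl *, void *); /* shape: int (*cb)(SSL *, void *) */
typedef struct mock_ctx { status_cb_t status_cb; } mock_ctx;

#define MOCK_CTRL_GET_STATUS_CB 128 /* constructed command number */

/* ctrl-style getter: the out-parameter arrives as void *, so the compiler
 * cannot see what the caller passed; the cast happens in here. */
static long mock_ctx_ctrl(mock_ctx *ctx, int cmd, long larg, void *parg)
{
    (void)larg;
    if (cmd != MOCK_CTRL_GET_STATUS_CB || parg == NULL)
        return 0;
    *(status_cb_t *)parg = ctx->status_cb;
    return 1;
}
#define mock_get_status_cb_macro(ctx, out) \
    mock_ctx_ctrl((ctx), MOCK_CTRL_GET_STATUS_CB, 0, (void *)(out))

/* Typed getter: passing &callback with callback declared as void (*)(void)
 * is diagnosed here (an error under -Werror=incompatible-pointer-types). */
static int mock_get_status_cb_typed(mock_ctx *ctx, status_cb_t *out)
{
    if (out == NULL)
        return 0;
    *out = ctx->status_cb;
    return 1;
}

static int sample_status_cb(mock_ssl *ssl, void *arg)
{
    (void)arg;
    return ssl->id + 1;
}

/* Fetch the callback through both getters with the correct type, then call it. */
int demo_roundtrip(void)
{
    mock_ctx ctx = { sample_status_cb };
    mock_ssl ssl = { 41 };
    status_cb_t via_macro = NULL, via_typed = NULL;

    if (!mock_get_status_cb_macro(&ctx, &via_macro)) return -1;
    if (!mock_get_status_cb_typed(&ctx, &via_typed)) return -1;
    if (via_macro != via_typed) return -2;
    return via_typed(&ssl, NULL);
}

int main(void) { return demo_roundtrip() == 42 ? 0 : 1; }
```

Declaring the variable with the `int (*)(SSL *, void *)` shape satisfies both styles of getter, which is why one declaration can serve both libraries.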
