This is currently expected. AWS-LC inherited the different names from BoringSSL and AWS-LC doesn’t define OPENSSL_IS_BORINGSSL. So, in the HAProxy QUIC code here [1] we fall into the OpenSSL branch and the names don’t line up. In a follow up change we could tweak the if/def or AWS-LC could streamline the names. This also came up in the AWS-LC CI PR [2].
[1] https://github.com/haproxy/haproxy/blob/master/include/haproxy/quic_tls-t.h#L28 [2] https://github.com/aws/aws-lc/pull/1097#discussion_r1265953494 From: Илья Шипицин <chipits...@gmail.com> Date: Monday, July 17, 2023 at 3:09 PM To: Willy Tarreau <w...@1wt.eu> Cc: Aleksandar Lazic <al-hapr...@none.at>, "Hopkins, Andrew" <and...@amazon.com>, "haproxy@formilux.org" <haproxy@formilux.org> Subject: RE: [EXTERNAL][PATCH] BUILD: ssl: Build with new cryptographic library AWS-LC CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe. сб, 15 июл. 2023 г. в 10:44, Willy Tarreau <w...@1wt.eu<mailto:w...@1wt.eu>>: Hi Alex, Andrew, On Thu, Jul 13, 2023 at 11:54:44AM +0200, Aleksandar Lazic wrote: > On 2023-07-13 (Do.) 08:22, Hopkins, Andrew wrote: > > * Do you plan to add quic (Server part) faster then OpenSSL? > > > > I have not looked into quic benchmarks but it uses the same > > cryptographic primitives as TLS so I imagine we'd be faster for a lot of > > the algorithms. It might not be useful for HAProxy which is all C, but > > AWS also launched s2n-quic [1] which does have extensive testing for > > correctness and performance. s2n-quic evenuses AWS-LC's libcrypto for > > all of the cryptographic operations [2] though our rust bindings > > aws-lc-rs [3]. > > Hm, this implies a dependency for rust which increases the complexity to > build HAProxy. From my point of view isn't this very helpfull to bring the > library into haproxy. I think there was a misunderstanding between you two above. I understand Alex' question as "will you merge quic support soon", but my understanding last time I had the opportunity to discuss about AWS-LC was that it *is* already there. Alex, what Andrew mentioned above is that their own QUIC implementation, s2n-quic, uses their rust bindings, but we don't need s2n-quic (since we have our own stack) and this will not add any dependency. I tried to build with USE_QUIC=1: [ilia@fedora haproxy]$ sh go.sh CC src/quic_conn.o CC src/h3.o CC src/xprt_quic.o CC src/quic_frame.o CC src/quic_tls.o In file included from src/quic_conn.c:60: include/haproxy/quic_tls.h: In function ‘tls_aead’: include/haproxy/quic_tls.h:124:14: error: ‘TLS1_3_CK_AES_128_GCM_SHA256’ undeclared (first use in this function); did you mean ‘TLS1_CK_AES_128_GCM_SHA256’? 124 | case TLS1_3_CK_AES_128_GCM_SHA256: | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ | TLS1_CK_AES_128_GCM_SHA256 compilation terminated due to -Wfatal-errors. make: *** [Makefile:998: src/quic_conn.o] Error 1 make: *** Waiting for unfinished jobs.... [ilia@fedora haproxy]$ > > * Will be there some packages for debian/ubuntu/RHEL/... so that the > > users of HAProxy can "just install and run" HAProxy with that SSL Lib? > > > > In the near future no. Currently AWS-LC does not support enough packages > > to fully replace libcrypto for the entire operating system, and > > balancing different programs using different library paths and libcrypto > > implementations is tricky. Eventually distributing static archives and > > shared libraries once we have more support makes sense. There is more > > context/history in this issue [4]. > > Uh that's a show stopper, at least from my point of view. This implies the > same work as HAProxy team have for wolfssl, BoringSSL and quictls and that's > a lot of work. I think that what would be important would be to find a package maintainer willing to maintain this into a distro for the whole maintenance life cycle of that distro. It also helps a lot in designing stable and durable APIs that boost adoption, because the early maintenance trouble are quickly learned during backports and everyone is more careful over time. One thing that should really be avoided would be to name the library as the regular openssl one, because while it helps with *early* adoption, it complicates everything over time and for all packages. For example, quictls adopted the .81 suffix (81 for "Q") and as such there's no conflict on the shared lib. For building, it's as simple as passing the SSL_INC/SSL_LIB during the build (and basically all software supporting openssl support this), so there's no trouble either, and all libs can coexist on the same distro. But yeah, it's really important to find someone willing to maintain such a package long enough for a distro, that fills a hole that the whole world is waiting to be plugged (since we know it will not come from openssl anyway). The partial support from various software is not a problem as long as openssl and aws-lc can coexist on the system. Some will just be built with one and others with the other. This has always existed and I would be surprised if there's no software linked against GNUtls on distros that ship it for example. So if aws-lc enters say, debian and ubuntu LTS, and common software like curl, apache, nginx, ngtcp2, haproxy can build with it, we'll basically have what users are waiting for to fully enable QUIC, and with a lib that cares about performance. For now there is only wolfSSL in that place, and while it works pretty well, it requires more porting effort from applications and a sensible set of build settings still needs to be defined for distros. In any case, the more options for package maintainers, the better. Regards, Willy
