
haproxy: 2.9.2 -> 2.9.3; Enable QUIC support #262401

Merged: 2 commits, Jan 19, 2024

Conversation

@vifino (Member) commented Oct 20, 2023

Description of changes

This enables switching SSL Libraries.
In addition, this switches to PCRE2 and Lua 5.4 from PCRE and Lua 5.3.
Should have no functional differences, apart from the added QUIC support which needs to be configured in HAProxy.

This also adds more test cases, specifically for SSL, mutual TLS and QUIC.

According to the recent SSL Library Support Wiki Page, OpenSSL 3.X is not the best choice by far.

I would really like WolfSSL, as that seems to be the one with the best performance, yet there are still many unimplemented features.
It requires a different build config, but that's the way wolfssl intends to be used.

However, in order to make this easier to merge without worrying about breakage, it still defaults to OpenSSL (3.X).
A future PR might flip the switch, though.

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 23.11 Release Notes (or backporting 23.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

@vifino (Member, Author) commented Oct 20, 2023

I saw #202922, but that is IMO not the way to go.
OpenSSL 3.X is not recommended for HAProxy.
As a direct quote from SSL Library Support Wiki Page:

At this point, OpenSSL 3.x is basically only usable for personal sites. Users seeking anything serious performance-wise will need to stay on version 1.1.1 provided by their vendor or to recompile one of the alternate libraries below.

@vifino vifino changed the title haproxy: Enable QUIC support by switching to LibreSSL haproxy: Enable QUIC support by switching to WolfSSL Oct 21, 2023
@vifino (Member, Author) commented Oct 21, 2023

Put the effort in to make it work with WolfSSL, which is the best option at the moment and seems to be the preferred path moving forward.
Should be less user-facing breakage than LibreSSL, actually!

@vifino (Member, Author) commented Oct 21, 2023

Actually, I'll rework the WolfSSL derivation first.

Resolved review threads (now outdated): 7 on pkgs/development/libraries/wolfssl/default.nix, 3 on pkgs/tools/networking/haproxy/default.nix
@vifino (Member, Author) commented Oct 22, 2023

Hey @SuperSandro2000, thank you kindly for reviewing.

The wolfssl changes are from #262594, I just needed to base the HAProxy changes on top - but I implemented your feedback (or tried, at least).

As for the sslPkgs stuff, I am not sure how to do it better as I'd need to detect if it's OpenSSL, OpenSSL with QuicTLS-compatible API (QuicTLS, BoringSSL, LibreSSL) or WolfSSL.
Do you have a suggestion?

@wlallemand commented

Small update: we released haproxy 2.8.4, you can now enable USE_QUIC_OPENSSL_COMPAT=1 to have QUIC with a non-patched version of openssl.

@vifino vifino changed the title haproxy: Enable QUIC support haproxy: 2.8.4 -> 2.9.0; Enable QUIC support Dec 6, 2023
@vifino (Member, Author) commented Dec 6, 2023

Update on this:

  • Bumped to 2.9.0, it removes the need for some workarounds.
  • Enabled USE_QUIC_OPENSSL_COMPAT for OpenSSL. All providers enable QUIC now.
  • Default to QuicTLS; OpenSSL with QUIC compat does not seem to work nicely with mTLS. Breakage of existing setups should still be zero.

@vifino vifino marked this pull request as ready for review December 6, 2023 08:23
@vifino vifino force-pushed the haproxy-quic branch 3 times, most recently from 35f103f to 4f20d3b Compare December 6, 2023 16:02
@vifino (Member, Author) commented Dec 6, 2023

Hey @wlallemand.

I tried OpenSSL with USE_QUIC_OPENSSL_COMPAT=1 on 2.9.0 but it seems to not work properly with QUIC certificate auth.

I've enabled limited-quic in the global section, but my previously working testsuite (testing HTTP, HTTPS, HTTPS + Certificate Auth and QUIC + Certificate Auth) now fails on the last QUIC Cert Auth step.

The curl call going to the quic listener with verify required fails with the following:

curl: (55) sendmsg() returned -1 (errno 5); disable GSO

(Of course, I disabled GSO, but that didn't help.)

Meanwhile, the same tests run just fine with a haproxy compiled with quictls, which is the only difference between those runs.

Should I open an issue about this?
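The test setup described in the comment above, written out as an added illustration that is not part of this PR or of the nixpkgs haproxy package: a global `limited-quic` keyword (only needed for the OpenSSL compat build) plus TCP/TLS and QUIC listeners that both require a client certificate. Certificate paths, the backend address and the hostname are placeholders.

```haproxy
global
    # Only meaningful when HAProxy is built against stock OpenSSL with
    # USE_QUIC_OPENSSL_COMPAT=1; harmless for QuicTLS/WolfSSL builds.
    limited-quic

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_tls
    # TCP/TLS listener: HTTPS with a mandatory client certificate (mTLS).
    bind :443 ssl crt /etc/haproxy/server.pem ca-file /etc/haproxy/ca.pem verify required alpn h2,http/1.1
    # UDP/QUIC listener on the same port with the same mTLS requirement.
    bind quic4@:443 ssl crt /etc/haproxy/server.pem ca-file /etc/haproxy/ca.pem verify required alpn h3
    # Tell TCP clients that HTTP/3 is available on the same port.
    http-response set-header alt-svc 'h3=":443"; ma=3600'
    default_backend be_app

backend be_app
    # Placeholder upstream; replace with the real application.
    server app1 127.0.0.1:8080
```

A client check mirroring the failing step is `curl --http3-only --cert client.pem --key client.key --cacert ca.pem https://example.test/`, which must succeed with the client certificate and be rejected at the handshake without it.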

@wlallemand commented

@vifino I'm not aware of any issue of this kind with the openssl compat layer, it could be a bug or a limitation of the current architecture. Did you have the same issue with 2.8.4? Better open an issue on the haproxy GitHub indeed! Thanks.

@vifino vifino changed the title haproxy: 2.8.4 -> 2.9.0; Enable QUIC support haproxy: 2.8.4 -> 2.9.1; Enable QUIC support Dec 19, 2023
@vifino vifino force-pushed the haproxy-quic branch 2 times, most recently from 49e9415 to a2e52a9 Compare January 19, 2024 17:43
@vifino vifino changed the title haproxy: 2.8.4 -> 2.9.1; Enable QUIC support haproxy: Enable QUIC support Jan 19, 2024
This allows switching SSL Libraries between OpenSSL, QuicTLS, LibreSSL,
and WolfSSL.
The default is changed to QuicTLS, as it is feature-compatible with
OpenSSL and not experimental.
Also switched to PCRE2 and Lua 5.4.
@vifino vifino changed the title haproxy: Enable QUIC support haproxy: 2.9.2 -> 2.9.3; Enable QUIC support Jan 19, 2024
@h7x4 (Member) left a comment

This looks really good. Thank you!

@h7x4 h7x4 merged commit aeee68c into NixOS:master Jan 19, 2024
23 of 25 checks passed
@h7x4 h7x4 mentioned this pull request Jan 19, 2024
13 tasks
@vifino vifino deleted the haproxy-quic branch January 21, 2024 01:39
Labels
  • 6.topic: nixos (Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS)
  • 8.has: package (new) (This PR adds a new package)
  • 10.rebuild-darwin: 1-10
  • 10.rebuild-darwin: 1
  • 10.rebuild-linux: 1-10
  • 10.rebuild-linux: 1
  • 11.by: package-maintainer (This PR was created by the maintainer of the package it changes)
4 participants