quic: update ngtcp2, openssl APIs, and use ngtcp2-crypto #138
Conversation
jasnell
force-pushed
the
ngtcp2-crypto2
branch
4 times, most recently
from
f8c519a
to
7294c65
Compare
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
jasnell
force-pushed
the
ngtcp2-crypto2
branch
3 times, most recently
from
cd20336
to
6204b14
Compare
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
|
Ok, I've narrowed it down. ngtcp2 is buffering the handshake data and exiting because the handshake keys on the client side are not installed at the right time. ngtcp2 made a change that assumes that both the rx and tx handshake keys are available at the same time, which is based on the assumption that the boringssl quic APIs are being used. The timing of the KeyCB approach we currently have is different so we're running into an issue. Very happy that I finally narrowed that down but now need to find a fix for it... |
jasnell
force-pushed
the
ngtcp2-crypto2
branch
from
6204b14
to
2e418bf
Compare
|
Ah, well, this is going to be a fun one... Digging into it... tatsuhiro-san's initial modification to openssl to support quic included adding the key callback we use the get the keying material. That version of the quic modifications would invoke the key callback once per generated secret by patching into openssl's existing |
jasnell
force-pushed
the
master
branch
2 times, most recently
from
89ce0dd
to
a529ed5
Compare
This comment has been minimized.
This comment has been minimized.
jasnell
force-pushed
the
master
branch
2 times, most recently
from
e11fefb
to
40e5be0
Compare
jasnell
force-pushed
the
ngtcp2-crypto2
branch
from
2e418bf
to
dece94e
Compare
|
Ok, progress! With the two additional commits here we get a lot further along in the TLS handshake but we're still not all the way yet. Still digging...
|
|
Testing is confirming that we are now completing the client side of the TLS handshake! The server side, however, is still not completing. I'll track that down tomorrow. |
jasnell
force-pushed
the
ngtcp2-crypto2
branch
from
578b286
to
ddc38e1
Compare
|
PROGRESS! Ok, with a couple of exceptions, things should be working. There's still work to do in this PR to get things cleaned up. The one thing that's not working is accessing the client certificate on the server side. That's what I'll be chasing down tomorrow. But, progress has been made. |
jasnell
force-pushed
the
ngtcp2-crypto2
branch
from
8816ff0
to
4e79e93
Compare
|
WOO! Ok, this should be ready to go. There are still a few pieces that need to be revisited but we need some fixes in ngtcp2 to resolve those (see ngtcp2/ngtcp2#156) |
jasnell
changed the title
|
There's one commit in here that needs to be upstreamed... ngtcp2/ngtcp2#157 |
This reverts commit 170c5d0. PR-URL: #138 Reviewed-By: Anna Henningsen <[email protected]>
This reverts commit ecda77c. PR-URL: #138 Reviewed-By: Anna Henningsen <[email protected]>
PR-URL: #138 Reviewed-By: Anna Henningsen <[email protected]>
PR-URL: #138 Reviewed-By: Anna Henningsen <[email protected]>
PR-URL: #138 Reviewed-By: Anna Henningsen <[email protected]>
This commit will need to be submitted upstream then backed out once it lands and we can update PR-URL: #138 Reviewed-By: Anna Henningsen <[email protected]>
PR-URL: #138 Reviewed-By: Anna Henningsen <[email protected]>
PR-URL: #138 Reviewed-By: Anna Henningsen <[email protected]>
PR-URL: #138 Reviewed-By: Anna Henningsen <[email protected]>
PR-URL: nodejs/quic#138 Reviewed-By: Anna Henningsen <[email protected]>
PR-URL: nodejs/quic#138 Reviewed-By: Anna Henningsen <[email protected]>
This reverts commit 170c5d0. PR-URL: nodejs#138 Reviewed-By: Anna Henningsen <[email protected]>
This reverts commit ecda77c. PR-URL: nodejs#138 Reviewed-By: Anna Henningsen <[email protected]>
PR-URL: nodejs#138 Reviewed-By: Anna Henningsen <[email protected]>
PR-URL: nodejs#138 Reviewed-By: Anna Henningsen <[email protected]>
This commit will need to be submitted upstream then backed out once it lands and we can update PR-URL: nodejs#138 Reviewed-By: Anna Henningsen <[email protected]>
PR-URL: nodejs#138 Reviewed-By: Anna Henningsen <[email protected]>
This reverts commit 170c5d0. PR-URL: nodejs#138 Reviewed-By: Anna Henningsen <[email protected]>
This reverts commit ecda77c. PR-URL: nodejs#138 Reviewed-By: Anna Henningsen <[email protected]>
PR-URL: nodejs#138 Reviewed-By: Anna Henningsen <[email protected]>
PR-URL: nodejs#138 Reviewed-By: Anna Henningsen <[email protected]>
This commit will need to be submitted upstream then backed out once it lands and we can update PR-URL: nodejs#138 Reviewed-By: Anna Henningsen <[email protected]>
PR-URL: nodejs#138 Reviewed-By: Anna Henningsen <[email protected]>
PR-URL: nodejs#138 Reviewed-By: Anna Henningsen <[email protected]>
PR-URL: nodejs#138 Reviewed-By: Anna Henningsen <[email protected]>
PR-URL: #138 Reviewed-By: Anna Henningsen <[email protected]>
PR-URL: #138 Reviewed-By: Anna Henningsen <[email protected]>
PR-URL: #138 Reviewed-By: Anna Henningsen <[email protected]>
PR-URL: #138 Reviewed-By: Anna Henningsen <[email protected]>
Adopts the BoringSSL APIs based on openssl/openssl#8797. We may need to update the license accordingly. These will need to be tracked over time.
Update the implementation to use the new ngtcp2_crypto helper.
Note: because of the need to use the BoringSSL APIs, QUIC will not be available when using shared_openssl. Still need to make sure that's disabled in the build.
Checklist
make -j4 test(UNIX), orvcbuild test(Windows) passes