Skip to content

Commit

Permalink
http3: initial support for OpenSSL 3.2 QUIC stack
Browse files Browse the repository at this point in the history 
- HTTP/3 for curl using OpenSSL's own QUIC stack together
  with nghttp3
- configure with `--with-openssl-quic` to enable curl to
  build this. This requires the nghttp3 library
- implementation with the following restrictions:
  * macOS has to use an unconnected UDP socket due to an
    issue in OpenSSL's datagram implementation
    See openssl/openssl#23251
    This makes connections to non-reponsive servers hang.
  * GET requests will send the indicator that they have
    no body in a separate QUIC packet. This may result
    in processing delays or Transfer-Encodings on proxied
    requests
  * uploads that encounter blocks will use 100% cpu as
    detection of these flow control issue is not working
    (we have not figured out to pry that from OpenSSL).

Closes #12734
  • Loading branch information
@icing @bagder
icing authored and bagder committed Jan 22, 2024
1 parent f81a335 commit 0535f6e
Show file tree
Hide file tree
Showing 15 changed files with 2,698 additions and 16 deletions.
233 changes: 233 additions & 0 deletions .github/workflows/osslq-linux.yml
View file
@@ -0,0 +1,233 @@
# Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
#
# SPDX-License-Identifier: curl

name: osslq-linux

on:
push:
branches:
- master
- '*/ci'
paths-ignore:
- '**/*.md'
- '**/CMakeLists.txt'
- '.azure-pipelines.yml'
- '.circleci/**'
- '.cirrus.yml'
- 'appveyor.*'
- 'CMake/**'
- 'packages/**'
- 'plan9/**'
- 'projects/**'
- 'winbuild/**'
pull_request:
branches:
- master
paths-ignore:
- '**/*.md'
- '**/CMakeLists.txt'
- '.azure-pipelines.yml'
- '.circleci/**'
- '.cirrus.yml'
- 'appveyor.*'
- 'CMake/**'
- 'packages/**'
- 'plan9/**'
- 'projects/**'
- 'winbuild/**'

concurrency:
# Hardcoded workflow filename as workflow name above is just Linux again
group: osslq-${{ github.event.pull_request.number || github.sha }}
cancel-in-progress: true

permissions: {}

env:
MAKEFLAGS: -j 3
openssl3-version: openssl-3.2.0
quictls-version: 3.1.4+quic
nghttp3-version: v1.1.0
ngtcp2-version: v1.1.0
nghttp2-version: master
mod_h2-version: v2.0.25

jobs:
autotools:
name: ${{ matrix.build.name }}
runs-on: 'ubuntu-latest'
timeout-minutes: 60
strategy:
fail-fast: false
matrix:
build:
- name: openssl-quic
configure: >-
PKG_CONFIG_PATH="$HOME/openssl3/lib/pkgconfig" LDFLAGS="-Wl,-rpath,$HOME/openssl3/lib"
--enable-warnings --enable-werror --enable-debug --disable-ntlm
--with-test-nghttpx="$HOME/nghttpx/bin/nghttpx"
--with-openssl=$HOME/openssl3 --with-openssl-quic
--with-nghttp3=$HOME/nghttpx
steps:
- run: |
sudo apt-get update
sudo apt-get install libtool autoconf automake pkg-config stunnel4 \
libpsl-dev libbrotli-dev libzstd-dev zlib1g-dev libev-dev libc-ares-dev \
nettle-dev libp11-kit-dev libtspi-dev libunistring-dev guile-2.2-dev libtasn1-bin \
libtasn1-6-dev libidn2-0-dev gawk gperf libtss2-dev dns-root-data bison gtk-doc-tools \
texinfo texlive texlive-extra-utils autopoint libev-dev \
apache2 apache2-dev libnghttp2-dev
name: 'install prereqs and impacket, pytest, crypto, apache2'
- name: cache openssl3
if: contains(matrix.build.install_steps, 'openssl3')
uses: actions/cache@v3
id: cache-openssl3
env:
cache-name: cache-openssl3
with:
path: /home/runner/openssl3
key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ env.openssl3-version }}

- name: 'install openssl3'
if: steps.cache-openssl3.outputs.cache-hit != 'true'
run: |
git clone --quiet --depth=1 -b ${{ env.openssl3-version }} https://github.com/openssl/openssl
cd openssl
./config --prefix=$HOME/openssl3 --libdir=$HOME/openssl3/lib
make -j1 install_sw
- name: cache quictls
if: contains(matrix.build.install_steps, 'quictls')
uses: actions/cache@v3
id: cache-quictls
env:
cache-name: cache-quictls
with:
path: /home/runner/quictls
key: ${{ runner.os }}-build-${{ env.cache-name }}-quictls-${{ env.quictls-version }}

- name: cache quictls
uses: actions/cache@v3
id: cache-quictls-no-deprecated
env:
cache-name: cache-quictls-no-deprecated
with:
path: /home/runner/quictls
key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ env.quictls-version }}

- if: steps.cache-quictls-no-deprecated.outputs.cache-hit != 'true'
run: |
cd $HOME
git clone --quiet --depth=1 -b openssl-${{ env.quictls-version }} https://github.com/quictls/openssl quictls
cd quictls
./config no-deprecated --prefix=$HOME/nghttpx --libdir=$HOME/nghttpx/lib
make
name: 'build quictls'

- run: |
cd $HOME/quictls
make -j1 install_sw
name: 'install quictls'
- name: cache nghttp3
uses: actions/cache@v3
id: cache-nghttp3
env:
cache-name: cache-nghttp3
with:
path: /home/runner/nghttp3
key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ env.nghttp3-version }}

- if: steps.cache-nghttp3.outputs.cache-hit != 'true'
run: |
cd $HOME
git clone --quiet --depth=1 -b ${{ env.nghttp3-version }} https://github.com/ngtcp2/nghttp3
cd nghttp3
autoreconf -fi
./configure --prefix=$HOME/nghttpx PKG_CONFIG_PATH="$HOME/nghttpx/lib/pkgconfig" --enable-lib-only
make
name: 'build nghttp3'

- run: |
cd $HOME/nghttp3
make install
name: 'install nghttp3'
# depends on all other cached libs built so far
- run: |
git clone --quiet --depth=1 -b ${{ env.ngtcp2-version }} https://github.com/ngtcp2/ngtcp2
cd ngtcp2
autoreconf -fi
./configure --prefix=$HOME/nghttpx PKG_CONFIG_PATH="$HOME/nghttpx/lib/pkgconfig" --enable-lib-only --with-openssl
make install
name: 'install ngtcp2'
# depends on all other cached libs built so far
- run: |
git clone --quiet --depth=1 -b ${{ env.nghttp2-version }} https://github.com/nghttp2/nghttp2
cd nghttp2
autoreconf -fi
./configure --prefix=$HOME/nghttpx PKG_CONFIG_PATH="$HOME/nghttpx/lib/pkgconfig" --enable-http3
make install
name: 'install nghttp2'
- name: cache mod_h2
uses: actions/cache@v3
id: cache-mod_h2
env:
cache-name: cache-mod_h2
with:
path: /home/runner/mod_h2
key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ env.mod_h2-version }}

- if: steps.cache-mod_h2.outputs.cache-hit != 'true'
run: |
cd $HOME
git clone --quiet --depth=1 -b ${{ env.mod_h2-version }} https://github.com/icing/mod_h2
cd mod_h2
autoreconf -fi
./configure
make
name: 'build mod_h2'

- run: |
cd $HOME/mod_h2
sudo make install
name: 'install mod_h2'
- uses: actions/checkout@v4

- run: |
sudo python3 -m pip install -r tests/requirements.txt -r tests/http/requirements.txt
name: 'install python test prereqs'
- run: autoreconf -fi
name: 'autoreconf'

- run: ./configure ${{ matrix.build.configure }}
name: 'configure'

- run: make V=1
name: 'make'

- run: make V=1 examples
name: 'make examples'

- run: make V=1 -C tests
name: 'make tests'

- run: make V=1 test-ci
name: 'run tests'
env:
# 2500 and 25002 fail atm due to fin handling
TFLAGS: "!http/3"

- run: pytest -v tests
name: 'run pytest'
env:
TFLAGS: "${{ matrix.build.tflags }}"
CURL_CI: github
81 changes: 70 additions & 11 deletions configure.ac
View file
Expand Up @@ -175,7 +175,7 @@ curl_headers_msg="enabled (--disable-headers-api)"
ssl_backends=
curl_h1_msg="enabled (internal)"
curl_h2_msg="no (--with-nghttp2)"
curl_h3_msg="no (--with-ngtcp2 --with-nghttp3, --with-quiche, --with-msh3)"
curl_h3_msg="no (--with-ngtcp2 --with-nghttp3, --with-quiche, --with-openssl-quic, --with-msh3)"

enable_altsvc="yes"
hsts="yes"
Expand Down Expand Up @@ -3001,14 +3001,53 @@ if test "x$NGTCP2_ENABLED" = "x1" -a "x$WOLFSSL_ENABLED" = "x1"; then
fi
fi

dnl **********************************************************************
dnl Check for OpenSSL QUIC
dnl **********************************************************************

OPT_OPENSSL_QUIC="no"

if test "x$disable_http" = "xyes" -o "x$OPENSSL_ENABLED" != "x1"; then
# without HTTP or without openssl, no use
OPT_OPENSSL_QUIC="no"
fi

AC_ARG_WITH(openssl-quic,
AS_HELP_STRING([--with-openssl-quic],[Enable OpenSSL QUIC usage])
AS_HELP_STRING([--without-openssl-quic],[Disable OpenSSL QUIC usage]),
[OPT_OPENSSL_QUIC=$withval])
case "$OPT_OPENSSL_QUIC" in
no)
dnl --without-openssl-quic option used
want_openssl_quic="no"
;;
yes)
dnl --with-openssl-quic option used
want_openssl_quic="yes"
;;
esac

curl_openssl_quic_msg="no (--with-openssl-quic)"
if test "x$want_openssl_quic" = "xyes"; then

if test "$NGTCP2_ENABLED" = 1; then
AC_MSG_ERROR([--with-openssl-quic and --with-ngtcp2 are mutually exclusive])
fi
if test "$HAVE_OPENSSL_QUIC" != 1; then
AC_MSG_ERROR([--with-openssl-quic requires quic support in OpenSSL])
fi
AC_DEFINE(USE_OPENSSL_QUIC, 1, [if openssl QUIC is in use])
AC_SUBST(USE_OPENSSL_QUIC, [1])
fi

dnl **********************************************************************
dnl Check for nghttp3 (HTTP/3 with ngtcp2)
dnl **********************************************************************

OPT_NGHTTP3="yes"

if test "x$NGTCP2_ENABLED" = "x"; then
# without ngtcp2, nghttp3 is of no use for us
if test "x$USE_NGTCP2" = "x" -a "$USE_OPENSSL_QUIC" = "x"; then
# without ngtcp2 or openssl quic, nghttp3 is of no use for us
OPT_NGHTTP3="no"
fi

Expand Down Expand Up @@ -3036,10 +3075,6 @@ esac
curl_http3_msg="no (--with-nghttp3)"
if test X"$want_nghttp3" != Xno; then

if test "$NGTCP2_ENABLED" != "1"; then
AC_MSG_ERROR([--with-nghttp3 also requires --with-ntcp2])
fi

dnl backup the pre-nghttp3 variables
CLEANLDFLAGS="$LDFLAGS"
CLEANCPPFLAGS="$CPPFLAGS"
Expand Down Expand Up @@ -3070,8 +3105,6 @@ if test X"$want_nghttp3" != Xno; then
AC_CHECK_LIB(nghttp3, nghttp3_conn_client_new_versioned,
[
AC_CHECK_HEADERS(nghttp3/nghttp3.h,
curl_h3_msg="enabled (ngtcp2 + nghttp3)"
NGHTTP3_ENABLED=1
AC_DEFINE(USE_NGHTTP3, 1, [if nghttp3 is in use])
AC_SUBST(USE_NGHTTP3, [1])
CURL_LIBRARY_PATH="$CURL_LIBRARY_PATH:$DIR_NGHTTP3"
Expand All @@ -3096,6 +3129,29 @@ if test X"$want_nghttp3" != Xno; then

fi

dnl **********************************************************************
dnl Check for ngtcp2 and nghttp3 (HTTP/3 with ngtcp2 + nghttp3)
dnl **********************************************************************

if test "x$NGTCP2_ENABLED" = "x1" -a "x$USE_NGHTTP3" = "x1"; then
AC_DEFINE(USE_NGTCP2_H3, 1, [if ngtcp2 + nghttp3 is in use])
AC_SUBST(USE_NGTCP2_H3, [1])
AC_MSG_NOTICE([HTTP3 support is experimental])
curl_h3_msg="enabled (ngtcp2 + nghttp3)"
fi

dnl **********************************************************************
dnl Check for OpenSSL and nghttp3 (HTTP/3 with nghttp3 using OpenSSL QUIC)
dnl **********************************************************************

if test "x$USE_OPENSSL_QUIC" = "x1" -a "x$USE_NGHTTP3" = "x1"; then
experimental="$experimental HTTP3"
AC_DEFINE(USE_OPENSSL_H3, 1, [if openssl quic + nghttp3 is in use])
AC_SUBST(USE_OPENSSL_H3, [1])
AC_MSG_NOTICE([HTTP3 support is experimental])
curl_h3_msg="enabled (openssl + nghttp3)"
fi

dnl **********************************************************************
dnl Check for quiche (QUIC)
dnl **********************************************************************
Expand Down Expand Up @@ -3245,6 +3301,9 @@ if test X"$want_msh3" != Xno; then
if test "$NGHTTP3_ENABLED" = 1; then
AC_MSG_ERROR([--with-msh3 and --with-ngtcp2 are mutually exclusive])
fi
if test "$QUICHE_ENABLED" = 1; then
AC_MSG_ERROR([--with-msh3 and --with-quiche are mutually exclusive])
fi

dnl backup the pre-msh3 variables
CLEANLDFLAGS="$LDFLAGS"
Expand Down Expand Up @@ -4575,8 +4634,8 @@ if test "x$USE_NGHTTP2" = "x1"; then
SUPPORT_FEATURES="$SUPPORT_FEATURES HTTP2"
fi

if test "x$USE_NGTCP2" = "x1" -o "x$USE_QUICHE" = "x1" \
-o "x$USE_MSH3" = "x1"; then
if test "x$USE_NGTCP2_H3" = "x1" -o "x$USE_QUICHE" = "x1" \
-o "x$USE_OPENSSL_H3" = "x1" -o "x$USE_MSH3" = "x1"; then
SUPPORT_FEATURES="$SUPPORT_FEATURES HTTP3"
fi

Expand Down

0 comments on commit 0535f6e

Please sign in to comment.