OpenSSL 3.2 QUIC stack based HTTP/3 #12734

Closed

icing (Contributor) commented Jan 18, 2024

  • HTTP/3 for curl using OpenSSL's own QUIC stack together with nghttp3
  • configure with --with-openssl-quic to enable curl to build this. This requires the nghttp3 library
  • implementation with the following restrictions:
    • macOS has to use an unconnected UDP socket due to an issue in OpenSSL's datagram implementation. See "OpenSSL 3.2.0, QUIC, macOS, error 56 on connected UDP socket" (openssl/openssl#23251). This makes connections to non-responsive servers hang.
    • GET requests will send the indicator that they have no body in a separate QUIC packet. This may result in processing delays or Transfer-Encodings on proxied requests
    • uploads that encounter blocks will use 100% cpu as detection of these flow control issues is not working (we have not figured out how to pry that from OpenSSL).
  • added a CI job for linux, excluding http/3 tests in suite, since 2500 and 2502 fail

@github-actions github-actions bot added tests CI Continuous Integration labels Jan 18, 2024
bagder (Member) commented Jan 19, 2024

Can you also add a description to HTTP3.md how to build this setup?

- HTTP/3 for curl using OpenSSL's own QUIC stack together
  with nghttp3
- configure with `--with-openssl-quic` to enable curl to
  build this. This requires the nghttp3 library
- implementation with the following restrictions:
  * macOS has to use an unconnected UDP socket due to an
    issue in OpenSSL's datagram implementation
    See openssl/openssl#23251
    This makes connections to non-responsive servers hang.
  * GET requests will send the indicator that they have
    no body in a separate QUIC packet. This may result
    in processing delays or Transfer-Encodings on proxied
    requests
  * uploads that encounter blocks will use 100% cpu as
    detection of these flow control issues is not working
    (we have not figured out how to pry that from OpenSSL).
- remove no longer needed config param in building openssl3
@icing icing marked this pull request as ready for review January 22, 2024 08:19
icing (Contributor, Author) commented Jan 22, 2024

> Can you also add a description to HTTP3.md how to build this setup?

Done.

@icing icing requested a review from bagder January 22, 2024 08:20
@icing icing added feature-window A merge of this requires an open feature window HTTP/3 h3 or quic related labels Jan 22, 2024
@icing icing changed the title OpenSSL 3.2 QUIC stack based HTTP/3 (WIP) OpenSSL 3.2 QUIC stack based HTTP/3 Jan 22, 2024
bagder (Member) left a comment

Otherwise I think this looks good!

@bagder bagder closed this in 0535f6e Jan 22, 2024
vszakats added a commit to curl/curl-for-win that referenced this pull request Jan 22, 2024
It works with some manual hacks due to nghttp3 being undetected by autotools
(a long-time issue).

When enabled, the version string is showing some duplication:
```
curl 8.6.0-DEV (x86_64-w64-mingw32) libcurl/8.6.0-DEV OpenSSL/3.2.0 (Schannel) zlib/1.3 WinIDN libssh2/1.11.1_DEV nghttp2/1.58.0 OpenSSL/3.2.0 (Schannel) nghttp3/1.1.0
Release-Date: [unreleased]
Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp ws wss
Features: alt-svc AsynchDNS HSTS HTTP2 HTTP3 HTTPS-proxy IDN IPv6 Kerberos Largefile libz MultiSSL NTLM SPNEGO SSL SSPI threadsafe UnixSockets
```

Ref: curl/curl@0535f6e
Ref: curl/curl#12734
vszakats (Member) commented Jan 22, 2024

A few observations after enabling support for this in curl-for-win:

  • CMake logic is missing, so enabled it only for autotools.
  • OpenSSL 3.2.0 requires -lcrypt32 on Windows, but not added by autotools, so detection fails unless adding it to LIBS manually (pre-existing issue).
  • nghttp3 (and ngtcp2) have a long-time detection issue with autotools, so have to force-enable it. This means that HTTP/3 also needs to be force-enabled to get OpenSSL QUIC enabled. (pre-existing issue)
  • TLS backends are duplicated in the -V output:
```
curl 8.6.0-DEV (x86_64-w64-mingw32) libcurl/8.6.0-DEV OpenSSL/3.2.0 (Schannel) zlib/1.3 WinIDN \
  libssh2/1.11.1_DEV nghttp2/1.58.0 OpenSSL/3.2.0 (Schannel) nghttp3/1.1.0
Release-Date: [unreleased]
Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp ws wss
Features: alt-svc AsynchDNS HSTS HTTP2 HTTP3 HTTPS-proxy IDN IPv6 Kerberos Largefile libz MultiSSL NTLM SPNEGO SSL SSPI threadsafe UnixSockets
```
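
A check a packager could run over the `curl -V` output quoted in the comment above, as an added example that is not part of the original thread or of curl's own code: it confirms the HTTP3 feature and the OpenSSL and nghttp3 components are reported, and flags components listed more than once. The function names are hypothetical, and the sample text is copied from the output quoted in the thread.

```shell
#!/bin/sh
# Sample input: the `curl -V` text quoted in the thread above.
SAMPLE_V='curl 8.6.0-DEV (x86_64-w64-mingw32) libcurl/8.6.0-DEV OpenSSL/3.2.0 (Schannel) zlib/1.3 WinIDN libssh2/1.11.1_DEV nghttp2/1.58.0 OpenSSL/3.2.0 (Schannel) nghttp3/1.1.0
Release-Date: [unreleased]
Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp ws wss
Features: alt-svc AsynchDNS HSTS HTTP2 HTTP3 HTTPS-proxy IDN IPv6 Kerberos Largefile libz MultiSSL NTLM SPNEGO SSL SSPI threadsafe UnixSockets'

# Components after "curl VERSION (PLATFORM)" that occur more than once.
# Assumes that three-field prefix on line 1 (hypothetical helper).
duplicate_components() {
  printf '%s\n' "$1" | awk 'NR == 1 {
    for (i = 4; i <= NF; i++) if (++seen[$i] == 2) print $i
  }'
}

# Version of one named component (e.g. nghttp3); empty if not listed.
component_version() {
  printf '%s\n' "$1" | awk -v n="$2" 'NR == 1 {
    for (i = 4; i <= NF; i++) {
      split($i, kv, "/")
      if (kv[1] == n) { print kv[2]; exit }
    }
  }'
}

# Exit 0 only if the Features: line lists the feature as a whole word.
has_feature() {
  printf '%s\n' "$1" | awk -v f="$2" '/^Features:/ {
    for (i = 2; i <= NF; i++) if ($i == f) found = 1
  } END { exit !found }'
}

# Report on an OpenSSL + nghttp3 HTTP/3 build; non-zero if anything is off.
check_h3_build() {
  rc=0
  has_feature "$1" HTTP3 || { echo "HTTP3 missing from Features"; rc=1; }
  for lib in OpenSSL nghttp3; do
    v=$(component_version "$1" "$lib")
    if [ -n "$v" ]; then echo "$lib $v"; else echo "$lib not listed"; rc=1; fi
  done
  dups=$(duplicate_components "$1")
  [ -z "$dups" ] || { echo "listed more than once:" $dups; rc=1; }
  return $rc
}

check_h3_build "$SAMPLE_V" || echo "build output needs attention"
```

To check a real build, pass `"$(curl -V)"` in place of the sample text.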

talregev commented Feb 22, 2024

@icing Can you add the cmake functionality / flag to compile http3 with openssl 3.2 + nghttp3 ?

icing (Contributor, Author) commented Feb 23, 2024

@talregev I must admit my cmake skills are lacking.

talregev commented

I will open an issue about it.
