Quic should support OpenSSL 3.x

[wfurt]

Depends on microsoft/msquic#2039

MsQuic work:

Perf/Stress/Load tests known issues:

• OpenSSL 3.0 has perf regression in throughput and Handshake per second -- OpenSSL v3 Perf Regressions (from v1.1) microsoft/msquic#3410
  • Considered fixed by updating to OpenSSL 3.1

Functional tests known issues:

• Tests that rely on resumption ticket callbacks are failing -- Support QuicTLS (OpenSSL) 3.0 microsoft/msquic#2039
  • fixed in main: fix MAC_CTX creation with OpenSSL 3 microsoft/msquic#3436

Publishing of the changes:

• We need packages posted to appropriate feeds
  • packaging does not work for OpenSSL 3 microsoft/msquic#3443
  • as this is getting fixed in main we are waiting for the next release msquic 2.2 unless we decide to port
• Make sure that the published package is usable and works with .NET runtime
  • consume it in some of our docker images
    • Manually verified on Ubuntu 22.04 Helix & Docker images
    • Ubuntu 22.04 x64 (Helix) & Arm64 (Docker) successfully running in CI on the official 2.2.1 msquic package with OpenSSL 3 support

PRs:

• Enable use of OpenSSL 3 without deprecated functions microsoft/msquic#2083
• Add support for OpenSSL 3 as alternative TLS microsoft/msquic#3387
• fix MAC_CTX creation with OpenSSL 3 microsoft/msquic#3436
• improve OpenSSL detection during build microsoft/msquic#3390
• Onboard Tests for OpenSSL 3 microsoft/msquic#3388
• Fix Manual Flag for OpenSSL3 Perf Pipeline microsoft/msquic#3418
• Use same Tls as Prep microsoft/msquic#3429 ???

Runtime

Functional

• get some docker images with libmsquic from main that contains OpenSSL 3 -- @wfurt
  • added update alpine test images #81841 to include Alpine 3.17 as extra-platform
  • update msquic for Ubuntu 22 dotnet-buildtools-prereqs-docker#808
• find the intersection between distributions with OpenSSL 3 (from list bellow) and what we use in our infrastructure, list them, and use them for the item above -- @wfurt
  • the end goal is to use libmsquic for OpenSSL 3 on all platforms / distributions in our CI that ship with OpenSSL 3 as default
  • We only test Ubuntu 22.04 (x64 & arm64). In general, runtime seems to be lacking coverage for new OS versions.

Currently there are following Linux distributions we support that use OpenSSL 3 by default:

• Alpine 3.17+
• (to be released) Debian 12+
• Fedora 36+
• RHEL 9+ (CentOS Stream 9+ etc)
• Ubuntu 22.04+

With exception of Ubuntu (and unreleased Debian) the distributions offer a compatibility OpenSSL 1.1 package.
We should strategically decide what combinations to test. (perhaps also use extra-platforms pipeline for occasional spot-check)

Stress

• run stress locally with the current libmsquic with OpenSSL 3 -- @ManickaP -- see results at Quic should support OpenSSL 3.x #81801 (comment)

We should perhaps have at least one test runs with OpenSSL 3 since that is significantly different variant.

Perf

• run perf baseline locally, confirm it's somewhat stable and run it with libmsquic main with OpenSSL 3 -- @CarnaViire

Since the perf issues mentioned above, we should perhaps have separate benchmark for Linux with OpenSSL 3.

[ghost]

Tagging subscribers to this area: @dotnet/ncl
See info in area-owners.md if you want to be subscribed.

Issue Details

---

This primarily depends on microsoft/msquic#2039
there are currently functional & performance issues:

• OpenSSL3 has worse throughput and HPS perf
  -- Onboard Tests for OpenSSL 3 microsoft/msquic#3388 (comment)
• Tests that rely on resumption ticket callbacks are failing
  In addition, we will need packages posted to appropriate feeds.

I'm opening this to also track additional work for .NET.

functional:

Currently there are following distributions we support that use OpenSSL by default

• Ubuntu 22.04
• Fedora 37+
• Alpine 3.17
• Centos/RH 9 Stream
• (to be released) Debian 12

With exception of Ubuntu (and unreleased Debian) the distributions offer compatibility 1.1 package.
We should strategically decide what combinations to test. (perhaps also use extra-plaforms pipeline for occasional spot-check)

Stress:

We should perhaps have at least one test runs with OpenSSL 3 since that is significantly different variant

Perf:

since the perf issues mentioned above, we should perhaps have separate benchmark for Linux with OpenSSL 3.

Author:	wfurt
Assignees:	-
Labels:	os-linux, os-mac-os-x, tracking-external-issue, area-System.Net.Quic
Milestone:	8.0.0

[ManickaP]

OpenSSL 3 stress test run results:

HttpStress Run Final Report

[3/10/2023 12:46:33PM] Total: 1,326,928 Runtime: 00:32:41
         0: GET                       Success: 82,594   Canceled: 5,864 Fail: 0
         1: GET Partial               Success: 82,556   Canceled: 5,903 Fail: 0
         2: GET Headers               Success: 82,396   Canceled: 6,064 Fail: 0
         3: GET Parameters            Success: 82,534   Canceled: 5,927 Fail: 0
         4: GET Aborted               Success: 82,525   Canceled: 5,937 Fail: 0
         5: POST                      Success: 82,528   Canceled: 5,935 Fail: 0
         6: POST Multipart Data       Success: 82,566   Canceled: 5,898 Fail: 0
         7: POST Duplex               Success: 82,556   Canceled: 5,909 Fail: 0
         8: POST Duplex Slow          Success: 82,621   Canceled: 5,844 Fail: 0
         9: POST Duplex Dispose       Success: 82,693   Canceled: 5,768 Fail: 0
        10: POST ExpectContinue       Success: 82,527   Canceled: 5,935 Fail: 0
        11: HEAD                      Success: 82,504   Canceled: 5,959 Fail: 0
        12: PUT                       Success: 82,684   Canceled: 5,780 Fail: 0
        13: PUT Slow                  Success: 79,764   Canceled: 8,701 Fail: 0
        14: GET Slow                  Success: 82,509   Canceled: 5,947 Fail: 0
            TOTAL                     Success: 1,235,557        Canceled: 91,371        Fail: 0

Latency(ms) : n=1326928, p50=1.83, p75=2.53, p99=329.39, p999=365.57, max=1005.92

[CarnaViire]

All points are done and verified, beside perf which will be measured separately (as it's a separate part from "support") -- filed #86516.

Closing this as completed.