-
-
Notifications
You must be signed in to change notification settings - Fork 9.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
QUIC Server Minimal Demo #24037
QUIC Server Minimal Demo #24037
Conversation
* the engine level in future when we can have multiple ports. This is not | ||
* important currently as the port list has a single entry. | ||
*/ | ||
LIST_FOREACH(port, port, &qeng->port_list) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LIST_FOREACH is generally available I think, but are we sure its available on our older platforms?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is defined in internal/list.h
and is universally available...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh, wow, thats interesting. I called attention to this because LIST_FOREACH is defiend in sys/queue.h as part of glibc. I'm kind of suprised we haven't run afoul of namespace conflicts here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would have not used those names here - but this isn't adding the names in - as Hugo points out it was done previously - so if that is an issue a separate PR could address that - as internals we can change.
Looking at the current implementation it is a mix of list/LIST/ossl_list/OSSL_LIST which seems more than a little strange in how it was done. I'd have gone for a clear prefix there across the board,
6a31d81
to
3536634
Compare
Updated, ready for review. |
Doc fix |
|
||
/* Load certificate and corresponding private key. */ | ||
if (SSL_CTX_use_certificate_chain_file(ctx, cert_path) <= 0) { | ||
fprintf(stderr, "couldn't load certificate file: %s\n", cert_path); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should be SSL_CTX_use_certificate_file ... with SSL_FILETYPE_PEM I would assume.
Using the chain_file function would be rather strange to see.
Although I see this has made it into a pile of the demos - it is really not the right approach IMHO.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
SSL_CTX_use_certificate_file() loads the first certificate stored in file into ctx. The
formatting type of the certificate must be specified from the known types SSL_FILETYPE_PEM,
SSL_FILETYPE_ASN1. SSL_use_certificate_file() loads the certificate from file into ssl. See
the NOTES section on why SSL_CTX_use_certificate_chain_file() should be preferred.
SSL_CTX_use_certificate_chain_file() should be used instead of the
SSL_CTX_use_certificate_file() function in order to allow the use of complete certificate
chains even when no trusted CA storage is used or when the CA issuing the certificate shall not
be added to the trusted CA storage.
Using SSL_CTX_use_certificate_file
would offer no way to serve intermediate certificates... basically guaranteeing incorrect behaviour when using any certificate issued by a public CA.
demos/quic/server/server.c
Outdated
int fd = -1; | ||
struct sockaddr_in6 sa = {0}; | ||
|
||
if ((fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP)) < 0) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
An IPv6 only demo?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Most OSes enable v4-mapped addresses by default so this is dual-stack. There are some exceptions like OpenBSD — but handling those correctly would require multiple sockets here, significantly increasing the complexity of the demo and reducing its expository value.
I'm not massively bothered either way though.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Windows doesn't work that way ... you need two listeners to get both IPv4 and IPv6 support and as that is one of the primary platforms making this choice here wasn't what I was expecting.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It does support it from Vista onwards, though you do have to enable it explicitly.
Anyway, it doesn't really matter either way. AF_INET works for me.
Updated |
3babf1b
to
da132f7
Compare
Updated |
Updated |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, changes look good to me now. The introduction of expect_quic_*()
really improves the code readability. What I'm still struggling with is to reason about the state of the lock which is associated with SSL instance s
. I don't have answer for this and I think the answer is not simple (because of abstraction). Hence I'm approving those changes.
Just question:
If I understand things right we manipulate engine lock in expect_quic_as()
, right?
my approval holds |
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #24037)
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #24037)
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #24037)
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #24037)
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #24037)
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #24037)
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #24037)
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #24037)
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #24037)
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #24037)
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #24037)
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #24037)
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #24037)
…unable to wait Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #24037)
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #24037)
…t compat Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #24037)
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #24037)
… closure Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #24037)
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #24037)
…after connection terminastion Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #24037)
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #24037)
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #24037)
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #24037)
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #24037)
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #24037)
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #24037)
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #24037)
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #24037)
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #24037)
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #24037)
This PR, which incorporates all the changes in #23995, makes further refinements and refactoring sufficient to support a minimal server API usage demo in blocking mode.
A demo is included and works with
s_client
.Fixes openssl/project#523