[PATCH 2 of 4] QUIC: do not use SSL_set_quic_early_data_enabled() with LibreSSL

Roman Arutyunyan arut at nginx.com
Tue Oct 18 11:46:34 UTC 2022


Hi,

On Mon, Oct 17, 2022 at 06:04:36PM +0400, Sergey Kandaurov wrote:
> 
> > On 17 Oct 2022, at 15:07, Roman Arutyunyan <arut at nginx.com> wrote:
> > 
> > Hi,
> > 
> > On Tue, Oct 11, 2022 at 02:35:51PM +0400, Sergey Kandaurov wrote:
> >> # HG changeset patch
> >> # User Sergey Kandaurov <pluknet at nginx.com>
> >> # Date 1665442922 -14400
> >> #      Tue Oct 11 03:02:02 2022 +0400
> >> # Branch quic
> >> # Node ID caced81ce0a9cb218ae8cdd6176c12e0614acee9
> >> # Parent  82b03006a7bd93c3b5c962a3afac89e0639b0c12
> >> QUIC: do not use SSL_set_quic_early_data_enabled() with LibreSSL.
> >> 
> >> This function is present in QuicTLS only.  After SSL_READ_EARLY_DATA_SUCCESS
> >> became visible in LibreSSL together with experimental QUIC API, this required
> >> to revise the conditional compilation test to use more narrow macros.
> >> 
> >> diff --git a/src/event/quic/ngx_event_quic_ssl.c b/src/event/quic/ngx_event_quic_ssl.c
> >> --- a/src/event/quic/ngx_event_quic_ssl.c
> >> +++ b/src/event/quic/ngx_event_quic_ssl.c
> >> @@ -557,7 +557,7 @@ ngx_quic_init_connection(ngx_connection_
> >>         return NGX_ERROR;
> >>     }
> >> 
> >> -#ifdef SSL_READ_EARLY_DATA_SUCCESS
> >> +#if (!defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL)
> > 
> > What about the macro OPENSSL_INFO_QUIC?  It's only defined in QuicTLS.
> > 
> >>     if (SSL_CTX_get_max_early_data(qc->conf->ssl->ctx)) {
> >>         SSL_set_quic_early_data_enabled(ssl_conn, 1);
> >>     }
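
Review bot: the added `#if` line is an exclusion list rather than a feature test. It names LibreSSL and BoringSSL, so any other library that defines neither macro still compiles the SSL_set_quic_early_data_enabled() call, while the commit message says the function is present in QuicTLS only. A positive test on a macro defined by the library that provides the function would match that statement. Whichever test is used, a one-line comment above it naming the library the block is meant for would help.
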
> 
> I wonder how long it will take to use this macro in the upstream OpenSSL.
> Given that QuicTLS may be considered as something interim,
> I think it should be ok for now.
> And it respects the no-quic QuicTLS build option.
> 
> Together with the adjusted log summary:
> 
> QUIC: using SSL_set_quic_early_data_enabled() only with QuicTLS.
> 
> This function is present in QuicTLS only.  After SSL_READ_EARLY_DATA_SUCCESS
> became visible in LibreSSL together with experimental QUIC API, this required
> to revise the conditional compilation test to use more narrow macros.
> 
> diff --git a/src/event/quic/ngx_event_quic_ssl.c b/src/event/quic/ngx_event_quic_ssl.c
> --- a/src/event/quic/ngx_event_quic_ssl.c
> +++ b/src/event/quic/ngx_event_quic_ssl.c
> @@ -557,7 +557,7 @@ ngx_quic_init_connection(ngx_connection_
>          return NGX_ERROR;
>      }
>  
> -#ifdef SSL_READ_EARLY_DATA_SUCCESS
> +#ifdef OPENSSL_INFO_QUIC
>      if (SSL_CTX_get_max_early_data(qc->conf->ssl->ctx)) {
>          SSL_set_quic_early_data_enabled(ssl_conn, 1);
>      }
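
Review bot: the `#ifdef OPENSSL_INFO_QUIC` guard carries no explanation of why it protects this block, and the macro name has no visible link to SSL_set_quic_early_data_enabled() or to early data. Add a short comment above the `#ifdef` saying the macro is used here as the QuicTLS marker, so the test gets revisited if the macro later appears elsewhere, which is the upstream OpenSSL concern raised in this thread. When the macro is undefined the whole block compiles away silently, so the comment should also say that this is intended.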

Looks ok.

Other patches are ok as well.

--
Roman Arutyunyan


