I have read on https://www.haproxy.com/blog/announcing-haproxy-2-6/#http-3-over-quic that net/haproxy, which is currently on version 2.6.6, is supporting quic4 as supported protocol. But it looks like on the FreeBSD net/haproxy port it was compiled without such support. What am I doing wrong?

Well, it is not enabled in FreeBSD build. According to their docs (the link you provided):

"""
You’ll need to compile HAProxy with a few new options, including the USE_QUIC flag, and also link to a QUIC-compatible version of OpenSSL, such as the one found here.
"""

The main problem for us is to get "QUIC-compatible version of OpenSSL". I'll try to investigate if it is present in ports collection and how to use it.

Yeah, it looks like such "QUIC-compatible version of OpenSSL" should be openssl 3.x

Judging from the Nginx port, these might work.

security/boringssl
security/libressl-devel
security/openssl-quictls

I think the HAProxy developers tested/built against OpenSSL. I'll give building and running with openssl-quictls a shot and report back if it works.

In HAProxy 2.8.4 and 2.9.0 limited support for QUIC is now possible even when using OpenSSL:

- QUIC: a limited compatibility layer allowing to use OpenSSL despite its lack of QUIC support was implemented and backported to 2.8.4. It does not support 0-RTT and I think everyone agrees that we should not have to hack around this. But for a while, users didn't have the choice but to use OpenSSL, so at least these ones can have some QUIC support now. The best solution of course, is to get rid of OpenSSL which is now the last SSL stack not supporting QUIC, and with horrible performance since 3.x.

Source:
https://www.mail-archive.com/haproxy@formilux.org/msg44400.html
https://www.mail-archive.com/haproxy@formilux.org/msg44336.html

Could this "limited quic" be enabled in the FreeBSD port(s)?

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=177cd6b2364cc256456abceb989321587b74d6fa

commit 177cd6b2364cc256456abceb989321587b74d6fa
Author:     Dmitry Sivachenko <demon@FreeBSD.org>
AuthorDate: 2023-12-28 21:54:34 +0000
Commit:     Dmitry Sivachenko <demon@FreeBSD.org>
CommitDate: 2023-12-28 21:58:57 +0000

    net/haproxy: enable limited QUIC support when OpenSSL option is on.

    PR:             267388

 net/haproxy/Makefile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(In reply to Frank Wall from comment #4) Hello! Done for haproxy-2.8. I'll try to import version 2.9 soon.

Broken with libressl

  CC      src/mux_h1.o
In file included from src/jwt.c:18:
In file included from include/haproxy/openssl-compat.h:41:
In file included from include/haproxy/quic_openssl_compat.h:8:
include/haproxy/quic_openssl_compat-t.h:14:6: fatal error: redefinition of 'ssl_encryption_level_t'
enum ssl_encryption_level_t {
     ^
/usr/local/include/openssl/ssl.h:1625:14: note: previous definition is here
typedef enum ssl_encryption_level_t {
             ^
1 error generated.
gmake[2]: *** [Makefile:1009: src/jwt.o] Error 1
gmake[2]: *** Waiting for unfinished jobs....
In file included from src/quic_cc_newreno.c:26:
In file included from include/haproxy/quic_cc.h:33:
In file included from include/haproxy/quic_conn-t.h:34:
In file included from include/haproxy/openssl-compat.h:41:
In file included from include/haproxy/quic_openssl_compat.h:8:
include/haproxy/quic_openssl_compat-t.h:14:6: fatal error: redefinition of 'ssl_encryption_level_t'
enum ssl_encryption_level_t {
     ^
/usr/local/include/openssl/ssl.h:1625:14: note: previous definition is here
typedef enum ssl_encryption_level_t {
             ^
1 error generated.
gmake[2]: *** [Makefile:1009: src/quic_cc_newreno.o] Error 1
In file included from src/quic_frame.c:16:
In file included from include/haproxy/quic_conn-t.h:34:
In file included from include/haproxy/openssl-compat.h:41:
In file included from include/haproxy/quic_openssl_compat.h:8:
include/haproxy/quic_openssl_compat-t.h:14:6: fatal error: redefinition of 'ssl_encryption_level_t'
enum ssl_encryption_level_t {
     ^
/usr/local/include/openssl/ssl.h:1625:14: note: previous definition is here
typedef enum ssl_encryption_level_t {
             ^
1 error generated.
gmake[2]: *** [Makefile:1009: src/quic_frame.o] Error 1
In file included from src/quic_cc_cubic.c:1:
In file included from include/haproxy/quic_cc.h:33:
In file included from include/haproxy/quic_conn-t.h:34:
In file included from include/haproxy/openssl-compat.h:41:
In file included from include/haproxy/quic_openssl_compat.h:8:
include/haproxy/quic_openssl_compat-t.h:14:6: fatal error: redefinition of 'ssl_encryption_level_t'
enum ssl_encryption_level_t {
     ^
/usr/local/include/openssl/ssl.h:1625:14: note: previous definition is here
typedef enum ssl_encryption_level_t {
             ^
1 error generated.
gmake[2]: *** [Makefile:1009: src/quic_cc_cubic.o] Error 1
In file included from src/ssl_utils.c:18:
In file included from include/haproxy/openssl-compat.h:41:
In file included from include/haproxy/quic_openssl_compat.h:8:
include/haproxy/quic_openssl_compat-t.h:14:6: fatal error: redefinition of 'ssl_encryption_level_t'
enum ssl_encryption_level_t {
     ^
/usr/local/include/openssl/ssl.h:1625:14: note: previous definition is here
typedef enum ssl_encryption_level_t {
             ^
1 error generated.
gmake[2]: *** [Makefile:1009: src/ssl_utils.o] Error 1
In file included from src/cfgparse-ssl.c:38:
In file included from include/haproxy/openssl-compat.h:41:
In file included from include/haproxy/quic_openssl_compat.h:8:
include/haproxy/quic_openssl_compat-t.h:14:6: fatal error: redefinition of 'ssl_encryption_level_t'
enum ssl_encryption_level_t {
     ^
/usr/local/include/openssl/ssl.h:1625:14: note: previous definition is here
typedef enum ssl_encryption_level_t {
             ^
1 error generated.
gmake[2]: *** [Makefile:1009: src/cfgparse-ssl.o] Error 1
In file included from src/quic_loss.c:3:
In file included from include/haproxy/quic_conn-t.h:34:
In file included from include/haproxy/openssl-compat.h:41:
In file included from include/haproxy/quic_openssl_compat.h:8:
include/haproxy/quic_openssl_compat-t.h:14:6: fatal error: redefinition of 'ssl_encryption_level_t'
enum ssl_encryption_level_t {
     ^
/usr/local/include/openssl/ssl.h:1625:14: note: previous definition is here
typedef enum ssl_encryption_level_t {
             ^
1 error generated.
In file included from src/quic_tp.c:7:
In file included from include/haproxy/quic_conn.h:37:
In file included from include/haproxy/openssl-compat.h:41:
In file included from include/haproxy/quic_openssl_compat.h:8:
include/haproxy/quic_openssl_compat-t.h:14:6: fatal error: redefinition of 'ssl_encryption_level_t'
enum ssl_encryption_level_t {
     ^
/usr/local/include/openssl/ssl.h:1625:14: note: previous definition is here
typedef enum ssl_encryption_level_t {
             ^
1 error generated.
gmake[2]: *** [Makefile:1009: src/quic_loss.o] Error 1
gmake[2]: *** [Makefile:1009: src/quic_tp.o] Error 1
In file included from src/quic_openssl_compat.c:9:
In file included from include/haproxy/openssl-compat.h:41:
In file included from include/haproxy/quic_openssl_compat.h:8:
include/haproxy/quic_openssl_compat-t.h:14:6: fatal error: redefinition of 'ssl_encryption_level_t'
enum ssl_encryption_level_t {
     ^
/usr/local/include/openssl/ssl.h:1625:14: note: previous definition is here
typedef enum ssl_encryption_level_t {
             ^

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=466d866ac89abb1884c3c3efc5d96b18e7526a2b

commit 466d866ac89abb1884c3c3efc5d96b18e7526a2b
Author:     Dmitry Sivachenko <demon@FreeBSD.org>
AuthorDate: 2023-12-29 06:04:51 +0000
Commit:     Dmitry Sivachenko <demon@FreeBSD.org>
CommitDate: 2023-12-29 06:10:44 +0000

    net/haproxy: revert QUIC support: it does not work with non-OpenSSL SSL implementations.
    We need to explicitly support LibreSSL.

    PR:             267388
    Reported by:    Ivan Rozhuk <rozhuk.im@gmail.com>

 net/haproxy/Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

I reverted QUIC support for now. I'll try to support different SSL implementations in the haproxy port soon, or you may send a patch :)

Created attachment 247337
QUIC for all :-)

Hi Dmitry,

thanks for looking into this. The limited QUIC support is a workaround that will only work on OpenSSL. Most other SSL libraries may simply use the full QUIC support.

I've attached a patch that enables QUIC for all SSL libs and QUIC_OPENSSL_COMPAT only for OpenSSL/base. I did two poudriere builds (LibreSSL and OpenSSL) and it seems to build fine now.

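The build failure reported with LibreSSL and the fix described in the comment above both turn on whether the SSL headers already declare ssl_encryption_level_t. The POSIX shell check below is an added example (not the port's Makefile and not code from anyone in this thread) that picks HAProxy make flags from the headers; treating the presence of that enum as the sign of a native QUIC API is an assumption, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not the port's Makefile logic: choose HAProxy QUIC build
# flags from the SSL headers the build will actually compile against.

# quic_build_flags INCLUDE_DIR   (hypothetical helper)
# Prints the make arguments to use; returns 1 if openssl/ssl.h is missing.
quic_build_flags() {
    ssl_h="$1/openssl/ssl.h"
    [ -r "$ssl_h" ] || { echo "no openssl/ssl.h under $1" >&2; return 1; }

    # Assumption: a library that declares ssl_encryption_level_t in ssl.h
    # ships its own QUIC API. The failed build in this thread shows that
    # enabling the compat layer on top of it redefines the enum, so the
    # compat flag is only emitted when the enum is absent.
    if grep -q 'ssl_encryption_level_t' "$ssl_h"; then
        echo "USE_QUIC=1"
    else
        echo "USE_QUIC=1 USE_QUIC_OPENSSL_COMPAT=1"
    fi
}

# make_sample_headers   (hypothetical helper)
# Writes two constructed ssl.h stubs so the check can be exercised offline:
#   native/ declares the enum, plain/ does not. Prints the temp directory.
make_sample_headers() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/native/openssl" "$dir/plain/openssl"
    printf 'typedef enum ssl_encryption_level_t {\n  ssl_encryption_initial = 0\n} OSSL_ENCRYPTION_LEVEL;\n' \
        > "$dir/native/openssl/ssl.h"
    printf 'typedef struct ssl_st SSL;\n' > "$dir/plain/openssl/ssl.h"
    echo "$dir"
}
```

When the compat flag is selected, HAProxy additionally requires the "limited-quic" global setting before QUIC binds take effect, and 0-RTT remains unavailable.
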
Thanks for the patch! But it can also be openssl-quictls? What about it?

Created attachment 247339
QUIC v2

I've revised the patch and tested it with the following OpenSSL settings in poudriere:

DEFAULT_VERSIONS+=ssl=libressl
DEFAULT_VERSIONS+=ssl=openssl111
DEFAULT_VERSIONS+=ssl=openssl-quictls

And of course using the default "base" OpenSSL 3.0.12 on 14.0. All builds finished successfully (on amd64).

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=a2405c51ca2cf6f0e633f6b8cd4839e68ba1b865

commit a2405c51ca2cf6f0e633f6b8cd4839e68ba1b865
Author:     Dmitry Sivachenko <demon@FreeBSD.org>
AuthorDate: 2023-12-29 22:20:42 +0000
Commit:     Dmitry Sivachenko <demon@FreeBSD.org>
CommitDate: 2023-12-29 22:22:56 +0000

    net/haproxy: enable QUIC support.

    PR:             267388
    Submitted by:   Frank Wall <freebsd@moov.de>

 net/haproxy/Makefile | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

(In reply to Frank Wall from comment #12) I committed your patch, thank you! (also changed bsd.port.mk at the bottom to bsd.port.post.mk)
^Triage: committed 20231229.