| 20 Sep 2025 |
emily | "Three OpenSSL derivatives called LibreSSL, QUICTLS, and AWS-LC are
reported to work as well. While there are some efforts from the community to
ensure they work well, OpenSSL remains the primary target and this means that
in case of conflicting choices, OpenSSL support will be favored over other
options. Note that QUIC is not fully supported when haproxy is built with
OpenSSL < 3.5 version. In this case, QUICTLS is the preferred alternative.
As of writing this, the QuicTLS project follows OpenSSL very closely and provides
updates simultaneously, but being a volunteer-driven project, its long-term future
does not look certain enough to convince operating systems to package it, so it
needs to be built locally. See the section about QUIC in this document." | 16:20:55 |
emily | seems like a pretty explicit recommendation for OpenSSL 3.5 even for QUIC | 16:21:04 |
Marie | As of writing this, the QuicTLS project follows OpenSSL very closely and provides
updates simultaneously | 16:25:40 |
Marie | that's a bit outdated from what I've heard | 16:25:55 |
Marie | also successfully built nghttp2.override { enableHttp3 = true; } | 16:26:35 |
emily | fwiw https://github.com/haproxy/haproxy/commit/bbe302087ccc1471a97d88ec1c24fbc55e4d1c51 | 16:27:56 |
emily | is where they said "OpenSSL 3.5 fine" (and did not change their description of QuicTLS) | 16:28:06 |
nim65s | zvbi is failing before that | 16:28:17 |
nim65s | ntsc-cc.c:55:11: fatal error: 'X11/X.h' file not found | 16:28:27 |
emily | why on earth is thrift pulling in zvbi… | 16:29:18 |
nim65s | (image attachment: image.png) | 16:30:17 |
emily | the bumps need moving up above "ngtcp2: use openssl instead of quictls" to avoid intermediate broken states, and I think the curl and nghttp2 changes should be squashed into that. otherwise LGTM. can worry about HAProxy later I suppose, but we should probably get it off QuicTLS… | 16:30:38 |
emily | aha. well, … we'll need to fix that anyway, because obviously ffmpeg-headless needs to work on Darwin | 16:31:01 |
emily | so that's just staging noise | 16:31:05 |
emily | as you can see, ~all of Python is broken there :) | 16:31:20 |
Marie | alright | 16:31:57 |
Marie | doing another build right now, since i forgot to rebase | 16:32:27 |
aloisw | Unless something has changed in the last couple of days and GitHub search is weird, nginx also still uses the quictls package. However, OpenSSL seems to work fine there as well. | 16:44:58 |
emily | rg quictls pkgs/servers/http/nginx/ returns nothing for me | 16:47:00 |
aloisw | It's overridden in all-packages.nix. | 16:47:14 |
emily | https://github.com/search?q=repo%3ANixOS%2Fnixpkgs%20quictls&type=code doesn't show Nginx for me either, am I missing something? | 16:47:24 |
aloisw | (do not read the comment) | 16:47:25 |
emily | aha. only for nginxQuic | 16:47:46 |
emily | ok, we can punt what to do for that stuff for later. | 16:48:09 |
emily | OpenSSL 3.5 or AWS-LC seem like the sensible options. | 16:48:17 |
aloisw | all-packages.nix is excluded from that due to its size I guess? | 16:48:17 |
emily | it's not even that big any more | 16:48:30 |
emily | 15k lines | 16:48:32 |
emily | but yeah I guess | 16:48:34 |