| 20 Sep 2025 |
 dish [Fox/It/She] | yeah openssl quic is... rough | 16:12:06 |
| dish [Fox/It/She] | aws lc would be a good option in that case if we drop quictls | 16:12:22 |
 emily | https://github.com/haproxy/haproxy/commit/bbe302087ccc1471a97d88ec1c24fbc55e4d1c51 they do sort of imply OpenSSL 3.5 is preferred upstream though | 16:13:16 |
 Marie | I'll have a look right after this mesa build | 16:15:00 |
| emily | nix build --impure --expr 'with import (builtins.getFlake ("github:NixOS/nixpkgs/pull/435914/head")) {}; (nghttp2.override { enableHttp3 = true; }).overrideAttrs (p: {src = fetchurl {url = "https://github.com/nghttp2/nghttp2/releases/download/v1.67.1/nghttp2-1.67.1.tar.bz2"; hash = "sha256-37cg1CQ6eVBYn6JjI3i+te6a1ELpS3lLO44soowdfio=";}; buildInputs=lib.filter (d: d.pname!="quictls") p.buildInputs ++ [openssl];})'
→
configure: Requested 'libngtcp2_crypto_ossl >= 1.15.0' but version of libngtcp2_crypto_ossl is 1.14.0
🫠 | 16:15:44 |
| emily | bump ngtcp2 and nghttp2 and we should be good | 16:16:05 |
| emily | https://github.com/haproxy/haproxy/blob/34cdc5e191784cdae671a6c337fd4385522855af/INSTALL#L28-L39 | 16:19:37 |
| emily | dunno, it seems like HAProxy basically suggests people use OpenSSL 3.5 QUIC | 16:19:50 |
| emily | but AWS-LC may be the safe choice | 16:20:37 |
| emily | "Three OpenSSL derivatives called LibreSSL, QUICTLS, and AWS-LC are
reported to work as well. While there are some efforts from the community to
ensure they work well, OpenSSL remains the primary target and this means that
in case of conflicting choices, OpenSSL support will be favored over other
options. Note that QUIC is not fully supported when haproxy is built with
OpenSSL < 3.5 version. In this case, QUICTLS is the preferred alternative.
As of writing this, the QuicTLS project follows OpenSSL very closely and provides
update simultaneously, but being a volunteer-driven project, its long-term future
does not look certain enough to convince operating systems to package it, so it
needs to be build locally. See the section about QUIC in this document." | 16:20:55 |
| emily | seems like a pretty explicit recommendation for OpenSSL 3.5 even for QUIC | 16:21:04 |
| Marie | As of writing this, the QuicTLS project follows OpenSSL very closely and provides
update simultaneously | 16:25:40 |
| Marie | As of writing this, the QuicTLS project follows OpenSSL very closely and provides update simultaneously
| 16:25:43 |
| Marie | thats a bit outdated from what I've heard | 16:25:55 |
| Marie | also successfully built nghttp2.override { enableHttp3 = true; } | 16:26:35 |
| emily | fwiw https://github.com/haproxy/haproxy/commit/bbe302087ccc1471a97d88ec1c24fbc55e4d1c51 | 16:27:56 |
| emily | is where they said "OpenSSL 3.5 fine" (and did not change their description of QuicTLS) | 16:28:06 |
 nim65s | zvbi is failing before that | 16:28:17 |
| nim65s | ntsc-cc.c:55:11: fatal error: 'X11/X.h' file not found | 16:28:27 |
| emily | why on earth is thrift pulling in zvbi… | 16:29:18 |
| nim65s | 
Download image.png | 16:30:17 |
| emily | the bumps need moving up above "ngtcp2: use openssl instead of quictls" to avoid intermediate broken states, and I think the curl and nghttp2 changes should be squashed into that. otherwise LGTM. can worry about HAProxy later I suppose, but we should probably get it off QuicTLS… | 16:30:38 |
| emily | aha. well, … we'll need to fix that anyway, because obviously ffmpeg-headless needs to work on Darwin | 16:31:01 |
| emily | so that's just staging noise | 16:31:05 |
| emily | as you can see, ~all of Python is broken there :) | 16:31:20 |
| Marie | alright | 16:31:57 |
| Marie | doing another build right now, since i forgot to rebase | 16:32:27 |
 aloisw | Unless something has changed in the last couple of days and GitHub search is weird, nginx also still uses quictls package. However OpenSSL seems to work there fine as well. | 16:44:58 |
| emily | rg quictls pkgs/servers/http/nginx/ returns nothing for me | 16:47:00 |
| aloisw | It's overridden in all-packages.nix. | 16:47:14 |
