| 20 Sep 2025 |
 emily | well, they don't have a super explicit preference | 16:07:25 |
| emily | they support multiple things | 16:07:31 |
| emily | in theory they consider ngtcp2 + any TLS backend to be non-experimental I think | 16:07:41 |
 dish [Fox/It/She] | well yeah but i mean coverage in ci | 16:07:50 |
| dish [Fox/It/She] | as you mentioned in the PR comments | 16:07:57 |
| emily | but it seems like they generally want to converge on ngtcp2 + OpenSSL | 16:08:00 |
| dish [Fox/It/She] | sorry bad wording on my part | 16:08:03 |
| emily | ok, this regresses nghttp2.override { enableHttp3 = true; } | 16:09:17 |
| emily | cc Marie | 16:09:24 |
| emily | it looks like upstream supports OpenSSL backend there but maybe we need to bump version | 16:09:38 |
| emily | oh | 16:09:46 |
| emily | ++ lib.optionals (enableApp && !enableHttp3) [ openssl ]
| 16:09:47 |
| emily | or just fix this | 16:09:51 |
| emily | and drop quictls | 16:10:05 |
| emily | (arguably we should just quictls: drop, only other user than these is HAProxy and HAProxy 3.2 supports QUIC with OpenSSL 3.5 it looks like) | 16:11:27 |
| emily | (though that would be the native OpenSSL QUIC which apparently still has some weirdness, so AWS-LC is another option) | 16:11:51 |
| dish [Fox/It/She] | yeah openssl quic is... rough | 16:12:06 |
| dish [Fox/It/She] | aws lc would be a good option in that case if we drop quictls | 16:12:22 |
| emily | https://github.com/haproxy/haproxy/commit/bbe302087ccc1471a97d88ec1c24fbc55e4d1c51 they do sort of imply OpenSSL 3.5 is preferred upstream though | 16:13:16 |
 Marie | I'll have a look right after this mesa build | 16:15:00 |
| emily | nix build --impure --expr 'with import (builtins.getFlake ("github:NixOS/nixpkgs/pull/435914/head")) {}; (nghttp2.override { enableHttp3 = true; }).overrideAttrs (p: {src = fetchurl {url = "https://github.com/nghttp2/nghttp2/releases/download/v1.67.1/nghttp2-1.67.1.tar.bz2"; hash = "sha256-37cg1CQ6eVBYn6JjI3i+te6a1ELpS3lLO44soowdfio=";}; buildInputs=lib.filter (d: d.pname!="quictls") p.buildInputs ++ [openssl];})'
→
configure: Requested 'libngtcp2_crypto_ossl >= 1.15.0' but version of libngtcp2_crypto_ossl is 1.14.0
🫠 | 16:15:44 |
| emily | bump ngtcp2 and nghttp2 and we should be good | 16:16:05 |
| emily | https://github.com/haproxy/haproxy/blob/34cdc5e191784cdae671a6c337fd4385522855af/INSTALL#L28-L39 | 16:19:37 |
| emily | dunno, it seems like HAProxy basically suggests people use OpenSSL 3.5 QUIC | 16:19:50 |
| emily | but AWS-LC may be the safe choice | 16:20:37 |
| emily | "Three OpenSSL derivatives called LibreSSL, QUICTLS, and AWS-LC are
reported to work as well. While there are some efforts from the community to
ensure they work well, OpenSSL remains the primary target and this means that
in case of conflicting choices, OpenSSL support will be favored over other
options. Note that QUIC is not fully supported when haproxy is built with
OpenSSL < 3.5 version. In this case, QUICTLS is the preferred alternative.
As of writing this, the QuicTLS project follows OpenSSL very closely and provides
update simultaneously, but being a volunteer-driven project, its long-term future
does not look certain enough to convince operating systems to package it, so it
needs to be build locally. See the section about QUIC in this document." | 16:20:55 |
| emily | seems like a pretty explicit recommendation for OpenSSL 3.5 even for QUIC | 16:21:04 |
| Marie | As of writing this, the QuicTLS project follows OpenSSL very closely and provides
update simultaneously | 16:25:40 |
| Marie | As of writing this, the QuicTLS project follows OpenSSL very closely and provides update simultaneously
| 16:25:43 |
| Marie | thats a bit outdated from what I've heard | 16:25:55 |
