| 20 Sep 2025 |
emily | should be low-risk | 16:04:18 |
emily | some question about the appropriate choice of TLS backend on the PR but per my latest comment I don't think that there are actually sensible options other than ngtcp2 + OpenSSL here | 16:04:50 |
hexa | overdue | 16:05:10 |
emily | wondering whether nghttp2 will work with the switch | 16:06:30 |
emily | looks like it builds at least | 16:06:36 |
emily | oh, enableHttp3 ? false :) | 16:06:58 |
dish [Fox/It/She] | In reply to @emilazy:matrix.org some question about the appropriate choice of TLS backend on the PR but per my latest comment I don't think that there are actually sensible options other than ngtcp2 + OpenSSL here agree with this being the best option considering that's what upstream uses | 16:07:05 |
dish [Fox/It/She] | is there info on closure size differences? | 16:07:20 |
emily | well, they don't have a super explicit preference | 16:07:25 |
emily | they support multiple things | 16:07:31 |
emily | in theory they consider ngtcp2 + any TLS backend to be non-experimental I think | 16:07:41 |
dish [Fox/It/She] | well yeah but i mean coverage in ci | 16:07:50 |
dish [Fox/It/She] | as you mentioned in the PR comments | 16:07:57 |
emily | but it seems like they generally want to converge on ngtcp2 + OpenSSL | 16:08:00 |
dish [Fox/It/She] | sorry bad wording on my part | 16:08:03 |
emily | ok, this regresses nghttp2.override { enableHttp3 = true; } | 16:09:17 |
emily | cc Marie | 16:09:24 |
emily | it looks like upstream supports OpenSSL backend there but maybe we need to bump version | 16:09:38 |
emily | oh | 16:09:46 |
emily | ++ lib.optionals (enableApp && !enableHttp3) [ openssl ] | 16:09:47 |
emily | or just fix this | 16:09:51 |
emily | and drop quictls | 16:10:05 |
emily | (arguably we should just quictls: drop, only other user than these is HAProxy and HAProxy 3.2 supports QUIC with OpenSSL 3.5 it looks like) | 16:11:27 |
emily | (though that would be the native OpenSSL QUIC which apparently still has some weirdness, so AWS-LC is another option) | 16:11:51 |
dish [Fox/It/She] | yeah openssl quic is... rough | 16:12:06 |
dish [Fox/It/She] | aws lc would be a good option in that case if we drop quictls | 16:12:22 |
emily | https://github.com/haproxy/haproxy/commit/bbe302087ccc1471a97d88ec1c24fbc55e4d1c51 they do sort of imply OpenSSL 3.5 is preferred upstream though | 16:13:16 |
Marie | I'll have a look right after this mesa build | 16:15:00 |
emily | nix build --impure --expr 'with import (builtins.getFlake ("github:NixOS/nixpkgs/pull/435914/head")) {}; (nghttp2.override { enableHttp3 = true; }).overrideAttrs (p: {src = fetchurl {url = "https://github.com/nghttp2/nghttp2/releases/download/v1.67.1/nghttp2-1.67.1.tar.bz2"; hash = "sha256-37cg1CQ6eVBYn6JjI3i+te6a1ELpS3lLO44soowdfio=";}; buildInputs=lib.filter (d: d.pname!="quictls") p.buildInputs ++ [openssl];})' → configure: Requested 'libngtcp2_crypto_ossl >= 1.15.0' but version of libngtcp2_crypto_ossl is 1.14.0 🫠 | 16:15:44 |
emily | bump ngtcp2 and nghttp2 and we should be good | 16:16:05 |