
Add OpenSSL native QUIC backend #13186

Draft

bneradt wants to merge 2 commits into apache:master from bneradt:openssl35-native-quic-support

Conversation

@bneradt (Contributor) commented May 20, 2026

A draft as a proof of concept. I will try this out on a box in production.


The first commit enables the existing quiche HTTP/3 transport to build against Fedora system OpenSSL 3.5 by detecting OpenSSL's third-party QUIC TLS callback API and providing a private shim for the legacy quictls/BoringSSL symbols quiche expects. It also requires static quiche in that compatibility mode so ATS resolves those symbols locally and keeps the final runtime linkage on the system OpenSSL libraries.

The second commit adds a separate optional OpenSSL-native QUIC backend for downstream HTTP/3. It uses OpenSSL 3.5 listener and stream APIs beneath ATS's existing HTTP/3 stack, keeps that backend mutually exclusive with quiche, exposes TS_HAS_OPENSSL_QUIC, and broadens generic client-side H3 tests so they run with either QUIC backend while quiche-specific internals remain quiche-only.

@bneradt bneradt added this to the 11.0.0 milestone May 20, 2026
@bneradt bneradt self-assigned this May 20, 2026
@bneradt bneradt added HTTP/3 QUIC TLS Build work related to build configuration or environment Tests labels May 20, 2026
@bneradt bneradt force-pushed the openssl35-native-quic-support branch 2 times, most recently from 89355ac to b8df91f on May 26, 2026 20:44
Fedora now ships OpenSSL 3.5 with the third-party QUIC TLS
callback API, but quiche still links against the older
quictls/BoringSSL symbols. ATS therefore could not use the system
OpenSSL library for downstream HTTP/3 without dragging in a different
TLS stack.

This adds CMake detection for the OpenSSL callback API and provides a
private compatibility layer that maps quiche's legacy hooks onto
SSL_set_quic_tls_cbs. This requires static quiche in that mode so ATS
resolves the shim symbols locally and links the final binaries against
the system OpenSSL libraries.

This also relaxes verifier-only HTTP/3 AuTest gates that do not execute
curl, so those tests can run when ATS has QUIC support but the installed
curl lacks HTTP/3.
@bneradt bneradt force-pushed the openssl35-native-quic-support branch 7 times, most recently from b1e9280 to af5fecd on May 27, 2026 16:19
OpenSSL 3.5 can terminate QUIC connections directly, but ATS only had a
quiche-backed HTTP/3 listener. Operators who want to use the system
OpenSSL QUIC stack needed a separate downstream backend without changing
the existing quiche path or origin HTTP/3 scope.

This adds an optional ENABLE_OPENSSL_QUIC backend that uses OpenSSL's
native QUIC listener and stream APIs for downstream HTTP/3. This keeps
the backend mutually exclusive with quiche, honors ATS stateless retry
settings in the OpenSSL listener, exposes TS_HAS_OPENSSL_QUIC, and
shares ATS's existing HTTP/3 stream handling above the transport.

This also installs native-QUIC TLS callbacks for ALPN and SNI certificate
selection before ATS has a QUIC NetVC to bind. OpenSSL native QUIC does
not make a selected SSL_CTX certificate active via SSL_set_SSL_CTX alone,
so this applies the selected cert, key, and chain to the connection SSL.

This broadens generic client-side HTTP/3 tests to run for either QUIC
backend while leaving quiche-specific internals guarded by TS_HAS_QUICHE.
This also adds Proxy Verifier and curl coverage for named SNI certificate
selection over HTTP/3.
@bneradt bneradt force-pushed the openssl35-native-quic-support branch from af5fecd to 6e6cb15 on May 27, 2026 17:28