#ngtcp2
daniel:// stenberg://<p>Meanwhile in <a href="https://mastodon.social/tags/curl" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>curl</span></a> land, we can now do <a href="https://mastodon.social/tags/HTTP3" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>HTTP3</span></a> with <a href="https://mastodon.social/tags/ngtcp2" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ngtcp2</span></a> 1.12.0 and <a href="https://mastodon.social/tags/OpenSSL" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OpenSSL</span></a> 3.5.</p><p>Thanks to lots of amazing people, including <span class="h-card" translate="no"><a href="https://chaos.social/@icing" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>icing</span></a></span> and Tatsuhiro of ngtcp2 of course.</p>
daniel:// stenberg://<p>It looks like the <a href="https://mastodon.social/tags/OpenSSL" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OpenSSL</span></a> QUIC API might be supported in the coming <a href="https://mastodon.social/tags/ngtcp2" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ngtcp2</span></a> 1.12.0 release:</p><p><a href="https://github.com/ngtcp2/ngtcp2/pull/1582" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/ngtcp2/ngtcp2/pull/</span><span class="invisible">1582</span></a></p><p>This could be exciting for <a href="https://mastodon.social/tags/curl" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>curl</span></a> users building with <a href="https://mastodon.social/tags/OpenSSL" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OpenSSL</span></a> ...</p>
ϺΛDИVTTΛH<p><span class="h-card" translate="no"><a href="https://fosstodon.org/@nlnetlabs" class="u-url mention">@<span>nlnetlabs</span></a></span> The build ain&#39;t as straightforward as we&#39;re used to. Why can&#39;t one just use <a href="https://fosstodon.org/tags/openssl" class="mention hashtag" rel="tag">#<span>openssl</span></a> with <a href="https://fosstodon.org/tags/ngtcp2" class="mention hashtag" rel="tag">#<span>ngtcp2</span></a> but instead need <a href="https://fosstodon.org/tags/quictls" class="mention hashtag" rel="tag">#<span>quictls</span></a>? I fear I sacrifice security by not using official OpenSSL libs for <a href="https://fosstodon.org/tags/quic" class="mention hashtag" rel="tag">#<span>quic</span></a></p>
Petr Menšík :fedora:<p><span class="h-card" translate="no"><a href="https://mastodon.social/@bagder" class="u-url mention">@<span>bagder</span></a></span> quite interesting details about quic support. It affects also DNS over QUIC, not only HTTPS/3. At least unbound and bind9 are compiled with OpenSSL on Fedora. Unbound has added recently server support via <a href="https://fosstodon.org/tags/ngtcp2" class="mention hashtag" rel="tag">#<span>ngtcp2</span></a>. But it gets weird and inappropriate, linking two different crypto stacks into single binary. The reason is similar to curl. Normal TLS from OpenSSL, quic via gnutls. If it should be enabled, then this way...</p>
daniel:// stenberg://<p>An <a href="https://mastodon.social/tags/ngtcp2" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ngtcp2</span></a> lead developer told me they have no current plans to adapt to the new <a href="https://mastodon.social/tags/OpenSSL" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OpenSSL</span></a> <a href="https://mastodon.social/tags/QUIC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>QUIC</span></a> API because of its lack of 0RTT support and the "pull model".</p><p>Of course someone else can go ahead and write it and ideally someone from <a href="https://mastodon.social/tags/OpenSSL" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OpenSSL</span></a> does it, for dogfooding purposes.</p><p>I have not heard of any other QUIC stack either having adapted to it yet.</p>
daniel:// stenberg://<p>I now hope for <a href="https://mastodon.social/tags/OpenSSL" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OpenSSL</span></a> to work with <a href="https://mastodon.social/tags/ngtcp2" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ngtcp2</span></a> to make sure <a href="https://mastodon.social/tags/QUIC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>QUIC</span></a> works fine in that combo. Then we can leave the slow OpenSSL-QUIC implementation in its dusty corner and perhaps see rather wide HTTP/3 + curl adoption coming up.</p>
Harry Sintonen<p><a href="https://infosec.exchange/tags/OpenSSL" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OpenSSL</span></a> <a href="https://infosec.exchange/tags/QUIC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>QUIC</span></a> implementation performance is "abysmal" compared to competing solutions such as <a href="https://infosec.exchange/tags/ngtcp2" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ngtcp2</span></a> (ngtcp2 is 2-4x faster) and consumes tons (up to 25x in some situations) of memory. (*)</p><p>I still don't fathom why the OpenSSL project chose the path they took. It smells heavily of "Not Invented Here" to me.</p><p>Surely some future OpenSSL version will fix this mess?</p><p>*) <a href="https://lists.haxx.se/pipermail/daniel/2025-January/000096.html" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">lists.haxx.se/pipermail/daniel</span><span class="invisible">/2025-January/000096.html</span></a></p>
daniel:// stenberg://<p>Until improved, I believe the severe performance degradation and memory use compared to <a href="https://mastodon.social/tags/ngtcp2" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ngtcp2</span></a> are reasons enough for us to not recommend <a href="https://mastodon.social/tags/OpenSSL" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OpenSSL</span></a> QUIC for use with <a href="https://mastodon.social/tags/curl" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>curl</span></a> in production.</p><p>Upload speed: ngtcp2 is 2-4x faster.</p><p>Memory use: in some tests, OpenSSL uses 25x the amount of memory.</p>
John-Mark Gurney<p>Whoa, I just got a basic Python wrapper around ngtcp2 [server only] functional. Lots of error handling and edge cases need to be implemented.</p><p>The test that is working is a client (aioquic) connects, opens a stream, both sides send some data, and confirms that the other side received the data.</p><p>I really didn't think my last set of changes would make things work, I expected to hit some unimplemented parts.</p><p>TODO:<br>```<br>$ grep NotImplementedError ngtcp2.py | wc -l<br> 15<br>```</p><p><a href="https://flyovercountry.social/tags/Python" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Python</span></a> <a href="https://flyovercountry.social/tags/ngtcp2" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ngtcp2</span></a></p>
John-Mark Gurney<p>Well, I can say that ngtcp2 is not coded very defensively. I finally got enough of a framework to call into it, and it causes a segfault.</p><p>No error on what possible pointer I messed up, not even an error that I messed up a pointer.</p><p><a href="https://flyovercountry.social/tags/ngtcp2" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ngtcp2</span></a> <a href="https://flyovercountry.social/tags/ctypes" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ctypes</span></a></p>
John-Mark Gurney<p>And in attempting to add libssl to be wrapped, I have now hit that ABI issue.</p><p>Simply loading libssl via CDLL causes other tests to break, because the new libssl overrides the symbols causing an ABI compatibility problem.</p><p>I hadn't hit that problem yet, because I never got far enough to calling an ngtcp2 function that tried to access the SSL ABI.</p><p>Now I have to decide how to handle this.</p><p><a href="https://flyovercountry.social/tags/QUIC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>QUIC</span></a> <a href="https://flyovercountry.social/tags/ngtcp2" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ngtcp2</span></a> <a href="https://flyovercountry.social/tags/ctypes" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ctypes</span></a> <a href="https://flyovercountry.social/tags/Python" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Python</span></a> <a href="https://flyovercountry.social/tags/ABI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ABI</span></a></p>
Petr Menšík :fedora:<p><span class="h-card" translate="no"><a href="https://fosstodon.org/@nlnetlabs" class="u-url mention">@<span>nlnetlabs</span></a></span> <span class="h-card" translate="no"><a href="https://fosstodon.org/@fedora" class="u-url mention">@<span>fedora</span></a></span> First discovery is that we do not have even <a href="https://fosstodon.org/tags/ngtcp2" class="mention hashtag" rel="tag">#<span>ngtcp2</span></a> library in Fedora yet. That man openssl-quic can already provide client connection API, but server API is not yet available via <a href="https://fosstodon.org/tags/OpenSSL" class="mention hashtag" rel="tag">#<span>OpenSSL</span></a> releases. There is openssl+quic fork, which is unlikely to ever be in Fedora. We could end with unbound linked to openssl, but libngtcp2 linked to gnutls. Definitely not as straightforward as I have expected.</p>
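
The posts above raise two linking concerns: a second libssl pulled into a Python process through ctypes, and a binary that ends up with OpenSSL and GnuTLS side by side. As an added example (not code from any poster or project mentioned here), this Python script audits the text of a Linux `/proc/<pid>/maps` file for both conditions; the sample paths and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of /proc/<pid>/maps content (not from a real process).
SAMPLE_MAPS = """\
7f1000000000-7f1000100000 r-xp 00000000 fd:01 1001 /usr/lib64/libssl.so.3
7f1000100000-7f1000120000 rw-p 00100000 fd:01 1001 /usr/lib64/libssl.so.3
7f1000200000-7f1000500000 r-xp 00000000 fd:01 1002 /usr/lib64/libcrypto.so.3
7f1000600000-7f1000700000 r-xp 00000000 fd:01 2001 /opt/quictls/lib/libssl.so.3
7f1000800000-7f1000b00000 r-xp 00000000 fd:01 2002 /opt/quictls/lib/libcrypto.so.3
7f1000c00000-7f1000e00000 r-xp 00000000 fd:01 3001 /usr/lib64/libgnutls.so.30
7f1000f00000-7f1000f80000 r-xp 00000000 fd:01 4001 /usr/lib64/libngtcp2.so.16
7f1001000000-7f1001021000 rw-p 00000000 00:00 0 [heap]
"""

# Library stems of interest and the TLS stack each belongs to.
TLS_LIB = re.compile(r"^lib(ssl|crypto|gnutls|wolfssl)\.so")
FAMILY = {"ssl": "openssl", "crypto": "openssl",
          "gnutls": "gnutls", "wolfssl": "wolfssl"}


def mapped_tls_libs(maps_text):
    """Return {library stem: set of file paths} for TLS libraries mapped."""
    found = defaultdict(set)
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        # Skip anonymous mappings and pseudo-entries such as [heap].
        if len(fields) < 6 or not fields[5].startswith("/"):
            continue
        path = fields[5].removesuffix(" (deleted)")
        match = TLS_LIB.match(path.rsplit("/", 1)[-1])
        if match:
            found[match.group(1)].add(path)
    return dict(found)


def audit(maps_text):
    """Return (duplicates, families).

    duplicates: stems mapped from more than one file, i.e. two copies of the
                same library whose symbols can collide.
    families:   distinct TLS stacks present in the one process.
    """
    libs = mapped_tls_libs(maps_text)
    duplicates = {s: sorted(p) for s, p in libs.items() if len(p) > 1}
    families = sorted({FAMILY[s] for s in libs})
    return duplicates, families


if __name__ == "__main__":
    print(audit(SAMPLE_MAPS))
```

To check a live process, pass the contents of `/proc/self/maps` (or another PID's file) to `audit()` instead of the sample.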