QUIC: adjusted OpenSSL 3.5 QUIC API feature test. #749
Conversation
|
Ok, let's postpone this change until after the fixed version is released. |
|
OpenSSL 3.5.1 was just released today. Tag seems to have the fixed code in it, but I haven't tested the actual release to see if it is in proper working order. |
|
@holow29 We will likely follow with the next nginx-1.29.1 release soon, to accommodate. |
|
Rebased post cedb855. |
src/event/quic/ngx_event_quic.h
Outdated
| #define NGX_QUIC_BORINGSSL_API 1 | ||
| #define NGX_QUIC_OPENSSL_COMPAT 1 | ||
| #endif | ||
| #if (OPENSSL_VERSION_NUMBER >= 0x3050001fL) |
There was a problem hiding this comment.
This does not seem to work with openssl 3.5.1 release.
The last f of the version is not used since openssl/openssl@26b7cc0
The relevant part of the change:
- {- $config{prerelease}
- ? << "_____"
- # define OPENSSL_VERSION_PRE_RELEASE "$config{prerelease}"
- _____
- : << "_____"
- # undef OPENSSL_VERSION_PRE_RELEASE
- _____
-}
+ # define OPENSSL_VERSION_PRE_RELEASE "{- $config{prerelease} -}"Current opensslv.h.in, _OPENSSL_VERSION_PRE_RELEASE is always 0x0L:
# define OPENSSL_VERSION_PRE_RELEASE "{- $config{prerelease} -}"
...
# ifdef OPENSSL_VERSION_PRE_RELEASE
# define _OPENSSL_VERSION_PRE_RELEASE 0x0L
# else
# define _OPENSSL_VERSION_PRE_RELEASE 0xfL
# endif
# define OPENSSL_VERSION_NUMBER \
( (OPENSSL_VERSION_MAJOR<<28) \
|(OPENSSL_VERSION_MINOR<<20) \
|(OPENSSL_VERSION_PATCH<<4) \
|_OPENSSL_VERSION_PRE_RELEASE )
There was a problem hiding this comment.
The behaviour was changed in OpenSSL 3.0.0.
Actually, building with OpenSSL starting with this release version will make OPENSSL_VERSION_NUMBER to contain 30000000 (in hex).
This is actually documented, comparing the documentation in OpenSSL 1.1.1 versus OpenSSL 3.0+:
https://docs.openssl.org/1.1.1/man3/OPENSSL_VERSION_NUMBER/
OPENSSL_VERSION_NUMBER is a numeric release version identifier:
MNNFFPPS: major minor fix patch status
The status nibble has one of the values 0 for development, 1 to e for betas 1 to 14, and f for release.
https://docs.openssl.org/3.0/man3/OpenSSL_version/
OPENSSL_VERSION_NUMBER is a combination of the major, minor and patch version into a single integer 0xMNN00PP0L
Note the status nibble is always zero.
I will update the patch.
Note that there are existing checks for OpenSSL 3.0+ in the tree, they will need to be similarly fixed.
A bug with the "quic_transport_parameters" extension and SNI described in cedb855 is now fixed in the OpenSSL 3.5.1 release, as requested in openssl/openssl#27706.
In OpenSSL 3.5.0, the "quic_transport_parameters" extension set internally by the QUIC API is cleared on the SSL context switch, which disables sending QUIC transport parameters if switching to a different server block on SNI. See the initial report in [1].
The test was narrowed down to the version number, in anticipation for the upcoming OpenSSL 3.5.1 release with the required bugfix [2]. Using OpenSSL 3.5.0 now falls back to the OpenSSL compat layer.
[1] #711
[2] openssl/openssl@45bd3c3798