On Thu, Dec 15, 2022 at 11:39:16PM -0700, Shawn Heisey wrote:
> On 12/15/22 21:49, Willy Tarreau wrote:
> > There's currently a great momentum around WolfSSL that was already
> > adopted by Apache, Curl, and Ngtcp2 (which is the QUIC stack that
> > powers most HTTP/3-compatible agents). Its support on haproxy is
> > making fast progress thanks to the efforts on the two sides, and it's
> > pleasant to speak to people who care about performance.
>
> What would be your recommendation right now for a quic-enabled library to
> use with haproxy? Are there any choices better than quictls 1.1.1?
> Is wolfSSL support far enough along that I could build and try it and have
> some hope of success, or should I stick with quictls for now?

For now I'd say that quictls 1.1.1 is the best option. 1.1.x doesn't scale
very well, but at least it doesn't collapse under load like 3.0. And
admittedly, support for openssl is proven by now. Other libs are either
unmaintainable (BoringSSL, with no release cycle and an API that regularly
breaks the build in the middle of our stable branches), lagging a bit behind
(LibreSSL has not caught up with 1.1.1 on everything and is measurably
slower), not supported yet (GnuTLS), or only starting to be supported by
haproxy (WolfSSL).

Thus I'd suggest, in this order:

- if you don't want to use QUIC and have a small or personal site, use your
  distro's package, even if it's 3.0; you're unlikely to notice the
  performance problems.

- if you don't want to use QUIC but have a moderate to large site, use
  openssl 1.1.1, which is easily achieved by staying on the current LTS
  distros that still provide it. This way you won't need to build and
  maintain your own package.

- if you want to use QUIC, use quictls-1.1.1. Once you have to build
  something yourself, you definitely don't want to waste your time on the
  performance-crippled 3.0, and 1.1.1 will change less often than 3.0, so
  that also means fewer package updates.

- if you want to experiment with QUIC and help developers, running
  compatibility tests with the latest haproxy master and the latest WolfSSL
  master could be useful. I just don't know if the maintainers are ready to
  receive lots of uncoordinated reports yet; I'm aware that they're still in
  the process of fixing a few basic integration issues that will make things
  run much more smoothly soon. Similarly, LibreSSL's QUIC support is very
  recent (3.6) and few people seem to use LibreSSL; I don't know how well
  it's supported in distros these days. More tests on this one would
  probably be nice and may possibly encourage its support.

> My websites
> certainly aren't anything mission-critical, but there are people that would
> be annoyed if I have problems.

That's a good reason for staying on quictls for now. That's what we're doing
on haproxy.org as well.

> Email is more important than the websites,
> and that's directly on the Internet in my AWS instance, not going through
> haproxy.

OK. This part should definitely not be touched under any circumstance.

Hoping this helps,
Willy
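As an added example (not part of the thread, nor haproxy's own tooling): a small check that reads `haproxy -vv` output and reports which of the library tiers discussed above a given build actually falls into. It assumes the "Built with OpenSSL version :" and "Feature list :" line formats and the version prefixes each library reports; the sample output at the bottom is constructed, not captured from a real build.

```sh
#!/bin/sh
# Map the TLS library haproxy was built against onto the tiers from the mail.
# Reads `haproxy -vv` output on stdin:   haproxy -vv | classify_tls
# Assumed line formats (verify against your own build):
#   "Built with OpenSSL version : <OPENSSL_VERSION_TEXT>"
#   "Feature list : +EPOLL ... +QUIC ..."
classify_tls() {
    out=$(cat)
    ver=$(printf '%s\n' "$out" | sed -n 's/^Built with OpenSSL version : *//p' | head -n 1)
    quic=no
    printf '%s\n' "$out" | grep -q '^Feature list :.*+QUIC' && quic=yes

    # Assumed prefixes: quictls keeps the OpenSSL string and appends "+quic";
    # LibreSSL and wolfSSL report their own names in OPENSSL_VERSION_TEXT.
    case "$ver" in
        "OpenSSL 1.1.1"*"+quic"*)
            echo "quictls 1.1.1 (QUIC=$quic): recommended for QUIC" ;;
        "OpenSSL 1.1.1"*)
            echo "OpenSSL 1.1.1 (QUIC=$quic): fine for TCP/TLS, no QUIC" ;;
        "OpenSSL 3."*)
            echo "OpenSSL 3.x (QUIC=$quic): ok for small sites, scales poorly" ;;
        "LibreSSL "*)
            echo "LibreSSL (QUIC=$quic): slower; QUIC support is recent" ;;
        "wolfSSL "*)
            echo "wolfSSL (QUIC=$quic): experimental with haproxy" ;;
        "")
            echo "no TLS library line found in input"; return 2 ;;
        *)
            echo "unknown library: $ver"; return 2 ;;
    esac
}

# Constructed sample of `haproxy -vv` output for a quictls build.
SAMPLE='HAProxy version 2.7.0 2022/12/01 - https://haproxy.org/
Built with OpenSSL version : OpenSSL 1.1.1s+quic  1 Nov 2022
Running on OpenSSL version : OpenSSL 1.1.1s+quic  1 Nov 2022
Feature list : +EPOLL -KQUEUE +NETFILTER +PCRE +OPENSSL +QUIC +ZLIB'

printf '%s\n' "$SAMPLE" | classify_tls
```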