Re: [ANNOUNCE] haproxy-3.1-dev2

Fri, 26 Jul 2024 00:55:55 -0700 

Hi.

On 2024-07-25 (Do.) 23:22, Илья Шипицин wrote:




чт, 25 июл. 2024 г. в 22:00, Илья Шипицин <chipits...@gmail.com 
<mailto:chipits...@gmail.com>>:




    чт, 25 июл. 2024 г. в 14:27, William Lallemand <wlallem...@irq6.net
    <mailto:wlallem...@irq6.net>>:

        On Wed, Jul 03, 2024 at 11:51:21PM +0200, William Lallemand wrote:
         > > aws-lc implements chacha20_poly1305 in a different way than 
QuicTLS.
         > > and if that gap is eliminated, it will be a good point to declare
        aws-lc as
         > > a recommended QUIC lib.
         > >
         > > if we compare aws-lc against openssl-1.1 (not quictls), it is 
indeed
         > > matches (maybe except some niche features like async)
         > >
         >
         > BoringSSL, LibreSSL, and AWS-LC uses the EVP_AEAD API, basically we
        would need
         > to use EVP_aead_chacha20_poly1305() instead of
        EVP_chacha20_poly1305(), and
         > EVP_aead_chacha20_poly1305() instead of EVP_chacha20() and uses the
        EVP_AEAD
         > functions. IMHO this is not a huge change and this is doable, we just
        need to
         > invest some time on it.
         >
         > Regards,

        FYI I just push some patches that implements the CHACHA20_POLY1305 for
        QUIC with AWS-LC.


    nice, it passes chacha20 test!

        We now handle with AWS-LC for QUIC:
        - TLS_AES_128_GCM_SHA256
        - TLS_AES_256_GCM_SHA384
        - TLS_CHACHA20_POLY1305_SHA256

        The TLS_AES_128_CCM_SHA256 cipher is not implemented by AWS-LC, and is
        disabled by default in a lot of stack anyway.


next point: 0-RTT



Sorry for the stupid questions but as I don't maintain any QUIC based apps I'm 
curious if this really makes any differences compared to "normal" requests.


How often is this really used in the real world setup?
Have anybody seen any real benefit for users out there with 0-RTT?


according to haproxy/include/haproxy/openssl-compat.h at master · 
haproxy/haproxy (github.com) 
<https://github.com/haproxy/haproxy/blob/master/include/haproxy/openssl-compat.h#L117-L119>

0-RTT support depends on SSL_OP_NO_ANTI_REPLAY (which is not defined for AWS-LC)

thus it is not possible to satisfy that condition


haproxy/src/quic_ssl.c at master · haproxy/haproxy (github.com) 
<https://github.com/haproxy/haproxy/blob/master/src/quic_ssl.c#L765-L772>



AWS-LC (inherited from BoringSSL) supports 0-RTT in its own way not compatible 
with QuicTLS ((



        Regards,


        -- 
        William Lallemand


Regards
Alex
























					Reply via email to