Quic should support OpenSSL 3.x #81801
Description
Depends on microsoft/msquic#2039
MsQuic work:
Perf/Stress/Load tests known issues:
- OpenSSL 3.0 has perf regression in throughput and Handshake per second -- OpenSSL v3 Perf Regressions (from v1.1) microsoft/msquic#3410
- Considered fixed by updating to OpenSSL 3.1
Functional tests known issues:
- Tests that rely on resumption ticket callbacks are failing -- Support QuicTLS (OpenSSL) 3.0 microsoft/msquic#2039
- fixed in main: fix MAC_CTX creation with OpenSSL 3 microsoft/msquic#3436
Publishing of the changes:
- We need packages posted to appropriate feeds
- packaging does not work for OpenSSL 3 microsoft/msquic#3443
- as this is getting fixed in main we are waiting for the next release msquic 2.2 unless we decide to port
- Make sure that the published package is usable and works with .NET runtime
- consume it in some of our docker images
- Manually verified on Ubuntu 22.04 Helix & Docker images
- Ubuntu 22.04 x64 (Helix) & Arm64 (Docker) successfully running in CI on the official 2.2.1 msquic package with OpenSSL 3 support
- consume it in some of our docker images
PRs:
- Enable use of OpenSSL 3 without deprecated functions microsoft/msquic#2083
- Add support for OpenSSL 3 as alternative TLS microsoft/msquic#3387
- fix MAC_CTX creation with OpenSSL 3 microsoft/msquic#3436
- improve OpenSSL detection during build microsoft/msquic#3390
- Onboard Tests for OpenSSL 3 microsoft/msquic#3388
- Fix Manual Flag for OpenSSL3 Perf Pipeline microsoft/msquic#3418
- Use same Tls as Prep microsoft/msquic#3429 ???
Runtime
Functional
- get some docker images with libmsquic from main that contains OpenSSL 3 -- @wfurt
- added update alpine test images #81841 to include Alpine 3.17 as extra-platform
- update msquic for Ubuntu 22 dotnet-buildtools-prereqs-docker#808
- find the intersection between distributions with OpenSSL 3 (from list bellow) and what we use in our infrastructure, list them, and use them for the item above -- @wfurt
- the end goal is to use libmsquic for OpenSSL 3 on all platforms / distributions in our CI that ship with OpenSSL 3 as default
- We only test Ubuntu 22.04 (x64 & arm64). In general, runtime seems to be lacking coverage for new OS versions.
Currently there are following Linux distributions we support that use OpenSSL 3 by default:
- Alpine 3.17+
- (to be released) Debian 12+
- Fedora 36+
- RHEL 9+ (CentOS Stream 9+ etc)
- Ubuntu 22.04+
With exception of Ubuntu (and unreleased Debian) the distributions offer a compatibility OpenSSL 1.1 package.
We should strategically decide what combinations to test. (perhaps also use extra-platforms pipeline for occasional spot-check)
Stress
- run stress locally with the current libmsquic with OpenSSL 3 -- @ManickaP -- see results at Quic should support OpenSSL 3.x #81801 (comment)
We should perhaps have at least one test runs with OpenSSL 3 since that is significantly different variant.
Perf
- run perf baseline locally, confirm it's somewhat stable and run it with libmsquic main with OpenSSL 3 -- @CarnaViire
Since the perf issues mentioned above, we should perhaps have separate benchmark for Linux with OpenSSL 3.