Adjust the http3 demo client so it works better on dual stack hosts. This
fixes the case when DNS returns both IPv4 and IPv6 addresses for host we try to
reach. The current code just uses the first address found in DNS answer. If
things are unfortunate and the service (port number) demo client tries to reach
does not listen on the address then demo gives up and exits.
Demo can do better. The RFC 6555 suggests application should try to reach the
service on the next address returned by DNS, when the first attempt fails for
the first address returned by DNS. This change helps with situation when DNS
prefers, let' say, IPv6 address, but the service is reachable via IPv4 only.
In that case application sees the failure on the first attempt to connect to
remote server over IPv6, but the second attempt that uses IPv4 is going to
succeed.
This extra handling is required for QUIC which uses UDP protocol. For TLS
client which uses TCP all this happens inside BIO layer which tries to
establish TCP connection. There is no TCP-handshake on UDP protocol so
BIO can not see the service is not reachable on requested address.
Fixes: #28331
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28802)
The validation was checking the default 'bits' value (4096) instead of
the parsed 'bits_i' from the command line arguments, allowing invalid
key sizes to bypass the 512-bit minimum.
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/28139)
The server_running variable is declared as volatile and some comments in
the code are mentioning about implementing CTRL+C handler in the future.
In the client handling loop, the client_skt is closed at the end of the
loop if server_running is true. If (future) CTRL+C handler changes
server_running to false at this time. The next accept will not happen
and the exit clean up code will close client_skt for the second time.
This patch fixes this potential double close by setting client_skt back
to -1 after closing it.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27405)
stack. The server currently replies with HTTP 200 OK only. It provides
text/plain response body.
It only accepts GET request with any URI. Any other requests will
make server to drop stream/connection.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27508)
Several servers defer the sending of max stream frames. For instance
quic-go uses a go-routine to do the sending after sufficient existing
streams have finished, while mvfst seems to wait for all outstanding
streams to be closed before issuing a new batch. This result in the
client, if all streams are in use, getting a transient NULL return from
SSL_new_stream(). Check for the stream limit being reached and allow a
number of retries before giving up to give the server a chance to issue
us more streams. Also dead-reckon the batch count of streams we use in
parallel to be 1/4 of our total number of available streams (generally
hard coded to 100 for most servers) to avoid using all our streams at
once. It would be really nice to have an api to expose our negotiated
transport parameters so that the application can know what this limit
is, but until then we have to just guess.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26527)
On working on a rebase for the quic-server branch, I noted that the
rebase was failing on the http3 server. It occurs because the new CI
ubuntu container appears to have FORTIFY_SOURCE enabled and trips over
the call to read here. Specifically the compiler notes that in passing
an int into the read syscall (which accepts a size_t as the 3rd
argument), may interpret a negative value as a very large unsigned value
that exeeds the size allowed by a read call.
Fix it by converting the size variable to a size_t to ensure that the
signing is correct
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26368)
Normally the throughput test in the interop harness requests several
hundred very small files, resulting in lots of small stream packets from
the client, which are nominally read in a single read operation (as they
typically fit into a single stream frame), and the server was written to
expect that. However, its still possible, if a stream frame is packed
to the end of a datagram, that only part of its content is carried,
finished in a subsequent stream packet, which leads to a short read.
Augment the server to properly handle SSL_read transient failures so
that such an occurance is handled properly.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26198)
SSL_poll() without SSL_POLL_FLAG_NO_HANDLE_EVENT ticks for each stream
we have in SSL_poll() that prevents the server logic to get all events
Use SSL_poll() with SSL_POLL_FLAG_NO_HANDLE_EVENT and
SSL_handle_events() prevents the problem.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25859)
the quic-interop-runner that we use for interop testing currently only
supports openssl client testing, as we had previously not had a server
to test with.
This PR rectifies that by doing the following:
1) Adding a quic-hq-interop-server.c file in demos/guide
2) Augmenting our interop Dockerfile and entrypoint to support our
interop containter running in a server role
With these changes we are able to do server side interop testing
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26000)
