cloudflare / sslconfig

Cloudflare's Internet facing SSL configuration
BSD 3-Clause "New" or "Revised" License

Failed hunks at nginx_http2_hpack.patch -> which nginx version? #71

Closed HansVanEijsden closed 7 years ago

HansVanEijsden commented 7 years ago

First of all, thanks for the patch! Unfortunately I get some Hunk FAILED messages. I tried applying the patch on nginx 1.13.1 and 1.12.0 - both with these failed hunks:

patching file auto/modules
patching file auto/options
patching file src/core/ngx_murmurhash.c
Hunk #1 succeeded at 48 (offset -2 lines).
patching file src/core/ngx_murmurhash.h
patching file src/http/v2/ngx_http_v2.c
Hunk #2 succeeded at 2036 (offset 16 lines).
patching file src/http/v2/ngx_http_v2.h
Hunk #5 succeeded at 393 (offset -8 lines).
patching file src/http/v2/ngx_http_v2_filter_module.c
Hunk #2 succeeded at 46 with fuzz 2 (offset -2 lines).
Hunk #3 succeeded at 129 (offset -4 lines).
Hunk #4 succeeded at 138 (offset -4 lines).
Hunk #5 succeeded at 401 (offset -4 lines).
Hunk #6 succeeded at 409 (offset -4 lines).
Hunk #7 succeeded at 429 (offset -4 lines).
Hunk #8 succeeded at 476 (offset -4 lines).
Hunk #9 succeeded at 528 with fuzz 1 (offset -4 lines).
Hunk #10 FAILED at 564.
Hunk #11 FAILED at 634.
Hunk #12 FAILED at 660.
Hunk #13 succeeded at 583 (offset -116 lines).
3 out of 13 hunks FAILED -- saving rejects to file src/http/v2/ngx_http_v2_filter_module.c.rej
patching file src/http/v2/ngx_http_v2_table.c

Am I doing something wrong? Is it for another nginx version?

vkrasnov commented 7 years ago

That patch is based on the current HEAD version.

vkrasnov commented 7 years ago

Hi @HansVanEijsden, do you mind trying https://github.com/cloudflare/sslconfig/blob/hpack_1.13.1/patches/nginx_1.13.1_http2_hpack.patch?

I didn't test it very well though.

Thanks.

HansVanEijsden commented 7 years ago

Wow @vkrasnov I didn't expect such a quick solution, thanks so much! I just wanted to go to bed but couldn't wait, so I tried the above patch for 1.13.1 but unfortunately, no luck:

cc -c -pipe  -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -DTCP_FASTOPEN=23 -O3 -march=native -flto -DNDK_SET_VAR -DNDK_UPSTREAM_LIST -I src/core -I src/event -I src/event/modules -I src/os/unix -I /usr/local/src/ngx_brotli_module/brotli/include/ -I /usr/local/src/ngx_devel_kit/objs -I objs/addon/ndk -I /usr/local/src/openssl-1.0.2l/.openssl/include -I objs -I src/http -I src/http/modules -I src/http/v2 -I /usr/local/src/ngx_devel_kit/src -I /usr/local/src/ngx_devel_kit/src -I /usr/local/src/ngx_devel_kit/objs -I objs/addon/ndk \
    -o objs/src/http/v2/ngx_http_v2_table.o \
    src/http/v2/ngx_http_v2_table.c
src/http/v2/ngx_http_v2_table.c: In function 'hpack_get_static_index':
src/http/v2/ngx_http_v2_table.c:727:9: error: dereferencing type-punned pointer will break strict-aliasing rules [-Werror=strict-aliasing]
         if (pref != *(uint64_t *) header->val) {
         ^
src/http/v2/ngx_http_v2_table.c:741:18: error: dereferencing type-punned pointer will break strict-aliasing rules [-Werror=strict-aliasing]
                  != (*(uint64_t *) &val[i]| 0x2020202020202020) )
                  ^

This is my complete ./configure command:

./configure --prefix=/opt/nginx \
--user=www-data \
--group=www-data \
--add-module=/usr/local/src/ngx_brotli_module \
--with-http_v2_module \
--with-http_ssl_module \
--with-http_v2_hpack_enc \
--with-openssl=/usr/local/src/openssl-$OPENSSLV \
--with-openssl-opt="enable-ec_nistp_64_gcc_128 -DCFLAGS='-O3 -march=native -flto'" \
--with-pcre-jit \
--with-file-aio \
--with-http_flv_module \
--with-http_geoip_module \
--with-http_mp4_module \
--with-http_realip_module \
--with-http_stub_status_module \
--with-threads \
--add-module=/usr/local/src/headers-more-nginx-module \
--add-module=/usr/local/src/echo-nginx-module \
--add-module=/usr/local/src/ngx_http_substitutions_filter_module \
--add-module=/usr/local/src/srcache-nginx-module \
--add-module=/usr/local/src/redis2-nginx-module \
--add-module=/usr/local/src/ngx_http_redis-0.3.8 \
--add-module=/usr/local/src/ngx_devel_kit \
--add-module=/usr/local/src/set-misc-nginx-module \
--with-cc-opt="-DTCP_FASTOPEN=23 -O3 -march=native -flto" \
--with-ld-opt="-DTCP_FASTOPEN=23 -O3 -march=native -flto"

First some sleep, tomorrow another day. Can't wait to see the results, especially after reading https://blog.cloudflare.com/hpack-the-silent-killer-feature-of-http-2/ 😉

vkrasnov commented 7 years ago

Thanks for trying @HansVanEijsden, sorry it didn't work :)

I think the "problem" is the -O3 flag.

centminmod commented 7 years ago

@HansVanEijsden are you using OpenSSL 1.1.x by any chance and not OpenSSL 1.0.2 branch against Nginx? I get this exact error when using CentOS 7.3 64bit with OpenSSL 1.1.0f https://gist.github.com/centminmod/517fd3edc61b7a7d1371e113b6461eef

but works fine with 1.13.1 version of HPACK patch with OpenSSL 1.0.2l

patch -p1 < nginx_1.13.1_http2_hpack.patch
patching file auto/modules
patching file auto/options
patching file src/core/ngx_murmurhash.c
patching file src/core/ngx_murmurhash.h
patching file src/http/v2/ngx_http_v2.c
patching file src/http/v2/ngx_http_v2.h
patching file src/http/v2/ngx_http_v2_filter_module.c
patching file src/http/v2/ngx_http_v2_table.c

nginx -V
nginx version: nginx/1.13.1
built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
built with OpenSSL 1.0.2l 25 May 2017
TLS SNI support enabled
configure arguments: --with-ld-opt='-ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/lib' --with-cc-opt='-m64 -mtune=native -mfpmath=sse -DTCP_FASTOPEN=23 -g -O3 -fstack-protector -fuse-ld=gold --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wno-sign-compare -Wno-string-plus-int -Wno-deprecated-declarations -Wno-unused-parameter -Wno-unused-const-variable -Wno-conditional-uninitialized -Wno-mismatched-tags -Wno-sometimes-uninitialized -Wno-parentheses-equality -Wno-tautological-compare -Wno-self-assign -Wno-deprecated-register -Wno-deprecated -Wno-invalid-source-encoding -Wno-pointer-sign -Wno-parentheses -Wno-enum-conversion -Wno-c++11-compat-deprecated-writable-strings -Wno-write-strings -gsplit-dwarf' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --with-compat --with-http_stub_status_module --with-http_secure_link_module --with-libatomic --with-http_gzip_static_module --with-http_sub_module --with-http_addition_module --with-http_image_filter_module=dynamic --with-http_geoip_module --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_preread_module --with-threads --with-stream=dynamic --with-stream_ssl_module --with-http_realip_module --add-dynamic-module=../ngx-fancyindex-0.4.0 --add-module=../ngx_cache_purge-2.3 --add-module=../ngx_devel_kit-0.3.0 --add-module=../set-misc-nginx-module-0.31 --add-module=../echo-nginx-module-0.60 --add-module=../redis2-nginx-module-0.14 --add-module=../ngx_http_redis-0.3.7 --add-module=../memc-nginx-module-0.18 --add-module=../srcache-nginx-module-0.31 --add-module=../headers-more-nginx-module-0.32 --with-pcre=../pcre-8.40 --with-pcre-jit --with-zlib=../zlib-1.2.11 --with-http_ssl_module --with-http_v2_module --with-openssl=../openssl-1.0.2l

grep -C3 -rnw NGX_HTTP_V2_HPACK_ENC /svr-setup/nginx-1.13.1 | grep -v  '.patch'
/svr-setup/nginx-1.13.1/src/http/v2/ngx_http_v2_filter_module.c-416-        pos = ngx_http_v2_write_int(pos, ngx_http_v2_prefix(5),
/svr-setup/nginx-1.13.1/src/http/v2/ngx_http_v2_filter_module.c-417-                                    h2c->max_hpack_table_size);
/svr-setup/nginx-1.13.1/src/http/v2/ngx_http_v2_filter_module.c-418-        h2c->indicate_resize = 0;
/svr-setup/nginx-1.13.1/src/http/v2/ngx_http_v2_filter_module.c:419:#if (NGX_HTTP_V2_HPACK_ENC)
/svr-setup/nginx-1.13.1/src/http/v2/ngx_http_v2_filter_module.c-420-        ngx_http_v2_table_resize(h2c);
/svr-setup/nginx-1.13.1/src/http/v2/ngx_http_v2_filter_module.c-421-#endif
/svr-setup/nginx-1.13.1/src/http/v2/ngx_http_v2_filter_module.c-422-    }
--
/svr-setup/nginx-1.13.1/src/http/v2/ngx_http_v2_table.c-349-}
/svr-setup/nginx-1.13.1/src/http/v2/ngx_http_v2_table.c-350-
/svr-setup/nginx-1.13.1/src/http/v2/ngx_http_v2_table.c-351-
/svr-setup/nginx-1.13.1/src/http/v2/ngx_http_v2_table.c:352:#if (NGX_HTTP_V2_HPACK_ENC)
/svr-setup/nginx-1.13.1/src/http/v2/ngx_http_v2_table.c-353-
/svr-setup/nginx-1.13.1/src/http/v2/ngx_http_v2_table.c-354-static ngx_int_t
/svr-setup/nginx-1.13.1/src/http/v2/ngx_http_v2_table.c-355-hpack_get_static_index(ngx_http_v2_connection_t *h2c, u_char *val, size_t len);
--
/svr-setup/nginx-1.13.1/src/http/v2/ngx_http_v2.h-117-} ngx_http_v2_hpack_t;
/svr-setup/nginx-1.13.1/src/http/v2/ngx_http_v2.h-118-
/svr-setup/nginx-1.13.1/src/http/v2/ngx_http_v2.h-119-
/svr-setup/nginx-1.13.1/src/http/v2/ngx_http_v2.h:120:#if (NGX_HTTP_V2_HPACK_ENC)
/svr-setup/nginx-1.13.1/src/http/v2/ngx_http_v2.h-121-typedef struct {
/svr-setup/nginx-1.13.1/src/http/v2/ngx_http_v2.h-122-    uint64_t                         hash_val;
/svr-setup/nginx-1.13.1/src/http/v2/ngx_http_v2.h-123-    uint32_t                         index;
--
/svr-setup/nginx-1.13.1/src/http/v2/ngx_http_v2.h-197-    unsigned                         goaway:1;
/svr-setup/nginx-1.13.1/src/http/v2/ngx_http_v2.h-198-    unsigned                         indicate_resize:1;
/svr-setup/nginx-1.13.1/src/http/v2/ngx_http_v2.h-199-
/svr-setup/nginx-1.13.1/src/http/v2/ngx_http_v2.h:200:#if (NGX_HTTP_V2_HPACK_ENC)
/svr-setup/nginx-1.13.1/src/http/v2/ngx_http_v2.h-201-    ngx_http_v2_hpack_enc_t          hpack_enc;
/svr-setup/nginx-1.13.1/src/http/v2/ngx_http_v2.h-202-#endif
/svr-setup/nginx-1.13.1/src/http/v2/ngx_http_v2.h-203-};
--
--
--
--
--
--
/svr-setup/nginx-1.13.1/auto/modules-437-    fi
/svr-setup/nginx-1.13.1/auto/modules-438-
/svr-setup/nginx-1.13.1/auto/modules-439-    if [ $HTTP_V2_HPACK_ENC = YES ]; then
/svr-setup/nginx-1.13.1/auto/modules:440:        have=NGX_HTTP_V2_HPACK_ENC . auto/have
/svr-setup/nginx-1.13.1/auto/modules-441-    fi
/svr-setup/nginx-1.13.1/auto/modules-442-
/svr-setup/nginx-1.13.1/auto/modules-443-    if :; then

centminmod commented 7 years ago

k seems to work with openssl 1.1.0f

nginx -V
nginx version: nginx/1.13.1
built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
built with OpenSSL 1.1.0f 25 May 2017
TLS SNI support enabled
configure arguments: --with-ld-opt='-ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/lib' --with-cc-opt='-m64 -mtune=native -mfpmath=sse -DTCP_FASTOPEN=23 -g -O3 -fstack-protector -fuse-ld=gold --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wno-sign-compare -Wno-string-plus-int -Wno-deprecated-declarations -Wno-unused-parameter -Wno-unused-const-variable -Wno-conditional-uninitialized -Wno-mismatched-tags -Wno-sometimes-uninitialized -Wno-parentheses-equality -Wno-tautological-compare -Wno-self-assign -Wno-deprecated-register -Wno-deprecated -Wno-invalid-source-encoding -Wno-pointer-sign -Wno-parentheses -Wno-enum-conversion -Wno-c++11-compat-deprecated-writable-strings -Wno-write-strings -gsplit-dwarf' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --with-compat --with-http_stub_status_module --with-http_secure_link_module --with-libatomic --with-http_gzip_static_module --with-http_sub_module --with-http_addition_module --with-http_image_filter_module=dynamic --with-http_geoip_module --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_preread_module --with-threads --with-stream=dynamic --with-stream_ssl_module --with-http_realip_module --add-dynamic-module=../ngx-fancyindex-0.4.0 --add-module=../ngx_cache_purge-2.3 --add-module=../ngx_devel_kit-0.3.0 --add-module=../set-misc-nginx-module-0.31 --add-module=../echo-nginx-module-0.60 --add-module=../redis2-nginx-module-0.14 --add-module=../ngx_http_redis-0.3.7 --add-module=../memc-nginx-module-0.18 --add-module=../srcache-nginx-module-0.31 --add-module=../headers-more-nginx-module-0.32 --with-pcre=../pcre-8.40 --with-pcre-jit --with-zlib=../zlib-1.2.11 --with-http_ssl_module --with-http_v2_module --with-openssl=../openssl-1.1.0f

HansVanEijsden commented 7 years ago

@vkrasnov removing -O3 made a successful build, thanks for the suggestion.

$ h2load https://www.hansvaneijsden.com -n 1  | tail -6 |head -1  
traffic: 60.63KB (62089) total, 473B (473) headers (space savings 23.46%), 60.04KB (61486) data
$ h2load https://www.hansvaneijsden.com -n 2  | tail -6 |head -1  
traffic: 121.16KB (124065) total, 882B (882) headers (space savings 28.64%), 120.09KB (122972) data
$ h2load https://www.hansvaneijsden.com -n 4  | tail -6 |head -1  
traffic: 242.20KB (248017) total, 1.66KB (1700) headers (space savings 31.23%), 240.18KB (245944) data

rugk commented 7 years ago

And what does -O3 do?

HansVanEijsden commented 7 years ago

-O3 enables various sorts of optimizations, making the compiler attempt to improve the performance and/or code size at the expense of compilation time and possibly the ability to debug the program. More information: https://gcc.gnu.org/onlinedocs/gcc/Optimize-Options.html

rugk commented 7 years ago

But removing it for a patch, which also just is about optimizing performance, is not good IMHO. Does it at least work with -O2 or so?

HansVanEijsden commented 7 years ago

Nope, unfortunately also the same error with -O2. See https://github.com/cloudflare/sslconfig/issues/72#issuecomment-310659418 for the related discussion.

HansVanEijsden commented 7 years ago

Currently I'm running it with the patch and with -O3 without problems, after enabling -Wno-error=strict-aliasing. I'm monitoring and all seems just fine, but I will keep an eye on it, @centminmod can you please test too?

$ /opt/nginx/sbin/nginx -V
nginx version: nginx/1.13.1
built by gcc 4.9.2 (Debian 4.9.2-10)
built with OpenSSL 1.0.2l 25 May 2017
TLS SNI support enabled
configure arguments: --prefix=/opt/nginx --user=www-data --group=www-data --add-module=/usr/local/src/ngx_brotli_module --with-http_v2_module --with-http_ssl_module --with-http_v2_hpack_enc --with-openssl=/usr/local/src/openssl-1.0.2l --with-openssl-opt='enable-ec_nistp_64_gcc_128 -DCFLAGS='-march=native -O3 -flto'' --with-pcre-jit --with-file-aio --with-http_flv_module --with-http_geoip_module --with-http_mp4_module --with-http_realip_module --with-http_stub_status_module --with-threads --add-module=/usr/local/src/headers-more-nginx-module --add-module=/usr/local/src/echo-nginx-module --add-module=/usr/local/src/ngx_http_substitutions_filter_module --add-module=/usr/local/src/srcache-nginx-module --add-module=/usr/local/src/redis2-nginx-module --add-module=/usr/local/src/ngx_http_redis-0.3.8 --add-module=/usr/local/src/ngx_devel_kit --add-module=/usr/local/src/set-misc-nginx-module --with-cc-opt='-DTCP_FASTOPEN=23 -march=native -flto -O3 -Wno-error=strict-aliasing -fstack-protector-strong -fuse-ld=gold --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -gsplit-dwarf' --with-ld-opt=-Wl,-z,relro

vkrasnov commented 7 years ago

@HansVanEijsden the compression ratio you get is pretty bad. For some reason I get much better compression (60%) when I proxy your website (which is awesome!) on my computer. Any chance you could send me the debug log from nginx when you run "h2load -n 2" ?

centminmod commented 7 years ago

@HansVanEijsden can confirm -Wno-error=strict-aliasing fixes -O3 usage with this patch

nginx -V
nginx version: nginx/1.13.1
built by gcc 6.2.1 20160916 (Red Hat 6.2.1-3) (GCC)
built with OpenSSL 1.1.0f 25 May 2017
TLS SNI support enabled
configure arguments: --with-ld-opt='-ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/lib' --with-cc-opt='-m64 -march=native -DTCP_FASTOPEN=23 -g -O3 -Wno-error=strict-aliasing -fstack-protector-strong -flto -fuse-ld=gold --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -gsplit-dwarf' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --with-compat --with-http_stub_status_module --with-http_secure_link_module --with-libatomic --with-http_gzip_static_module --with-http_sub_module --with-http_addition_module --with-http_image_filter_module=dynamic --with-http_geoip_module --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_preread_module --with-threads --with-stream=dynamic --with-stream_ssl_module --with-http_realip_module --add-dynamic-module=../ngx-fancyindex-0.4.0 --add-module=../ngx_cache_purge-2.3 --add-module=../ngx_devel_kit-0.3.0 --add-module=../set-misc-nginx-module-0.31 --add-module=../echo-nginx-module-0.60 --add-module=../redis2-nginx-module-0.14 --add-module=../ngx_http_redis-0.3.7 --add-module=../memc-nginx-module-0.18 --add-module=../srcache-nginx-module-0.31 --add-module=../headers-more-nginx-module-0.32 --with-pcre=../pcre-8.40 --with-pcre-jit --with-zlib=../zlib-1.2.11 --with-http_ssl_module --with-http_v2_module --with-http_v2_hpack_enc --with-openssl=../openssl-1.1.0f
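
An alias-safe form of the 8-byte compare that the strict-aliasing error in this thread points at, as an added example that is not code from the patch or from any participant; `load_u64` and `match_lower` are hypothetical names. It builds under -O3 with -Wall -Werror without -Wno-error=strict-aliasing, because the wide load goes through `memcpy` instead of a `uint64_t *` cast.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not code from the HPACK patch. The diagnostic quoted in
 * the thread is raised for expressions of this shape, where a byte buffer
 * is read through a uint64_t lvalue:
 *
 *     if (pref != *(uint64_t *) header->val) {
 *
 * GCC enables -fstrict-aliasing at -O2 and above, and -Wstrict-aliasing
 * (part of -Wall) is only active when that option is on. With -Werror the
 * warning is fatal, which matches the thread: -O2 and -O3 failed, the
 * build without them succeeded.
 */

#define LOWER_MASK 0x2020202020202020ULL

/*
 * Alias-safe, alignment-safe 8-byte load. memcpy is allowed to read any
 * object as bytes; optimizing compilers normally emit a single load.
 */
static uint64_t
load_u64(const unsigned char *p)
{
    uint64_t v;

    memcpy(&v, p, sizeof(v));
    return v;
}

/*
 * Returns 1 when the first `len` bytes of `val` equal `tag`, ignoring the
 * case of ASCII letters. Assumption of this example: `tag` is already
 * lowercase (every byte has bit 0x20 set), as a static table entry would be.
 */
static int
match_lower(const unsigned char *val, const unsigned char *tag, size_t len)
{
    size_t i = 0;

    /* Whole 8-byte words: fold case with one OR, compare with one load. */
    for (; i + 8 <= len; i += 8) {
        if ((load_u64(val + i) | LOWER_MASK) != load_u64(tag + i)) {
            return 0;
        }
    }

    /* Tail shorter than 8 bytes: byte-wise, so nothing past `len` is read. */
    for (; i < len; i++) {
        if ((val[i] | 0x20) != tag[i]) {
            return 0;
        }
    }

    return 1;
}

int
main(void)
{
    /* Constructed input; the value starts at an odd offset on purpose. */
    static const unsigned char buf[] = "xContent-Encoding";
    const unsigned char *tag = (const unsigned char *) "content-encoding";

    printf("match: %d\n", match_lower(buf + 1, tag, 16));
    return 0;
}
```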

HansVanEijsden commented 7 years ago

@vkrasnov I will recompile nginx with --with-debug later today and I will send you the debug log. I have those "pretty bad" results on all the sites and all the dev servers. I see I'm not the only one, see https://community.centminmod.com/threads/nginx-http-2-openssl-1-1-0-patch-updates.12043/#post-51101 (thanks @centminmod). ;)

vkrasnov commented 7 years ago

I suspect the 1.13.1 patch didn't apply that well after all. I will check.

HansVanEijsden commented 7 years ago

@vkrasnov here's the debug log: https://gist.github.com/HansVanEijsden/4dfd88e8b5b744477c90c958f4855c5e I checked it for sensitive information, it's fine like this. I hope it helps you! 😃

centminmod commented 7 years ago

getting better results

with OpenSSL 1.1.1-dev TLS v1.3 draft-18 branch

url=https://domain.com
for i in $(seq 1 8); do echo "h2load run $i"; h2load $url -n $i | tail -6 | head -1; done
h2load run 1
traffic: 4.02KB (4117) total, 249B (249) headers (space savings 34.99%), 3.71KB (3801) data
h2load run 2
traffic: 7.76KB (7951) total, 264B (264) headers (space savings 65.54%), 7.42KB (7602) data
h2load run 3
traffic: 11.51KB (11785) total, 279B (279) headers (space savings 75.72%), 11.14KB (11403) data
h2load run 4
traffic: 15.25KB (15619) total, 294B (294) headers (space savings 80.81%), 14.85KB (15204) data
h2load run 5
traffic: 18.00KB (19453) total, 309B (309) headers (space savings 83.86%), 18.56KB (19005) data
h2load run 6
traffic: 22.74KB (23287) total, 324B (324) headers (space savings 85.90%), 22.27KB (22806) data
h2load run 7
traffic: 26.49KB (27121) total, 339B (339) headers (space savings 87.36%), 25.98KB (26607) data
h2load run 8
traffic: 30.23KB (30955) total, 354B (354) headers (space savings 88.45%), 29.70KB (30408) data

nginx -V
nginx version: nginx/1.13.1
built by gcc 6.2.1 20160916 (Red Hat 6.2.1-3) (GCC)
built with OpenSSL 1.1.1-dev xx XXX xxxx
TLS SNI support enabled
configure arguments: --with-ld-opt='-ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/lib' --with-cc-opt='-m64 -march=native -DTCP_FASTOPEN=23 -g -O3 -Wno-error=strict-aliasing -fstack-protector-strong -flto -fuse-ld=gold --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -gsplit-dwarf' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --with-compat --with-http_stub_status_module --with-http_secure_link_module --with-libatomic --with-http_gzip_static_module --with-http_sub_module --with-http_addition_module --with-http_image_filter_module=dynamic --with-http_geoip_module --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_preread_module --with-threads --with-stream=dynamic --with-stream_ssl_module --with-http_realip_module --add-dynamic-module=../ngx-fancyindex-0.4.0 --add-module=../ngx_cache_purge-2.3 --add-module=../ngx_devel_kit-0.3.0 --add-module=../set-misc-nginx-module-0.31 --add-module=../echo-nginx-module-0.60 --add-module=../redis2-nginx-module-0.14 --add-module=../ngx_http_redis-0.3.7 --add-module=../memc-nginx-module-0.18 --add-module=../srcache-nginx-module-0.31 --add-module=../headers-more-nginx-module-0.32 --with-pcre=../pcre-8.40 --with-pcre-jit --with-zlib=../zlib-1.2.11 --with-http_ssl_module --with-http_v2_module --with-http_v2_hpack_enc --with-openssl=../openssl-tls1.3 --with-openssl-opt='enable-tls1_3'

with OpenSSL 1.1.0f

for i in $(seq 1 8); do echo "h2load run $i"; h2load $url -n $i | tail -6 | head -1; done
h2load run 1
traffic: 4.02KB (4116) total, 248B (248) headers (space savings 35.25%), 3.71KB (3801) data
h2load run 2
traffic: 7.76KB (7950) total, 263B (263) headers (space savings 65.67%), 7.42KB (7602) data
h2load run 3
traffic: 11.51KB (11784) total, 278B (278) headers (space savings 75.81%), 11.14KB (11403) data
h2load run 4
traffic: 15.25KB (15618) total, 293B (293) headers (space savings 80.87%), 14.85KB (15204) data
h2load run 5
traffic: 18.00KB (19452) total, 308B (308) headers (space savings 83.92%), 18.56KB (19005) data
h2load run 6
traffic: 22.74KB (23286) total, 323B (323) headers (space savings 85.94%), 22.27KB (22806) data
h2load run 7
traffic: 26.48KB (27120) total, 338B (338) headers (space savings 87.39%), 25.98KB (26607) data
h2load run 8
traffic: 30.23KB (30954) total, 353B (353) headers (space savings 88.48%), 29.70KB (30408) data

nginx -V
nginx version: nginx/1.13.1
built by gcc 6.2.1 20160916 (Red Hat 6.2.1-3) (GCC)
built with OpenSSL 1.1.0f 25 May 2017
TLS SNI support enabled
configure arguments: --with-ld-opt='-ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/lib' --with-cc-opt='-m64 -march=native -DTCP_FASTOPEN=23 -g -O3 -Wno-error=strict-aliasing -fstack-protector-strong -flto -fuse-ld=gold --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -gsplit-dwarf' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --with-compat --with-http_stub_status_module --with-http_secure_link_module --with-libatomic --with-http_gzip_static_module --with-http_sub_module --with-http_addition_module --with-http_image_filter_module=dynamic --with-http_geoip_module --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_preread_module --with-threads --with-stream=dynamic --with-stream_ssl_module --with-http_realip_module --add-dynamic-module=../ngx-fancyindex-0.4.0 --add-module=../ngx_cache_purge-2.3 --add-module=../ngx_devel_kit-0.3.0 --add-module=../set-misc-nginx-module-0.31 --add-module=../echo-nginx-module-0.60 --add-module=../redis2-nginx-module-0.14 --add-module=../ngx_http_redis-0.3.7 --add-module=../memc-nginx-module-0.18 --add-module=../srcache-nginx-module-0.31 --add-module=../headers-more-nginx-module-0.32 --with-pcre=../pcre-8.40 --with-pcre-jit --with-zlib=../zlib-1.2.11 --with-http_ssl_module --with-http_v2_module --with-http_v2_hpack_enc --with-openssl=../openssl-1.1.0f --with-openssl-opt='enable-ec_nistp_64_gcc_128'

HansVanEijsden commented 7 years ago

Thanks for trying that, @centminmod - I tried OpenSSL 1.1.0 3 weeks ago but I received an error on SSLLabs: "Session resumption (caching)" not supported, so I went back to OpenSSL 1.0.2. What do you get? Does session resumption work there with OpenSSL 1.1.0? If yes then I will give it a try again.

vkrasnov commented 7 years ago

Apparently the 1.13.1 patch skipped some lines. Can you try the patch again? (I amended the same commit, so you have to redownload).

centminmod commented 7 years ago

@vkrasnov that might explain my results as my script will auto download latest version of your patch with each nginx compile. So I must have grabbed your updated patch :)

@HansVanEijsden with Nginx 1.13.1 + openssl 1.1.0f dev.ssllabs.com I get

Session resumption (caching)    Yes
Session resumption (tickets)    Yes

HansVanEijsden commented 7 years ago

I will close this issue, as I have everything working with absolutely great and stunning results. I'm very happy now, don't forget to check https://github.com/cloudflare/sslconfig/issues/72 for a related discussion.