GHA/http3-linux: add OpenSSL 4 beta jobs, with ECH

Closes #21118
2026-04-14 18:11:40 +03:00 · 2026-03-27 11:03:27 +01:00 · 2026-03-27 11:03:27 +01:00 · 7523de760d
commit 7523de760d
parent c025082967
1 changed files with 86 additions and 0 deletions
--- a/.github/workflows/http3-linux.yml
+++ b/.github/workflows/http3-linux.yml
@ -37,6 +37,8 @@ env:
  CURL_TEST_MIN: 1600
  # handled in renovate.json
  OPENSSL_VERSION: 3.6.1
+  # manually bumped
+  OPENSSL4_VERSION: 4.0.0-beta1
  # renovate: datasource=github-tags depName=libressl/portable versioning=semver registryUrl=https://github.com
  LIBRESSL_VERSION: 4.2.1
  # renovate: datasource=github-tags depName=awslabs/aws-lc versioning=semver registryUrl=https://github.com
@ -73,6 +75,15 @@ jobs:
          path: ~/openssl/build
          key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.OPENSSL_VERSION }}

+      - name: 'cache openssl4'
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        id: cache-openssl4-http3-no-deprecated
+        env:
+          cache-name: cache-openssl4-http3-no-deprecated
+        with:
+          path: ~/openssl4/build
+          key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.OPENSSL_VERSION }}
+
      - name: 'cache libressl'
        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
        id: cache-libressl
@ -146,6 +157,15 @@ jobs:
          key: "${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.NGTCP2_VERSION }}-${{ env.OPENSSL_VERSION }}-\
            ${{ env.LIBRESSL_VERSION }}-${{ env.AWSLC_VERSION }}-${{ env.NETTLE_VERSION }}-${{ env.GNUTLS_VERSION }}-${{ env.WOLFSSL_VERSION }}"

+      - name: 'cache ngtcp2 openssl4'
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        id: cache-ngtcp2-openssl4
+        env:
+          cache-name: cache-ngtcp2-openssl4
+        with:
+          path: ~/ngtcp2-openssl4/build
+          key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.NGTCP2_VERSION }}-${{ env.BORINGSSL_VERSION }}
+
      - name: 'cache ngtcp2 boringssl'
        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
        id: cache-ngtcp2-boringssl
@ -168,6 +188,7 @@ jobs:
      - id: settings
        if: >-
          ${{ steps.cache-openssl-http3-no-deprecated.outputs.cache-hit != 'true' ||
+              steps.cache-openssl4-http3-no-deprecated.outputs.cache-hit != 'true' ||
              steps.cache-libressl.outputs.cache-hit != 'true' ||
              steps.cache-awslc.outputs.cache-hit != 'true' ||
              steps.cache-boringssl.outputs.cache-hit != 'true' ||
@ -176,6 +197,7 @@ jobs:
              steps.cache-wolfssl.outputs.cache-hit != 'true' ||
              steps.cache-nghttp3.outputs.cache-hit != 'true' ||
              steps.cache-ngtcp2.outputs.cache-hit != 'true' ||
+              steps.cache-ngtcp2-openssl4.outputs.cache-hit != 'true' ||
              steps.cache-ngtcp2-boringssl.outputs.cache-hit != 'true' ||
              steps.cache-nghttp2.outputs.cache-hit != 'true' }}

@ -206,6 +228,16 @@ jobs:
          make
          make -j1 install_sw

+      - name: 'build openssl4'
+        if: ${{ steps.cache-openssl4-http3-no-deprecated.outputs.cache-hit != 'true' }}
+        run: |
+          cd ~
+          git clone --quiet --depth 1 -b "openssl-${OPENSSL4_VERSION}" https://github.com/openssl/openssl openssl4
+          cd openssl4
+          ./config --prefix="$PWD"/build --libdir=lib no-makedepend no-apps no-docs no-tests no-deprecated
+          make
+          make -j1 install_sw
+
      - name: 'build libressl'
        if: ${{ steps.cache-libressl.outputs.cache-hit != 'true' }}
        run: |
@ -317,6 +349,18 @@ jobs:
            BORINGSSL_CFLAGS='-I/home/runner/awslc/build/include'
          make install

+      - name: 'build ngtcp2 openssl4'
+        if: ${{ steps.cache-ngtcp2-openssl4.outputs.cache-hit != 'true' }}
+        run: |
+          cd ~
+          git clone --quiet --depth 1 -b "v${NGTCP2_VERSION}" https://github.com/ngtcp2/ngtcp2 ngtcp2-openssl4
+          cd ngtcp2-openssl4
+          autoreconf -fi
+          ./configure --disable-dependency-tracking --prefix="$PWD"/build --enable-lib-only \
+            PKG_CONFIG_PATH=/home/runner/openssl4/build/lib/pkgconfig \
+            --with-openssl
+          make install
+
      - name: 'build ngtcp2 boringssl'
        if: ${{ steps.cache-ngtcp2-boringssl.outputs.cache-hit != 'true' }}
        run: |
@ -376,6 +420,26 @@ jobs:
              -DCURL_DISABLE_LDAP=ON
              -DCMAKE_UNITY_BUILD=ON

+          - name: 'openssl4'
+            install_steps: skipall
+            LDFLAGS: -Wl,-rpath,/home/runner/openssl4/build/lib
+            PKG_CONFIG_PATH: "/home/runner/openssl4/build/lib/pkgconfig:\
+              /home/runner/nghttp3/build/lib/pkgconfig:\
+              /home/runner/nghttp2-openssl4/build/lib/pkgconfig"
+            configure: >-
+              --with-openssl=/home/runner/openssl4/build --with-ngtcp2=/home/runner/ngtcp2-openssl4/build --enable-ech --enable-ssls-export
+
+          - name: 'openssl4'
+            tflags: '--min=1640'
+            PKG_CONFIG_PATH: "/home/runner/openssl4/build/lib/pkgconfig:\
+              /home/runner/nghttp3/build/lib/pkgconfig:\
+              /home/runner/ngtcp2-openssl4/build/lib/pkgconfig:\
+              /home/runner/nghttp2/build/lib/pkgconfig"
+            generate: >-
+              -DOPENSSL_ROOT_DIR=/home/runner/openssl4/build -DUSE_NGTCP2=ON
+              -DCURL_DISABLE_LDAP=ON
+              -DUSE_ECH=ON
+
          - name: 'libressl'
            install_steps: skipall
            LDFLAGS: -Wl,-rpath,/home/runner/libressl/build/lib
@ -509,6 +573,17 @@ jobs:
          key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.OPENSSL_VERSION }}
          fail-on-cache-miss: true

+      - name: 'cache openssl4'
+        if: ${{ contains(matrix.build.name, 'openssl4') }}
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        id: cache-openssl4-http3-no-deprecated
+        env:
+          cache-name: cache-openssl4-http3-no-deprecated
+        with:
+          path: ~/openssl4/build
+          key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.OPENSSL_VERSION }}
+          fail-on-cache-miss: true
+
      - name: 'cache libressl'
        if: ${{ contains(matrix.build.name, 'libressl') }}
        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
@ -596,6 +671,17 @@ jobs:
            ${{ env.LIBRESSL_VERSION }}-${{ env.AWSLC_VERSION }}-${{ env.NETTLE_VERSION }}-${{ env.GNUTLS_VERSION }}-${{ env.WOLFSSL_VERSION }}"
          fail-on-cache-miss: true

+      - name: 'cache ngtcp2 openssl4'
+        if: ${{ contains(matrix.build.name, 'openssl4') }}
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        id: cache-ngtcp2-openssl4
+        env:
+          cache-name: cache-ngtcp2-openssl4
+        with:
+          path: ~/ngtcp2-openssl4/build
+          key: ${{ runner.os }}-http3-build-${{ env.cache-name }}-${{ env.NGTCP2_VERSION }}-${{ env.BORINGSSL_VERSION }}
+          fail-on-cache-miss: true
+
      - name: 'cache ngtcp2 boringssl'
        if: ${{ contains(matrix.build.name, 'boringssl') }}
        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3