
Make the experimental APIs we use permanent fixtures

Open larseggert opened this issue 8 months ago • 5 comments

Something to consider is asking NSS to make the experimental APIs we use permanent fixtures, so that we don't need this at all. A lot of the functions we originally had as experimental were barely experimental 5 years ago, which means that they probably aren't any more.

There's a bit of trickiness to the migration for those for the Rust interface, but as long as SSL_GetExperimentalAPI retains knowledge of the string (mapping it to the public function rather than a private one), the migration should be seamless:

  1. NSS switches to a public function, retaining the string in SSL_GetExperimentalAPI and removing the macro from sslexp.h.
  2. neqo is updated to include the function in bindings. neqo updates the minimum NSS version it depends on.
  3. At some later date, the string is removed from the list that SSL_GetExperimentalAPI uses.

Do you think you could compile a list of functions for which this makes sense to do?

Originally posted by @martinthomson in https://github.com/mozilla/neqo/pull/2618#pullrequestreview-2826624392

larseggert, May 09 '25 13:05
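The three-step plan quoted above rests on one property: while the string is still known to SSL_GetExperimentalAPI, the runtime lookup and the direct binding to the public symbol resolve to the same function, so a caller can switch from one to the other at any point before step 3. The following is an added example, not code from neqo or NSS. It models the library's name-to-function table and the caller-side resolution in plain Rust so the three states can be run offline; the `Nss` struct, `nss_at_step`, `resolve` and the `ssl_hkdf_extract` body are all constructed stand-ins (the real SSL_HkdfExtract has a different signature), and neqo-crypto's actual lookup macro builds the exact C signature per function rather than the uniform `ApiFn` used here.

```rust
// Added example (not neqo or NSS code): a model of how a runtime lookup through
// SSL_GetExperimentalAPI stays valid across the migration steps described above.
// `Nss` is a constructed stand-in for the library; `ssl_hkdf_extract` is a
// hypothetical body standing in for the real SSL_HkdfExtract.

use std::collections::HashMap;

/// Stand-in for NSS's SECStatus (0 = SECSuccess, -1 = SECFailure).
pub type SecStatus = i32;
pub const SEC_SUCCESS: SecStatus = 0;
pub const SEC_FAILURE: SecStatus = -1;

/// Uniform pointer type for this model; the real binding macro uses the exact
/// C signature of each function instead.
pub type ApiFn = fn(&[u8]) -> SecStatus;

/// Hypothetical implementation: succeeds on non-empty input.
pub fn ssl_hkdf_extract(input: &[u8]) -> SecStatus {
    if input.is_empty() { SEC_FAILURE } else { SEC_SUCCESS }
}

/// Constructed stand-in for the library. `experimental` models the table that
/// SSL_GetExperimentalAPI searches; `public` models the symbol exported once
/// step 1 has happened.
pub struct Nss {
    experimental: HashMap<&'static str, ApiFn>,
    public: HashMap<&'static str, ApiFn>,
}

impl Nss {
    /// Model of SSL_GetExperimentalAPI: string lookup, None for an unknown name
    /// (the real call returns a NULL pointer that must be checked before casting).
    pub fn get_experimental_api(&self, name: &str) -> Option<ApiFn> {
        self.experimental.get(name).copied()
    }

    /// Model of a direct binding to the public symbol.
    pub fn public_symbol(&self, name: &str) -> Option<ApiFn> {
        self.public.get(name).copied()
    }
}

/// Caller-side resolution that survives all three steps: prefer the public
/// binding, fall back to the string lookup, and return an error instead of
/// dereferencing a missing function.
pub fn resolve(nss: &Nss, name: &str) -> Result<ApiFn, String> {
    nss.public_symbol(name)
        .or_else(|| nss.get_experimental_api(name))
        .ok_or_else(|| format!("{name}: not available in this NSS"))
}

/// A caller that only knows the old, lookup-based path; this is what breaks
/// at step 3 if the binding was never updated.
pub fn call_via_lookup_only(nss: &Nss, input: &[u8]) -> SecStatus {
    match nss.get_experimental_api("SSL_HkdfExtract") {
        Some(f) => f(input),
        None => SEC_FAILURE, // what the sslexp.h macro returns for an unknown name
    }
}

/// The library states from the migration plan, as constructed data:
/// 0 = before (experimental only), 1/2 = public symbol plus retained string,
/// 3 = string removed, public symbol only.
pub fn nss_at_step(step: u8) -> Nss {
    let name = "SSL_HkdfExtract";
    let f: ApiFn = ssl_hkdf_extract;
    let mut experimental = HashMap::new();
    let mut public = HashMap::new();
    match step {
        0 => {
            experimental.insert(name, f);
        }
        1 | 2 => {
            experimental.insert(name, f);
            public.insert(name, f);
        }
        _ => {
            public.insert(name, f);
        }
    }
    Nss { experimental, public }
}

fn main() {
    for step in [0u8, 1, 3] {
        let nss = nss_at_step(step);
        match resolve(&nss, "SSL_HkdfExtract") {
            Ok(f) => println!("step {step}: resolved, call -> {}", f(b"ikm")),
            Err(e) => println!("step {step}: {e}"),
        }
        println!("step {step}: lookup-only caller -> {}", call_via_lookup_only(&nss, b"ikm"));
    }
}
```

The check worth keeping from this model is the NULL handling: a lookup for a name that has been dropped from the table returns nothing, and a binding that casts that result unconditionally would crash at step 3 rather than fail cleanly, which is why the bindings update in step 2 has to land before the string is removed.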

Here are the experimental functions called during the test suite, which should be all:

SSL_AeadDecrypt
SSL_AeadEncrypt
SSL_CreateAntiReplayContext
SSL_DestroyAead
SSL_DestroyResumptionTokenInfo
SSL_EncodeEchConfigId
SSL_GetEchRetryConfigs
SSL_GetResumptionTokenInfo
SSL_HelloRetryRequestCallback
SSL_HkdfExpandLabel
SSL_HkdfExpandLabelWithMech
SSL_HkdfExtract
SSL_InstallExtensionHooks
SSL_MakeAead
SSL_PeerCertificateChainDER
SSL_RecordLayerData
SSL_RecordLayerWriteCallback
SSL_ReleaseAntiReplayContext
SSL_SecretCallback
SSL_SendSessionTicket
SSL_SetAntiReplayContext
SSL_SetClientEchConfigs
SSL_SetMaxEarlyDataSize
SSL_SetResumptionToken
SSL_SetResumptionTokenCallback
SSL_SetServerEchConfigs
SSL_SetTimeFunc

@dennisjackson @jschanck would you be able to add those to the normal NSS API in the way @martinthomson suggested?

@Frosne will #2592 add to the list above?

larseggert, May 09 '25 13:05

Filed as Bug 1965496.

dennisjackson, May 09 '25 14:05

Yes! It's the function "SSL_SetCertificateCompressionAlgorithm" that's experimental.

Frosne, May 12 '25 11:05

We could keep some, like SSL_SetCertificateCompressionAlgorithm, for now. It's still quite new. Those other ones are no longer experiments though.

martinthomson, May 12 '25 12:05

A new one to add: SSL_CallExtensionWriterOnEchInner, which I just started to use.

martinthomson, May 26 '25 06:05