
quic: gate mbedtls_ssl_get_alpn_protocol on LWS_HAVE probe #3598

Closed
vikramdattu wants to merge 5 commits into warmcat:main from vikramdattu:fix/quic-alpn-guard

@vikramdattu

Contributor

crypto-quic.c calls mbedtls_ssl_get_alpn_protocol() unconditionally
under LWS_WITH_MBEDTLS, but ssl_pm.c:1054 already guards the same
call behind LWS_HAVE_mbedtls_ssl_get_alpn_protocol. With an mbedtls
build that lacks the symbol (e.g. mbedtls 4.x where ALPN access
changed), QUIC linking fails with an undefined-symbol error.

Mirror the ssl_pm.c pattern so prot stays NULL and the
surrounding if (plen) branch is a clean no-op when the probe says
the symbol is unavailable. Two-line patch.
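
The guard pattern described above, as an added sketch that is not the code from this pull request or from libwebsockets. The struct, the DEMO_HAVE_get_alpn_protocol macro, both function names and what the if (plen) branch does with the name (a bounded copy) are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-ins for illustration: not mbedtls or libwebsockets code. */
struct demo_ssl {
	const char *negotiated;	/* ALPN name chosen in the handshake, or NULL */
};

/*
 * Hypothetical probe macro, modelled on the LWS_HAVE_... probe named above.
 * The build system defines it only when the TLS library exports the getter.
 * Remove this line to model a library that lacks the symbol.
 */
#define DEMO_HAVE_get_alpn_protocol

#if defined(DEMO_HAVE_get_alpn_protocol)
/* Stand-in for the library getter; absent entirely when the probe fails. */
static const char *demo_get_alpn_protocol(const struct demo_ssl *ssl)
{
	return ssl->negotiated;
}
#endif

/*
 * Copy the negotiated ALPN name into out as a NUL-terminated string.
 * Returns the name length, or 0 if no name is available or it does not fit.
 */
size_t demo_copy_alpn(const struct demo_ssl *ssl, char *out, size_t out_len)
{
	const char *prot = NULL;
	size_t plen = 0;

#if defined(DEMO_HAVE_get_alpn_protocol)
	/* The only reference to the optional symbol sits inside the guard. */
	prot = demo_get_alpn_protocol(ssl);
#else
	(void)ssl;	/* no getter: prot stays NULL */
#endif
	if (prot)
		plen = strlen(prot);

	if (plen) {	/* skipped when prot is NULL or empty */
		if (plen >= out_len)
			return 0;	/* refuse to truncate a protocol name */
		memcpy(out, prot, plen + 1);
	}

	return plen;
}
```

With the macro removed, nothing in the translation unit references the getter, so the link step has no undefined symbol to resolve and every call takes the same path as the NULL case.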

lws-team and others added 5 commits May 31, 2026 19:35
context.c:1375, lws_plat_init returns false because there is
not enough memory, then the call to elops_destroy_context1_uv will crash.
crypto-quic.c calls mbedtls_ssl_get_alpn_protocol() unconditionally
under LWS_WITH_MBEDTLS, but ssl_pm.c already guards the same call
behind LWS_HAVE_mbedtls_ssl_get_alpn_protocol. With an mbedtls build
that lacks the symbol (e.g. mbedtls 4.x where ALPN access changed),
QUIC linking fails.

Mirror the ssl_pm.c pattern so prot stays NULL and the surrounding
if (plen) branch is a clean no-op when the probe says the symbol
is unavailable.
@vikramdattu

Contributor Author

@lws-team PTAL, would it make sense to add a CI entry just for this? Let me know if needed.

@lws-team lws-team force-pushed the main branch 24 times, most recently from c6ac0b1 to a564cf6 Compare June 8, 2026 03:56
@lws-team lws-team force-pushed the main branch 2 times, most recently from 3e8ec88 to 46886c8 Compare June 9, 2026 14:54
@lws-team

lws-team commented Jun 9, 2026

Member

Thanks, this is on main now.

FWIW AFAIK no upstream mbedtls can do quic / h3. However I have a patch series

https://libwebsockets.org/git/mbedtls/log?h=development

which adds the missing pieces to upstream development branch, and it's tested in Linux + lws main branch and seems functional.

I plan to look into your new idf-6 with this next week, if you're interested you're very welcome to try it first.

@lws-team lws-team closed this Jun 9, 2026
@vikramdattu

vikramdattu commented Jun 9, 2026

Contributor Author

Thanks for getting these onto main, Andy! For ESP-IDF v6 we're on stock IDF mbedTLS 4 and only use lws for the WSS signaling channel (plain TLS, no QUIC/H3).
All these fixes should unblock mbedtls support on Amazon KVS SDK as well IMO. PR link

So the quic/h3 mbedtls series isn't in the path, and hence, I would not be able to have useful contributions there. My related changes mostly on quic were to guard the usage properly.
Happy to get your feedback on espressif/esp-protocols#1070
