Using OpenSSL with QUIC
=======================

From OpenSSL 3.2, OpenSSL features support for making QUIC connections as a
client.

Users interested in using the new QUIC functionality are encouraged to look at
some of the following resources:

- The [openssl-quic(7) manual page], which provides a basic reference overview
  of QUIC functionality and how use of QUIC differs from use of TLS with regard
  to our API;
- The new [OpenSSL Guide], which provides introductory guides
  on the use of TLS, QUIC, and other OpenSSL functionality. See the
  [ossl-guide-introduction(7) manual page][OpenSSL Guide] for the index.
- The [Demo-Driven Design (DDD)][DDD] demos, which demonstrate the use of QUIC
  using simple examples. These can be [found in the source tree under
  `doc/designs/ddd`].
- The [demo found in `demos/http3`], which provides an HTTP/3 client example
  using the nghttp3 HTTP/3 library.

FAQ
---

### Why would I want to use QUIC, and what functionality does QUIC offer relative to TLS or DTLS?

QUIC is a state-of-the-art secure transport protocol carried over UDP. It can
serve many of the use cases of TLS as well as those of DTLS. QUIC delivers
a number of advantages:

- It supports multiple streams of communication, allowing application protocols
  built on QUIC to create arbitrarily many bytestreams for communication between
  a client and server. This allows an application protocol to avoid head-of-line
  blocking and allows an application to open additional logical streams without
  any round trip penalty, unlike opening an additional TCP connection.

- Since QUIC is the basis of HTTP/3, support for QUIC also enables applications
  to use HTTP/3 using a suitable third-party library.

- Future versions of OpenSSL will offer support for 0-RTT connection
  initiation, allowing a connection to be initiated to a server and application
  data to be transmitted without any waiting time. This is similar to TLS 1.3's
  0-RTT functionality but also avoids the round trip needed to open a TCP
  socket; thus, it is similar to a combination of TLS 1.3 0-RTT and TCP Fast
  Open.

- Future versions of OpenSSL will offer support for connection
  migration, allowing connections to seamlessly survive IP address changes.

- Future versions of OpenSSL will offer support for the QUIC
  datagram extension, allowing support for both TLS and DTLS-style use cases on
  a single connection.

- Because most QUIC implementations, including OpenSSL's implementation, are
  implemented as an application library rather than by an operating system, an
  application can gain the benefit of QUIC without needing to wait for an OS
  update to be deployed. Future evolutions and enhancements to the QUIC protocol
  can be delivered as quickly as an application can be updated without
  dependency on an OS update cadence.

- Because QUIC is UDP-based, it is possible to multiplex a QUIC connection
  on the same UDP socket as some other UDP-based protocols, such as RTP.

For more background information on OpenSSL's QUIC implementation, see the
[openssl-quic(7) manual page].

### How can I use HTTP/3 with OpenSSL?

There are many HTTP/3 implementations in C available. The use of one such HTTP/3
library with OpenSSL QUIC is demonstrated via the [demo found in `demos/http3`].

### How can I use OpenSSL QUIC in my own application for a different protocol?

The [OpenSSL Guide] provides introductory examples for how to make use of
OpenSSL QUIC.

The [openssl-quic(7) manual page] and the [Demo-Driven Design (DDD)][DDD] demos
may also be helpful to illustrate the changes needed if you are trying to adapt
an existing application.

### How can I test QUIC using `openssl s_client`?

There is basic support for single-stream QUIC using `openssl s_client`:

```shell
$ openssl s_client -quic -alpn ossltest -connect www.example.com:12345
```

This connects to a QUIC server using the specified ALPN protocol name and opens
a single bidirectional stream. Data can be passed via stdin/stdout as usual.
This allows QUIC to be tested with the same simple stdin/stdout workflow used
for TCP/TLS.

[openssl-quic(7) manual page]: https://www.openssl.org/docs/manmaster/man7/openssl-quic.html
[OpenSSL Guide]: https://www.openssl.org/docs/manmaster/man7/ossl-guide-introduction.html
[DDD]: https://github.com/openssl/openssl/tree/master/doc/designs/ddd
[found in the source tree under `doc/designs/ddd`]: ./doc/designs/ddd/
[demo found in `demos/http3`]: ./demos/http3/
[openssl-quic-background(7) manual page]: https://www.openssl.org/docs/manmaster/man7/openssl-quic-background.html