1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
|
Using OpenSSL with QUIC
=======================
From OpenSSL 3.2, OpenSSL features support for making QUIC connections as a
client.
Users interested in using the new QUIC functionality are encouraged to look at
some of the following resources:
- The [openssl-quic(7) manual page], which provides a basic reference overview
of QUIC functionality and how use of QUIC differs from use of TLS with regard
to our API;
- The new [OpenSSL Guide], which provides introductory guides
on the use of TLS, QUIC, and other OpenSSL functionality. See the
[ossl-guide-introduction(7) manual page][OpenSSL Guide] for the index.
- The [Demo-Driven Design (DDD)][DDD] demos, which demonstrate the use of QUIC
using simple examples. These can be [found in the source tree under
`doc/designs/ddd`].
- The [demo found in `demos/http3`], which provides an HTTP/3 client example
using the nghttp3 HTTP/3 library.
FAQ
---
### Why would I want to use QUIC, and what functionality does QUIC offer relative to TLS or DTLS?
QUIC is a state-of-the-art secure transport protocol carried over UDP. It can
serve many of the use cases of TLS as well as those of DTLS. QUIC delivers
a number of advantages:
- It supports multiple streams of communication, allowing application protocols
built on QUIC to create arbitrarily many bytestreams for communication between
a client and server. This allows an application protocol to avoid head-of-line
blocking and allows an application to open additional logical streams without
any round trip penalty, unlike opening an additional TCP connection.
- Since QUIC is the basis of HTTP/3, support for QUIC also enables applications
to use HTTP/3 using a suitable third-party library.
- Future versions of OpenSSL will offer support for 0-RTT connection
initiation, allowing a connection to be initiated to a server and application
data to be transmitted without any waiting time. This is similar to TLS 1.3's
0-RTT functionality but also avoids the round trip needed to open a TCP
socket; thus, it is similar to a combination of TLS 1.3 0-RTT and TCP Fast
Open.
- Future versions of OpenSSL will offer support for connection
migration, allowing connections to seamlessly survive IP address changes.
- Future versions of OpenSSL will offer support for the QUIC
datagram extension, allowing support for both TLS and DTLS-style use cases on
a single connection.
- Because most QUIC implementations, including OpenSSL's implementation, are
implemented as an application library rather than by an operating system, an
application can gain the benefit of QUIC without needing to wait for an OS
update to be deployed. Future evolutions and enhancements to the QUIC protocol
can be delivered as quickly as an application can be updated without
dependency on an OS update cadence.
- Because QUIC is UDP-based, it is possible to multiplex a QUIC connection
on the same UDP socket as some other UDP-based protocols, such as RTP.
For more background information on OpenSSL's QUIC implementation, see the
[openssl-quic(7) manual page].
### How can I use HTTP/3 with OpenSSL?
There are many HTTP/3 implementations in C available. The use of one such HTTP/3
library with OpenSSL QUIC is demonstrated via the [demo found in `demos/http3`].
### How can I use OpenSSL QUIC in my own application for a different protocol?
The [OpenSSL Guide] provides introductory examples for how to make use of
OpenSSL QUIC.
The [openssl-quic(7) manual page] and the [Demo-Driven Design (DDD)][DDD] demos
may also be helpful to illustrate the changes needed if you are trying to adapt
an existing application.
### How can I test QUIC using `openssl s_client`?
There is basic support for single-stream QUIC using `openssl s_client`:
```shell
$ openssl s_client -quic -alpn ossltest -connect www.example.com:12345
```
This connects to a QUIC server using the specified ALPN protocol name and opens
a single bidirectional stream. Data can be passed via stdin/stdout as usual.
This allows test usage of QUIC using simple TCP/TLS-like usage.
[openssl-quic(7) manual page]: https://www.openssl.org/docs/manmaster/man7/openssl-quic.html
[OpenSSL guide]: https://www.openssl.org/docs/manmaster/man7/ossl-guide-introduction.html
[DDD]: https://github.com/openssl/openssl/tree/master/doc/designs/ddd
[found in the source tree under `doc/designs/ddd`]: ./doc/designs/ddd/
[demo found in `demos/http3`]: ./demos/http3/
[openssl-quic-background(7) manual page]: https://www.openssl.org/docs/manmaster/man7/openssl-quic-background.html
|
