4.5 KiB
Using OpenSSL with QUIC
From OpenSSL 3.2, OpenSSL features support for making QUIC connections as a client.
Users interested in using the new QUIC functionality are encouraged to look at some of the following resources:
- The openssl-quic(7) manual page, which provides a basic reference overview of QUIC functionality and how use of QUIC differs from use of TLS with regard to our API;
- The new OpenSSL Guide, which provides introductory guides on the use of TLS, QUIC, and other OpenSSL functionality. See the ossl-guide-introduction(7) manual page for the index.
- The Demo-Driven Design (DDD) demos, which demonstrate the use of QUIC
using simple examples. These can be found in the source tree under
doc/designs/ddd
. - The demo found in
demos/http3
, which provides an HTTP/3 client example using the nghttp3 HTTP/3 library.
FAQ
Why would I want to use QUIC, and what functionality does QUIC offer relative to TLS or DTLS?
QUIC is a state-of-the-art secure transport protocol carried over UDP. It can serve many of the use cases of TLS as well as those of DTLS. QUIC delivers a number of advantages:
-
It supports multiple streams of communication, allowing application protocols built on QUIC to create arbitrarily many bytestreams for communication between a client and server. This allows an application protocol to avoid head-of-line blocking and allows an application to open additional logical streams without any round trip penalty, unlike opening an additional TCP connection.
-
Since QUIC is the basis of HTTP/3, support for QUIC also enables applications to use HTTP/3 using a suitable third-party library.
-
Future versions of OpenSSL will offer support for 0-RTT connection initiation, allowing a connection to be initiated to a server and application data to be transmitted without any waiting time. This is similar to TLS 1.3's 0-RTT functionality but also avoids the round trip needed to open a TCP socket; thus, it is similar to a combination of TLS 1.3 0-RTT and TCP Fast Open.
-
Future versions of OpenSSL will offer support for connection migration, allowing connections to seamlessly survive IP address changes.
-
Future versions of OpenSSL will offer support for the QUIC datagram extension, allowing support for both TLS and DTLS-style use cases on a single connection.
-
Because most QUIC implementations, including OpenSSL's implementation, are implemented as an application library rather than by an operating system, an application can gain the benefit of QUIC without needing to wait for an OS update to be deployed. Future evolutions and enhancements to the QUIC protocol can be delivered as quickly as an application can be updated without dependency on an OS update cadence.
-
Because QUIC is UDP-based, it is possible to multiplex a QUIC connection on the same UDP socket as some other UDP-based protocols, such as RTP.
For more background information on OpenSSL's QUIC implementation, see the openssl-quic(7) manual page.
How can I use HTTP/3 with OpenSSL?
There are many HTTP/3 implementations in C available. The use of one such HTTP/3
library with OpenSSL QUIC is demonstrated via the demo found in demos/http3
.
How can I use OpenSSL QUIC in my own application for a different protocol?
The OpenSSL Guide provides introductory examples for how to make use of OpenSSL QUIC.
The openssl-quic(7) manual page and the Demo-Driven Design (DDD) demos may also be helpful to illustrate the changes needed if you are trying to adapt an existing application.
How can I test QUIC using openssl s_client
?
There is basic support for single-stream QUIC using openssl s_client
:
$ openssl s_client -quic -alpn ossltest -connect www.example.com:12345
This connects to a QUIC server using the specified ALPN protocol name and opens a single bidirectional stream. Data can be passed via stdin/stdout as usual. This allows test usage of QUIC using simple TCP/TLS-like usage.