Add QUIC + HTTP/3 with OpenSSL or LIbreSSL in available mainline (1.25.0+)

Question

Add QUIC + HTTP/3 with OpenSSL or LIbreSSL in available mainline (1.25.0+)

frankpanduh opened this issue a year ago · 4 comments

Feature Request add QUIC + HTTP/3 in NGINX Mainline

Add QUIC + HTTP/3 Support with LibreSSL.
Support was officially added to the mainline branch in 1.25.0 with LibreSSL.

(source: https://nginx.org/en/docs/quic.html )

Add early support for HTTP/3 with OpenSSL in mainline.
Offical support without patches in mainline. Note that 0-RTT over QUIC is not supported at the moment with OpenSSL.

Cloudflare does offer a patch to NGINX for QUIC with respect to 425 (too early) requests.
NGINX (1.16.1) + Quiche + BoringSSL (experimental):
https://blog.cloudflare.com/experiment-with-http-3-using-nginx-and-quiche/ .
https://blog.cloudflare.com/even-faster-connection-establishment-with-quic-0-rtt-resumption/

Describe the solution you'd like

A bump to support HTTP/3 and QUIC. I know the builder only uses OpenSSL and LibreSSL but would be neat to add future support for optional build with BoringSSL for use with Cloudflare quiche.

According to NGINX "Support for QUIC and HTTP/3 protocols is available since 1.25.0. Also, since 1.25.0, the QUIC and HTTP/3 support is available in Linux binary packages."

Alternatively, nginx can be configured with a modern version of LibreSSL:
(source: nginx.org - https://nginx.org/en/docs/quic.html)

    ./configure
        --with-debug
        --with-http_v3_module
        --with-cc-opt="-I../libressl/build/include"
        --with-ld-opt="-L../libressl/build/lib"

A note on early support using OpenSSL with 0-RTT:
Should be able to build natively in mainline however no support for 0-RTT over QUIC with OpenSSL.

(source: https://www.nginx.com/blog/quic-http3-support-openssl-nginx/ )

But this is likely okay for most projects considering 425 requests require extra setup and reading for security. See Replay Attacks on 0-RTT in further reading.

Some notes / further reading on this:

https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data - NGINX SSL early data
https://datatracker.ietf.org/doc/html/rfc8470 - Using Early Data in HTTP by ietf.org
https://blog.cloudflare.com/even-faster-connection-establishment-with-quic-0-rtt-resumption/ - Cloudflare QUIC + 0-RTT Article outlines some attack examples
https://news.ycombinator.com/item?id=16667036 - Replay Attacks on 0-RTT (Thread)
https://ieeexplore.ieee.org/document/7961952 - Replay Attacks on Zero Round-Trip Time: The Case of the TLS 1.3 Handshake Candidates (ieee.org)
https://www.nginx.com/blog/primer-quic-networking-encryption-in-nginx/ - A Primer on QUIC Networking and Encryption in NGINX

Answer 1 · 2023-11-30T06:52:07.000Z

Hello @frankpanduh,
yes QUIC + HTTP/3 support is planned. I will try with LibreSSLL at first, because it's already supported by my script and I already tried without success with BoringSSL.

Answer 2 · 2023-12-02T06:19:01.000Z

Hello @frankpanduh,
yes QUIC + HTTP/3 support is planned. I will try with LibreSSLL at first, because it's already supported by my script and I already tried without success with BoringSSL.

Awesome news!, yes. Go with LibreSSL.

Thanks for keeping this script active and updated and be improved with new stuff or optimizations.

Answer 3 · 2024-04-23T23:50:10.000Z

HTTP/3 is now available !

Answer 4 · 2024-05-05T19:19:06.000Z

HTTP/3 is now available !

TYSM!!