1=pod 2 3=head1 NAME 4 5ossl-guide-quic-introduction 6- OpenSSL Guide: An introduction to QUIC in OpenSSL 7 8=head1 INTRODUCTION 9 10This page will provide an introduction to some basic QUIC concepts and 11background and how it is used within OpenSSL. It assumes that you have a basic 12understanding of UDP/IP and sockets. It also assumes that you are familiar with 13some OpenSSL and TLS fundamentals (see L<ossl-guide-libraries-introduction(7)> 14and L<ossl-guide-tls-introduction(7)>). 15 16=head1 WHAT IS QUIC? 17 18QUIC is a general purpose protocol for enabling applications to securely 19communicate over a network. It is defined in RFC9000 (see 20L<https://datatracker.ietf.org/doc/rfc9000/>). QUIC integrates parts of the 21TLS protocol for connection establishment but independently protects packets. 22It provides similar security guarantees to TLS such as confidentiality, 23integrity and authentication (see L<ossl-guide-tls-introduction(7)>). 24 25QUIC delivers a number of advantages: 26 27=over 4 28 29=item Multiple streams 30 31It supports multiple streams of communication (see L</QUIC STREAMS> below), 32allowing application protocols built on QUIC to create arbitrarily many 33bytestreams for communication between a client and server. This allows an 34application protocol to avoid problems where one packet of data is held up 35waiting on another packet being delivered (commonly referred to as 36"head-of-line blocking"). It also enables an application to open additional 37logical streams without requiring a round-trip exchange of packets between the 38client and server as is required when opening an additional TLS/TCP 39connection. 40 41=item HTTP/3 42 43Since QUIC is the basis of HTTP/3, support for QUIC also enables applications 44to use HTTP/3 using a suitable third-party library. 45 46=item Fast connection initiation 47 48Future versions of OpenSSL will offer support for 0-RTT connection initiation, 49allowing a connection to be initiated to a server and application data to be 50transmitted without any waiting time. This is similar to TLS 1.3's 0-RTT 51functionality but also avoids the round trip needed to open a TCP socket; thus, 52it is similar to a combination of TLS 1.3 0-RTT and TCP Fast Open. 53 54=item Connection migration 55 56Future versions of OpenSSL will offer support for connection migration, allowing 57connections to seamlessly survive IP address changes. 58 59=item Datagram based use cases 60 61Future versions of OpenSSL will offer support for the QUIC datagram extension, 62allowing support for both TLS and DTLS-style use cases on a single connection. 63 64=item Implemented as application library 65 66Because most QUIC implementations, including OpenSSL's implementation, are 67implemented as an application library rather than by an operating system, an 68application can gain the benefit of QUIC without needing to wait for an OS 69update to be deployed. Future evolutions and enhancements to the QUIC protocol 70can be delivered as quickly as an application can be updated without dependency 71on an OS update cadence. 72 73=item Multiplexing over a single UDP socket 74 75Because QUIC is UDP-based, it is possible to multiplex a QUIC connection on the 76same UDP socket as some other UDP-based protocols, such as RTP. 77 78=back 79 80=head1 QUIC TIME BASED EVENTS 81 82A key difference between the TLS implementation and the QUIC implementation in 83OpenSSL is how time is handled. The QUIC protocol requires various actions to be 84performed on a regular basis regardless of whether application data is being 85transmitted or received. 86 87OpenSSL introduces a new function L<SSL_handle_events(3)> that will 88automatically process any outstanding time based events that must be handled. 89Alternatively calling any I/O function such as L<SSL_read_ex(3)> or 90L<SSL_write_ex(3)> will also process these events. There is also 91L<SSL_get_event_timeout(3)> which tells an application the amount of time that 92remains until L<SSL_handle_events(3)> (or any I/O function) must be called. 93 94Fortunately a blocking application that does not leave the QUIC connection idle, 95and is regularly calling I/O functions does not typically need to worry about 96this. However if you are developing a nonblocking application or one that may 97leave the QUIC connection idle for a period of time then you will need to 98arrange to call these functions. 99 100OpenSSL provides an optional "thread assisted mode" that will automatically 101create a background thread and will regularly call L<SSL_handle_events(3)> in a 102thread safe manner. This provides a simple way for an application to satisfy the 103QUIC requirements for time based events without having to implement special 104logic to accomplish it. 105 106=head1 QUIC AND TLS 107 108QUIC reuses parts of the TLS protocol in its implementation. Specifically the 109TLS handshake also exists in QUIC. The TLS handshake messages are wrapped up in 110QUIC protocol messages in order to send them to the peer. Once the TLS handshake 111is complete all application data is sent entirely using QUIC protocol messages 112without using TLS - although some TLS handshake messages may still be sent in 113some circumstances. 114 115This relationship between QUIC and TLS means that many of the API functions in 116OpenSSL that apply to TLS connections also apply to QUIC connections and 117applications can use them in exactly the same way. Some functions do not apply 118to QUIC at all, and others have altered semantics. You should refer to the 119documentation pages for each function for information on how it applies to QUIC. 120Typically if QUIC is not mentioned in the manual pages then the functions apply 121to both TLS and QUIC. 122 123=head1 QUIC STREAMS 124 125QUIC introduces the concept of "streams". A stream provides a reliable 126mechanism for sending and receiving application data between the endpoints. The 127bytes transmitted are guaranteed to be received in the same order they were sent 128without any loss of data or reordering of the bytes. A TLS application 129effectively has one bi-directional stream available to it per TLS connection. A 130QUIC application can have multiple uni-directional or bi-directional streams 131available to it for each connection. 132 133In OpenSSL an B<SSL> object is used to represent both connections and streams. 134A QUIC application creates an initial B<SSL> object to represent the connection 135(known as the connection B<SSL> object). Once the connection is complete 136additional B<SSL> objects can be created to represent streams (known as stream 137B<SSL> objects). Unless configured otherwise, a "default" stream is also 138associated with the connection B<SSL> object so you can still write data and 139read data to/from it. Some OpenSSL API functions can only be used with 140connection B<SSL> objects, and some can only be used with stream B<SSL> objects. 141Check the documentation for each function to confirm what type of B<SSL> object 142can be used in any particular context. A connection B<SSL> object that has a 143default stream attached to it can be used in contexts that require a connection 144B<SSL> object or in contexts that require a stream B<SSL> object. 145 146=head1 SOCKETS AND BLOCKING 147 148TLS assumes "stream" type semantics for its underlying transport layer protocol 149(usually achieved by using TCP). However QUIC assumes "datagram" type semantics 150by using UDP. An OpenSSL application using QUIC is responsible for creating a 151BIO to represent the underlying transport layer. This BIO must support datagrams 152and is typically L<BIO_s_datagram(3)>, but other B<BIO> choices are available. 153See L<bio(7)> for an introduction to OpenSSL's B<BIO> concept. 154 155A significant difference between OpenSSL TLS applications and OpenSSL QUIC 156applications is the way that blocking is implemented. In TLS if your application 157expects blocking behaviour then you configure the underlying socket for 158blocking. Conversely if your application wants nonblocking behaviour then the 159underlying socket is configured to be nonblocking. 160 161With an OpenSSL QUIC application the underlying socket must always be configured 162to be nonblocking. Howevever the B<SSL> object will, by default, still operate 163in blocking mode. So, from an application's perspective, calls to functions such 164as L<SSL_read_ex(3)>, L<SSL_write_ex(3)> and other I/O functions will still 165block. OpenSSL itself provides that blocking capability for QUIC instead of the 166socket. If nonblocking behaviour is desired then the application must call 167L<SSL_set_blocking_mode(3)>. 168 169=head1 FURTHER READING 170 171See L<ossl-guide-quic-client-block(7)> to see an example of applying these 172concepts in order to write a simple blocking QUIC client. 173 174=head1 SEE ALSO 175 176L<ossl-guide-introduction(7)>, L<ossl-guide-libraries-introduction(7)>, 177L<ossl-guide-libssl-introduction(7)>, L<ossl-guide-tls-introduction(7)>, 178L<ossl-guide-tls-client-block(7)>, L<ossl-guide-quic-client-block(7)>, L<bio(7)> 179 180=head1 COPYRIGHT 181 182Copyright 2023 The OpenSSL Project Authors. All Rights Reserved. 183 184Licensed under the Apache License 2.0 (the "License"). You may not use 185this file except in compliance with the License. You can obtain a copy 186in the file LICENSE in the source distribution or at 187L<https://www.openssl.org/source/license.html>. 188 189=cut 190
