OpenSSL HTTP/3 QUIC Support Not Landing In OpenSSL Until 3.1

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, Feb 8, 2020.

  1. eva2000

    eva2000 Administrator Staff Member

    An OpenSSL pull request discussion at WIP: master QUIC support by tmshort · Pull Request #8797 · openssl/openssl reveals that OpenSSL folks have no plans to add HTTP/3 QUIC support into OpenSSL until at least OpenSSL 3.1, which would be due in 2021. This most likely means Nginx 1.17 mainline HTTP/3 QUIC development on their Nginx roadmap isn't going to progress anytime soon, as Nginx historically only lands features supported in OpenSSL. So that means the only current Nginx implementation of HTTP/3 QUIC out there that we can use right now, or at least test with, is Cloudflare's Quiche BoringSSL HTTP/3 QUIC Nginx patches, which I started testing for Centmin Mod Nginx at https://community.centminmod.com/threads/centmin-mod-nginx-with-cloudflare-http-3-nginx-patch.18482/. However, the Quiche + BoringSSL library doesn't support OCSP stapling for better HTTPS performance like OpenSSL does out of the box. This means for sites to get HTTP/3 QUIC support right now, it is best to use Cloudflare proxy and Cloudflare SSL in front of your Centmin Mod Nginx sites.

    OpenSSL folks posted a blog in November 2019 about the current state of OpenSSL 3.0 development, which is the next major OpenSSL version after the current OpenSSL 1.1.1 (which Centmin Mod Nginx uses by default).

    Regarding OpenSSL 3.0
    From OpenSSL pull request latest comment at WIP: master QUIC support by tmshort · Pull Request #8797 · openssl/openssl
    curl's main developer Daniel Stenberg is for adding HTTP/3 QUIC support to OpenSSL sooner, and his comments are at WIP: master QUIC support by tmshort · Pull Request #8797 · openssl/openssl
     
  2. eva2000

    eva2000 Administrator Staff Member

    For folks wanting to know more about HTTP/3, Daniel Stenberg (main curl developer) gave a talk at FOSDEM 2020 in Brussels below

     
  3. Xon

    Xon Active Member

    To be honest, this has been OpenSSL for the longest time for any contributions from the wider community
     
  4. eva2000

    eva2000 Administrator Staff Member

    Yeah it was the same when they were developing OpenSSL 1.1.1 and TLSv1.3 IIRC. I sort of understand being a developer of my own open source Centmin Mod project though :) One thing I am amazed to observe with popular open source projects is how they deal with the issues of having too many cooks in the kitchen :D

    Though I am not at that stage where I get a lot of code level/feature contributions yet. But probably something to juggle further down the road - if I am lucky enough :D
     
  5. buik

    buik “Winners never quit, and quitters never win.” Premium Member

    One of the real few drawbacks of open source feature project management. Various companies make employees available (in working hours).

    Because each company has its own interest and not always a common interest, you'll quickly get a mess (conflict of interest).
     
  6. eva2000

    eva2000 Administrator Staff Member

    Ah overlooked that factor too. Though I can't see any company not wanting HTTP/3 QUIC support.
     
  7. buik

    buik “Winners never quit, and quitters never win.” Premium Member

    Simple. The priority is with FIPS at this version 3 release.
    OpenSSL is sponsored by large American companies like Akamai Technologies (making developers available) et al.
    As FIPS is a U.S. government computer security standard.

    FIPS gets priority.
    Because it's a pretty thingy in the US.

    It looks like there is just no more room for HTTP/3, to get the job done for release 3.0.

    Daniel Stenberg is from Europe, FIPS has 0 weight in Europe so it makes sense that he has other priorities.
     
  8. Xon

    Xon Active Member

    From memory, a large chunk of OpenSSL's core development team are employees of an OpenSSL FIPS consulting company.

    FIPS is basically a security standard which chooses really fucking horrible defaults; but is the one certified for US government contracting.
     
  9. eva2000

    eva2000 Administrator Staff Member

    Yeah I guess the fact is priorities and agendas will dictate when and what is added eventually.

    2021 isn't that long away though so who knows :)
     
  10. buik

    buik “Winners never quit, and quitters never win.” Premium Member

    We can see it as a bit positive because HTTP/3 is not yet a definitive standard.
    Until then it does not matter what OpenSSL does and even does not matter what Nginx does.

    Given the history with other standards (for example TLS 1.3), it can take a while before HTTP/3 is final as an IETF standard and later before it is available in Nginx, OpenSSL, even in the browser, and later again before it is switched on by default in the browser.
    I suspect it won't even matter much in time before all links in the chain are ready.