Issue 4283 (https://github.com/openssl/openssl/issues/4283) has caused me to take a close look at QUIC. This seems to have been getting a *lot* of attention just recently. See the IDs below for details:
https://tools.ietf.org/html/draft-ietf-quic-transport-05 https://tools.ietf.org/html/draft-ietf-quic-tls-05 https://tools.ietf.org/html/draft-ietf-quic-recovery-05 For the uninitiated QUIC is a new general-purpose transport protocol built on top of UDP. It provides applications with a secure stream abstraction (like TLS over TCP) with reliable, in-order delivery, as well as the ability to multiplex many streams over a single connection (without head-of-line blocking). It is *very* closely integrated with TLSv1.3. It uses the TLSv1.3 handshake for agreeing various QUIC parameters (via extensions) as well as for agreeing keying material and providing an "early data" capability. The actual packet protection is done by QUIC itself (so it doesn't use TLS application data) using a QUIC ciphersuite that matches the negotiated TLS ciphersuite. Effectively you can think of QUIC as a modernised rival to TLS over TCP. I've spent some time today reading through the IDs. It has become clear to me that in order for OpenSSL to be used to implement QUIC there are a number of new requirements/issues we would need to address: - We need to provide the server half of the TLSv1.3 cookie mechanism. At the moment an OpenSSL client will echo a TLSv1.3 cookie it receives back to the server, but you cannot generate a cookie on the server side. - We need to be able to support *stateless* operation for the ClientHello->HelloRetryRequest exchange. This is very much in the same vein as the stateless way that DTLSv1_listen() works now for DTLS in the ClientHello->HelloVerifyRequest exchange. This is quite a significant requirement. - A QUIC server needs to be able to issue a NewSessionTicket on demand - Ticket PSKs need to be able to have an embedded QUIC layer token (the equivalent of the cookie - but embedded inside the PSK). - We need to extend the "exporter" API to allow early_secret based exports. At the moment you can only export based on the final 1-RTT key. - TLS PSKs are transferable between TLS-TCP and QUIC/TLS-UDP. There are some special rules around ALPN for this that may impact our current logic in this area. - Possibly a QUIC implementation will need to have knowledge of the TLSv1.3 state machine because different TLSv1.3 handshake records need to go into different types of QUIC packets (ClientHello needs to go into "Client Initial" packet, HelloRetryRequest needs to go into a "Server Stateless Retry" packet and everything else goes into "Client Cleartext" or "Server Cleartext" packets). It may be possible for a QUIC implementation to infer the required information without additional APIs, but I'm not sure. - QUIC places size limits on the allowed size of a ClientHello. Possibly we may want some way of failing gracefully if we attempt to exceed that (or maybe we just leave that to the QUIC implementation to detect). I'm going to start working through this list of requirements, but if anyone fancies picking some of it up then let me know. Also, did I miss anything from the above list? Matt -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev