
openssl/quictls support

Open brbzull0 opened this issue 1 year ago • 4 comments

Apache Traffic Server uses this library for handling the QUIC side of things for H3. As a part of this effort we plan to use quictls as the cryptography library; this is an effort (I work for Yahoo) to support that.


This PR includes all the previous work done in the openssl branch.

Design Notes

As some of the APIs are different between vendors, I have added two sub-modules to handle the specifics, for both the tls and the crypto module. The specifics of course are coded inside each submodule: BoringSSL:

  • borinssl_crypto.rs
  • borinssl_tls.rs

OpenSSL/quictls:

  • openssl_quictls_crypto.rs
  • openssl_quictls_tls.rs

Each sub-module will be compiled depending on the feature you use (openssl or boringssl vendor) from the main module (tls, crypto).

Features

0-RTT Is not supported in this PR. It will be added afterwards. This is reflected in the README.

CI

  • we need to work around having openssl/quictls build and let quiche use it.
  • pkg-config seems not to be installed as build-dependency

Building notes for testing.

  • Make sure you have the openssl library in your LD_LIBRARY_PATH and the right path inside the PKG_CONFIG_PATH
  • Add openssl in the cargo --features list

I am using openssl/quictls 3 for this implementation.

brbzull0 avatar Aug 29 '23 10:08 brbzull0
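The Design Notes and Features sections above describe selecting one vendor sub-module per cargo feature and leaving 0-RTT unsupported on the openssl/quictls side. The following is an added illustration of that layout, not quiche's own code; the feature name `openssl` comes from the PR description, while `boringssl` as a feature name, the trait, and the function names are assumptions.

```rust
// Added illustration, not quiche's code. Feature names assumed: `openssl`
// (named in the PR description) selects the quictls backend; otherwise the
// BoringSSL backend is compiled, mirroring the per-vendor sub-module layout.
#[cfg(all(feature = "openssl", feature = "boringssl"))]
compile_error!("enable exactly one TLS vendor feature: `openssl` or `boringssl`");

/// Interface the main `tls` module expects from each vendor sub-module.
pub trait TlsVendor {
    const NAME: &'static str;
    /// Whether the backend can accept 0-RTT early data.
    fn supports_early_data() -> bool;
}

#[cfg(feature = "openssl")]
mod openssl_quictls_tls {
    pub struct Backend;
    impl super::TlsVendor for Backend {
        const NAME: &'static str = "openssl/quictls";
        // 0-RTT is not supported by this backend in the PR, so report false.
        fn supports_early_data() -> bool { false }
    }
}

#[cfg(not(feature = "openssl"))]
mod boringssl_tls {
    pub struct Backend;
    impl super::TlsVendor for Backend {
        const NAME: &'static str = "boringssl";
        fn supports_early_data() -> bool { true }
    }
}

// Exactly one of these re-exports exists in any given build.
#[cfg(feature = "openssl")]
pub use openssl_quictls_tls::Backend;
#[cfg(not(feature = "openssl"))]
pub use boringssl_tls::Backend;

/// Gate a caller's request for early data on what the compiled backend
/// actually supports, so a quictls build never silently enables 0-RTT.
pub fn early_data_enabled(requested: bool) -> bool {
    requested && Backend::supports_early_data()
}

fn main() {
    println!("TLS vendor: {} (0-RTT: {})", Backend::NAME, early_data_enabled(true));
}
```

Built without the `openssl` feature (as here), the BoringSSL backend is selected; with `--features openssl` the quictls module replaces it and early data is refused.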

CI needs to include openssl/quictls so we know we are passing all builds/tests with each vendor.

brbzull0 avatar Nov 13 '23 12:11 brbzull0

Hello,

I am working on a mobile application which allows using encrypted DNS (Android for the moment, iOS right after). I tested quiche with a little proto on Android, it works great (thanks!). So I wanted to integrate quiche into my application to develop DoQ and DoH3, but I got compilation errors due to conflicts with OpenSSL. Yes, I use OpenSSL 3.2 to enable DoT and DoH.

It would be great if we can have a pluggable TLS vendor.

@brbzull0 As OpenSSL 3.2 now supports QUIC (not all features), will your PR support legacy OpenSSL > 3.2 or only quictls? Thanks for your work.

Eimji avatar Jan 06 '24 05:01 Eimji

Hello @Eimji. The plan is only quictls for now. Thanks for having a look.

brbzull0 avatar Jan 11 '24 13:01 brbzull0

Making this ready for review so we can gather some input. Thanks.

cc: @ghedo

brbzull0 avatar Jan 11 '24 13:01 brbzull0

I think it is worth having this link here, in case we want to discuss it.

brbzull0 avatar Mar 04 '24 19:03 brbzull0

Saw that we need to rebase. I do not know if you guys are doing anything with this branch, so I do not want to force push and break anything on your side. Can I go ahead and rebase & force push?

Thanks.

brbzull0 avatar Mar 14 '24 12:03 brbzull0

@brbzull0 I was going to do it, just got delayed by travel. Thanks for your work, this is merged now!

ghedo avatar Mar 16 '24 05:03 ghedo

great stuff! @ghedo @LPardue Thanks a lot gents!

brbzull0 avatar Mar 18 '24 09:03 brbzull0