Add support for QUIC and HTTP/3 #230
Comments
|
No, but PRs are welcome to add this. |
|
The complicated part is not client support, but rather server support. Nowadays it's still mostly experimental, behind forked modules, custom OpenSSL 3.2+QUIC builds etc. — so at the moment it's not a matter of a config flag to enable — it usually means some elbow grease to manually build your complete environment with the h3-enabled TLS stack in mind, often via BoringSSL or alternatives like QuicTLS. One of the main advantages of QUIC design is that it's not deeply tied to the host OSes and kernels and is mostly designed to live in the userspace to be more easily updated for new features etc., so there's a paradigm shift the traditional crypto/TLS provides can't seem to navigate effectively. It's slowly getting implemented at clients, APIs for servers are further down the roadmaps to stabilize… and we're barely out of draft revision and incompatibilities like when TLSv1.3 gradually made its way to final RFC version. Even cURL don't want to make any stability promises until any of the libraries needed exit experimental stage. Most products need to implement QUIC in a custom fashion to benefit from the likes of UDP connectionlessness, QPACK streams, 0-RTT, CID, BBR and other HTTP/3 changes so general use in server software without close ties to the actual application level is rather slow, and many wait for OpenSSL to build their own stack (since the way to just enable API integration from a few years ago hit a wall when OpenSSL clearly stated they won't integrate with existing QUIC stacks: openssl/openssl#8797 (comment) …) Further reading to get the idea:
From the perspective of @mozilla/ssl-config-generator or @mozilla/server-side-tls there's currently no need to tweak the TLS settings and turn configuration knobs, not unlike with TLSv1.3 "modern" config using basically the defaults, as it was designed to use only the better parts of the TLS world from "lessons learned". I don't think (and honestly only hope!) we won't need to fine tune any TLSv1.3 or HTTP/3 configuration outputs in the near future. Then, when you have some lovely h3 support like in Caddy, it's just there by default; nothing to configure. 🚀 |
|
@charescape TL;DR right now it's slightly painful to provide config lines for h3 upgrades when you need to compile experimental features hidden behind flags or in non-mainline binaries and link against alternative TLS implementations outside of main distros to get any meaningful QUIC support in the first place. 🤷 (I can imagine the h3 upgrade lines inactive behind |
janbrasna
added
enhancement
|
One more further reading to get the idea: https://nginx.org/en/docs/http/ngx_http_v3_module.html |
|
My two cents: as @charescape has pointed out, Assuming you already have a working https configuration, the steps are (roughly)
Would contributions be accepted that add http3 support solely for |
I think we would accept support incrementally, though I would prefer entries in |
|
Generally h3 config is out of scope here, unless it's relevant to the guidelines. If/when battle tested enough, it can be added as part of the boilerplate, similar to h2 additions here, preferably relative to tls13 presence in the outputs — but unless real world usage shows otherwise, the authors still treat it as experimental: https://nginx.org/en/docs/http/ngx_http_v3_module.html
(Once again, this would be a nice addition if the necessary rules were simple, neat and universal; but right now there's a lot of ifs and whens needed, and that's hard to convey inside a config template output without long explanations and commented-out variants, esp. with different listen directives — that sounds more like a UI checkbox to opt-in into a h3–enabled config, when you know you can support the necessary prerequisites.) The compat layer is a great effort from the nginx folks, so it would be worth supporting it here as the most straightforward path, but it still sounds like a lot explainers would need to be added to the output config though. There's no equivalent of Apache's ifmodule to place the extras behind a feature check unfortunately. https://github.com/digitalocean/nginxconfig.io has it opt-in, too: (NB: I don't see them a) add the alt-svc header, b) use the present day style of h2 config instead of the listen directive, so that may not be even up to date for current syntax fwiw…) @gstrauss Feature support that doesn't have impact on config output feasibility is only in the conditional logic inside hbs version checks. But if the addition of reuseport may or may not be relevant to the consumer based on h3 interest/feasibility or not, that's not something to easily just comment out or provide based on server version, that's something based on an extra decision — and if we should introduce this extra decision (as compared to h2 rules scattered around, that have basically no compatibility impact, and can be included always) — is it worth the extra layers of complexity added, right now, when it can't really be used by folks who don't have the necessary background to actually make sure such config would work for them out of the box and not just error out? (Or worse, wholesale advertise h3 alt-svc and then not really provide it…) I think the most important bit that's out of our config scope is the UDP support necessary, besides verifying the module is actually available. FYI @Lordfirespeed, TLSv1.3 cipher suites are not configured there, see #124. That said, it would be a welcome addition if the configs don't cease to work for some consumers thanks to such change. Feel free to chime in with more real world experience, I think we'd be happy to start adding h3 support on per-server basis if the change is simple enough not to warrant an app-wide impact first, and/or if it turns out to be feasible without an explicit opt-in feature switch to make sure we're not breaking anyone downstream to start with. |
Perhaps I didn't quite communicate my point: OpenSSL has supported the TLS1.3-specific ciphersuites since version 1.1.1, 2018. OpenSSL includes features necessary for making |
|
@janbrasna Thankyou for the comprehensive write-up :) Yes, I see what you're getting at - even if the module is included by default, it's still advertised experimental, so not ideal from that standpoint. Re lack of The
in practise, this means that you must select one 'special' server block that includes the That's obviously not ideal for a config template that people expect to 'just work' in any scenario; whether or not it works is dependent on their existing configuration. |
|
Since Sept 2024, HTTP3 is enabled for all users of Safari 16 and newer. Before then, it was enabled for a subset of users. |
Is there any plan to add support for HTTP/3 since it is now supported in all major browsers?
The text was updated successfully, but these errors were encountered: