How HTTP/3 differs from 1 and 2How HTTP/3 differs from 1 and 2
Build curl to enable HTTP/3Build curl to enable HTTP/3
The TLS situationThe TLS situation
HTTP/3 with the curl toolHTTP/3 with the curl tool
HTTP/3 with libcurlHTTP/3 with libcurl
Remaining issuesRemaining issues
WhenWhen
@bagder@bagder
This is not my HTTP/3 explanation talk
HTTP/3 for everyone (FOSDEM 2020)
https://daniel.haxx.se/videos/
@bagder@bagder
Improvements in QUICImprovements in QUIC
TCP head of line blockingTCP head of line blocking
Faster handshakesFaster handshakes
Earlier dataEarlier data
More encryption, alwaysMore encryption, always
Future developmentFuture development
@bagder@bagder
QUIC on top of UDP
TCP and UDP remain “the ones”TCP and UDP remain “the ones”
Use UDP instead of IPUse UDP instead of IP
Reliable transport protocol - inReliable transport protocol - in
user-spaceuser-space
A little like TCP + TLSA little like TCP + TLS
@bagder@bagder
Streams!
QUIC provides streamsQUIC provides streams
Many logical flows within a single connectionMany logical flows within a single connection
Similar to HTTP/2 but in the transport layerSimilar to HTTP/2 but in the transport layer
IndependentIndependent streamsstreams
@bagder@bagder
Stacks: old vs new
TCP
TLS 1.2+
HTTP/2
UDP
HTTP/3
QUIC
TLS 1.3
IP
HTTP/1
@bagder@bagder
streams
@bagder@bagder
HTTPS is TCP?
HTTPS:// URLs are everywhereHTTPS:// URLs are everywhere
TCP (and TLS) on TCP port 443TCP (and TLS) on TCP port 443
@bagder@bagder
This service - over there!
The Alt-Svc: response header
Another host, protocol or port number is the
same “origin”
This site also runs on HTTP/3 “over there”, for
the next NNNN seconds
@bagder@bagder
HTTP/3 challenges
3-7% something of all QUIC attempts fail
Clients need “fall back” algorithms
CPU intensive
Unoptimized UDP stacks
“Funny” TLS layer
All QUIC stacks are user-land
No standard QUIC API
Lack of tooling
@bagder@bagder
Work in progress
Early days – your help is appreciated
HTTP/3 and QUIC support is experimental
Things might will change
Code is in git master and shipped
Only HTTP/3 (not QUIC) is exposed in curl
@bagder@bagder
Build curl
Early support aids the protocol community
Requires 3rd party libraries for low level
Selectable backend, use one out of several choices
Quiche or ngtcp2 for now
- Different TLS requirements
- Very different APIs
@bagder@bagder
@bagder@bagder
Build curl with quiche
https://github.com/cloudflare/quiche
Uses BoringSSL
(Look at docs/HTTP3.md)
You want alt-svc support as well
@bagder@bagder
@bagder@bagder
Build curl with ngtcp2 (and nghttp3)
https://github.com/ngtcp2/ngtcp2
https://github.com/ngtcp2/nghttp3
Uses a patched OpenSSL or GnuTLS from git
(Look at docs/HTTP3.md)
You want alt-svc support as well
@bagder@bagder
@bagder@bagder
Why is it called ngtcp2?
Jana Iyengar (then at Google) did a QUIC presentation in the HTTP
Workshop Stockholm in July 2016
In that presentation, he showed...
The TLS situation (1/2)
TLS was made for TCP
TLS is sent over TCP as records containing
individual messages
QUIC uses TLS messages
No TLS library support(ed) TLS messages
QUIC also needs additional secrets
@bagder@bagder
@bagder@bagder
OpenSSL
No support in any release, nor git
“once the 3.0 release is done, QUIC will become a significant
focus of our effort” + “final [3.0] release in early Q4 2020”
PR #8797 OpenSSL offers an API similar to the BoringSSL one.
https://github.com/openssl/openssl/pull/8797
ngtcp2 uses OpenSSL+8797
… and so does msquic, node.js and more
@bagder@bagder
It looks like HTTP/1
As for HTTP/2, HTTP/3 in curl is made to lookmade to look
like HTTP/1like HTTP/1 when curl shows requests,
headers and similar. For consistency and easy
of use.
@bagder@bagder
Run curl
--http3
Forces curl to try QUIC and HTTP/3 on the given host name
No fallback!
--alt-svc <filename>
Bootstraps into HTTP/3 the “standard way”
Requires alt-svc: response headers (several dev servers don’t do those)
Takes an additional round-trip
Makes the initial request HTTP/1 or HTTP/2 the “usual way”
The alt-svc file format: https://curl.haxx.se/docs/alt-svc.html
@bagder@bagder
Works now with HTTP/3
@bagder@bagder
HTTP/3 draft-27
Connecting over IPv4 and IPv6 and “Happy eyeballs”
Direct or via alt-svc
Funny host name/DNS tricks like --resolve and friends
HTTP GET and POST requests
HTTP header parsing, adding and removing headers
Cookies, connection caching, connection re-use etc
SSLKEYLOGFILE
HTTP/3 in the curl CI
We verify the HTTP/3 builds in every curl commit
and PR
Both quiche and ngtcp2
Builds only, they don’t run tests yet
@bagder@bagder
HTTP/3 is still “experimental” in curl
Fallback
(happy
eyeballs?)
https://github.com/curl/curl/wiki/HTTP3
Multiplexing Certificates
Trailers Stability Tests
Push
qlog
@bagder@bagder
Upgrading to h3 - long term
Tricky
HTTP/2 reuses the same
connection - easier
alt-svc needs cache on disk to be
effective
Happy eyeballs...
@bagder@bagder