The Features of 3.5: External QUIC library interface

This is the second in a series of posts about the features of OpenSSL 3.5. Its target audience is people who are curious about internet security, but who don’t recognize the acronyms in that list.

  1. QUIC server
  2. External QUIC library interface
  3. Post-quantum cryptography

When software developers want to avoid reinventing the wheel, they look for a software library, such as OpenSSL.1 Software libraries function like physical libraries in that people may freely borrow material for their own use. (Unlike a physical library, you don’t have to return code for someone else to use it!) Libraries have other books, such as encyclopedias and reference material, that aren’t allowed to be used outside of the library. In the same way, software libraries have code that’s not intended for external use, so there must be a way for programmers to know what can be reused. An API (application programming interface) defines what’s safe to borrow.

The previous post explained what QUIC is and how OpenSSL provides the tools needed to build a QUIC server. But there’s a separate item on the feature list that’s called “external QUIC library interface”. To give you an idea of what that involves, take a look at a rough sketch of the OpenSSL QUIC implementation:

[Figure: a rough sketch of the QUIC implementation in OpenSSL]

Other implementations of QUIC are likely to have their own versions of that diagram. Developers of these applications will inevitably build the parts of the system that are core to their business. However, there are other parts of the system that don’t need to be reinvented. When it comes to secure network protocols, such as the Transport Layer Security (TLS), many developers would just prefer to reuse OpenSSL’s code.

Before QUIC, reusing TLS was relatively straightforward. It’s a standard layer in the HTTP/2 stack. But QUIC doesn’t treat TLS as a separate layer. Instead, it uses specific parts of the TLS protocol that aren’t part of the existing API. To use the library analogy, QUIC needs to borrow material that’s normally reserved for internal use.

In particular, QUIC reuses the TLS handshake. Just like it sounds, a handshake is a way for two computers to greet each other.2 The handshake process allows the two parties to agree on how to communicate with each other, verify their identities and generate the keys that will unlock the coded messages they send to each other. As you can imagine, getting this right is critical to keeping the rest of the communication secure.

Developers who want to use TLS can go to the OpenSSL library and check out the TLS “book”. The first chapter is the TLS handshake. Since the 3.2 release, developers of QUIC clients have been able to check out the QUIC “book”, which also has a TLS handshake chapter. But before 3.5 there was no effective way for developers of third-party QUIC implementations to get just the TLS handshake chapter.

To make things more complicated, the messages sent between the two computers, including the messages that make up the handshake, use a specific format called a record layer. Think of it as an envelope that indicates some details about the messages inside. TLS has one type of record layer and QUIC has a different variant. So to help other programmers implement their own QUIC applications, OpenSSL now includes code to replace the standard TLS record layer with a custom record layer. That way TLS handshake messages can be sent in QUIC-compatible “envelopes”.
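To make the envelope analogy concrete, here is an added example (not OpenSSL’s code) that takes one constructed stand-in for a TLS handshake message and wraps it in the two envelopes the post contrasts: a TLS 1.3 handshake record (RFC 8446, section 5.1) and a QUIC CRYPTO frame (RFC 9000, section 19.6). It then opens either envelope to recover the same handshake bytes, which is exactly what a custom record layer lets the TLS handshake code do.

```python
import struct

# Constructed sample standing in for a TLS handshake message body.
# A real handshake would carry a ClientHello here; these bytes are a placeholder.
HANDSHAKE_MSG = bytes.fromhex("0100000603030102")

def tls_record(handshake_bytes: bytes) -> bytes:
    """TLS 1.3 envelope: content type 0x16 (handshake), legacy version 0x0303,
    then a 2-byte big-endian length (RFC 8446 section 5.1)."""
    if len(handshake_bytes) > 2 ** 14:
        raise ValueError("a TLS plaintext record body is limited to 2^14 bytes")
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake_bytes)) + handshake_bytes

def quic_varint(n: int) -> bytes:
    """QUIC variable-length integer: the top two bits of the first byte give
    the encoded length, 1/2/4/8 bytes (RFC 9000 section 16)."""
    if n < 2 ** 6:
        return bytes([n])
    if n < 2 ** 14:
        return struct.pack("!H", n | 0x4000)
    if n < 2 ** 30:
        return struct.pack("!I", n | 0x80000000)
    if n < 2 ** 62:
        return struct.pack("!Q", n | 0xC000000000000000)
    raise ValueError("value too large for a QUIC varint")

def decode_quic_varint(buf: bytes, pos: int = 0):
    """Return (value, bytes consumed) for the varint starting at buf[pos]."""
    first = buf[pos]
    length = 1 << (first >> 6)
    value = first & 0x3F
    for b in buf[pos + 1:pos + length]:
        value = (value << 8) | b
    return value, length

def quic_crypto_frame(handshake_bytes: bytes, offset: int = 0) -> bytes:
    """QUIC envelope: frame type 0x06, varint stream offset, varint length.
    No version or content type: the QUIC packet header supplies that context."""
    return b"\x06" + quic_varint(offset) + quic_varint(len(handshake_bytes)) + handshake_bytes

def unwrap_envelope(buf: bytes):
    """Open either envelope and return (kind, handshake_bytes)."""
    if buf[0] == 0x16:
        length = struct.unpack("!H", buf[3:5])[0]
        return "tls", buf[5:5 + length]
    if buf[0] == 0x06:
        _offset, n = decode_quic_varint(buf, 1)
        length, m = decode_quic_varint(buf, 1 + n)
        return "quic", buf[1 + n + m:1 + n + m + length]
    raise ValueError("not a TLS handshake record or a QUIC CRYPTO frame")
```

Running `unwrap_envelope` on both `tls_record(HANDSHAKE_MSG)` and `quic_crypto_frame(HANDSHAKE_MSG)` returns the identical payload; only the envelope differs.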

OpenSSL implemented its own QUIC client and server using the same API that it provides to external QUIC implementations. Not only does that demonstrate that the approach works, it also serves as a reference implementation for other projects that want to use OpenSSL for their QUIC software. And because 3.5 is a long-term stable release, this API will be supported for at least 5 years.

To learn more, see:

The OpenSSL Foundation thanks everyone who contributed to this feature.

Next time: a potential threat to classical cryptography.


  1. OpenSSL provides two libraries, in fact.

  2. It’s interesting to imagine if the protocols had been designed by people from a culture that used a bow or a hug or a kiss as a greeting.