Home Explore Help
Sign In
SMusatov
/
ydb
mirror of https://github.com/ydb-platform/ydb.git
1
0
Fork 0
Files
Tree: 18686b50ca
Branches Tags
ydb
/
contrib
/
libs
/
ngtcp2
/
README.rst

README.rst 11 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357 
  1. ngtcp2
    2. 

  2. ======
    3. 

  3. 

  4. "Call it TCP/2.  One More Time."
    5. 

  5. 

  6. ngtcp2 project is an effort to implement `RFC9000
    7. 

  7. <https://datatracker.ietf.org/doc/html/rfc9000>`_ QUIC protocol.
    8. 

  8. 

  9. Documentation
    10. 

  10. -------------
    11. 

  11. 

  12. `Online documentation <https://nghttp2.org/ngtcp2/>`_ is available.
    13. 

  13. 

  14. Public test server
    15. 

  15. ------------------
    16. 

  16. 

  17. The following endpoints are available to try out ngtcp2
    18. 

  18. implementation:
    19. 

  19. 

  20. - https://nghttp2.org:4433
    21. 

  21. - https://nghttp2.org:4434 (requires address validation token)
    22. 

  22. - https://nghttp2.org (powered by `nghttpx
    23. 

  23.   <https://nghttp2.org/documentation/nghttpx.1.html>`_)
    24. 

  24. 

  25.   This endpoints sends Alt-Svc header field to clients if it is
    26. 

  26.   accessed via HTTP/1.1 or HTTP/2 to tell them that HTTP/3 is
    27. 

  27.   available at UDP 443.
    28. 

  28. 

  29. Requirements
    30. 

  30. ------------
    31. 

  31. 

  32. The libngtcp2 C library itself does not depend on any external
    33. 

  33. libraries.  The example client, and server are written in C++20, and
    34. 

  34. should compile with the modern C++ compilers (e.g., clang >= 11.0, or
    35. 

  35. gcc >= 11.0).
    36. 

  36. 

  37. The following packages are required to configure the build system:
    38. 

  38. 

  39. - pkg-config >= 0.20
    40. 

  40. - autoconf
    41. 

  41. - automake
    42. 

  42. - autotools-dev
    43. 

  43. - libtool
    44. 

  44. 

  45. To build sources under the examples directory, libev and nghttp3 are
    46. 

  46. required:
    47. 

  47. 

  48. - libev
    49. 

  49. - `nghttp3 <https://github.com/ngtcp2/nghttp3>`_ for HTTP/3
    50. 

  50. 

  51. To enable `TLS Certificate Compression
    52. 

  52. <https://datatracker.ietf.org/doc/html/rfc8879>`_ in bsslclient and
    53. 

  53. bsslserver (BoringSSL (aws-lc) examples client and server), the
    54. 

  54. following library is required:
    55. 

  55. 

  56. - libbrotli-dev >= 1.0.9
    57. 

  57. 

  58. ngtcp2 crypto helper library, and client and server under examples
    59. 

  59. directory require at least one of the following TLS backends:
    60. 

  60. 

  61. - `quictls
    62. 

  62.   <https://github.com/quictls/openssl/tree/OpenSSL_1_1_1w+quic>`_
    63. 

  63. - GnuTLS >= 3.7.5
    64. 

  64. - BoringSSL (commit c361e279402ec359834b7eaa7d737462d02675e1);
    65. 

  65.   or aws-lc >= 1.39.0
    66. 

  66. - Picotls (commit 402544bb65b35c3231a8912f25919de7e7922659)
    67. 

  67. - wolfSSL >= 5.5.0
    68. 

  68. - LibreSSL >= v3.9.2
    69. 

  69. 

  70. Before building from git
    71. 

  71. ------------------------
    72. 

  72. 

  73. When build from git, run the following command to pull submodules:
    74. 

  74. 

  75. .. code-block:: shell
    76. 

  76. 

  77.    $ git submodule update --init
    78. 

  78. 

  79. Build with wolfSSL
    80. 

  80. ------------------
    81. 

  81. 

  82. .. code-block:: shell
    83. 

  83. 

  84.    $ git clone --depth 1 -b v5.7.4-stable https://github.com/wolfSSL/wolfssl
    85. 

  85.    $ cd wolfssl
    86. 

  86.    $ autoreconf -i
    87. 

  87.    $ # For wolfSSL < v5.6.6, append --enable-quic.
    88. 

  88.    $ ./configure --prefix=$PWD/build \
    89. 

  89.        --enable-all --enable-aesni --enable-harden --enable-keylog-export \
    90. 

  90.        --disable-ech
    91. 

  91.    $ make -j$(nproc)
    92. 

  92.    $ make install
    93. 

  93.    $ cd ..
    94. 

  94.    $ git clone --recursive https://github.com/ngtcp2/nghttp3
    95. 

  95.    $ cd nghttp3
    96. 

  96.    $ autoreconf -i
    97. 

  97.    $ ./configure --prefix=$PWD/build --enable-lib-only
    98. 

  98.    $ make -j$(nproc) check
    99. 

  99.    $ make install
    100. 

  100.    $ cd ..
    101. 

  101.    $ git clone --recursive https://github.com/ngtcp2/ngtcp2
    102. 

  102.    $ cd ngtcp2
    103. 

  103.    $ autoreconf -i
    104. 

  104.    $ # For Mac users who have installed libev with MacPorts, append
    105. 

  105.    $ # LIBEV_CFLAGS="-I/opt/local/include" LIBEV_LIBS="-L/opt/local/lib -lev"
    106. 

  106.    $ ./configure PKG_CONFIG_PATH=$PWD/../wolfssl/build/lib/pkgconfig:$PWD/../nghttp3/build/lib/pkgconfig \
    107. 

  107.        --with-wolfssl
    108. 

  108.    $ make -j$(nproc) check
    109. 

  109. 

  110. Build with BoringSSL
    111. 

  111. --------------------
    112. 

  112. 

  113. .. code-block:: shell
    114. 

  114. 

  115.    $ git clone https://boringssl.googlesource.com/boringssl
    116. 

  116.    $ cd boringssl
    117. 

  117.    $ git checkout c361e279402ec359834b7eaa7d737462d02675e1
    118. 

  118.    $ cmake -B build -DCMAKE_POSITION_INDEPENDENT_CODE=ON
    119. 

  119.    $ make -j$(nproc) -C build
    120. 

  120.    $ cd ..
    121. 

  121.    $ git clone --recursive https://github.com/ngtcp2/nghttp3
    122. 

  122.    $ cd nghttp3
    123. 

  123.    $ autoreconf -i
    124. 

  124.    $ ./configure --prefix=$PWD/build --enable-lib-only
    125. 

  125.    $ make -j$(nproc) check
    126. 

  126.    $ make install
    127. 

  127.    $ cd ..
    128. 

  128.    $ git clone --recursive  https://github.com/ngtcp2/ngtcp2
    129. 

  129.    $ cd ngtcp2
    130. 

  130.    $ autoreconf -i
    131. 

  131.    $ # For Mac users who have installed libev with MacPorts, append
    132. 

  132.    $ # LIBEV_CFLAGS="-I/opt/local/include" LIBEV_LIBS="-L/opt/local/lib -lev"
    133. 

  133.    $ ./configure PKG_CONFIG_PATH=$PWD/../nghttp3/build/lib/pkgconfig \
    134. 

  134.        BORINGSSL_LIBS="-L$PWD/../boringssl/build/ssl -lssl -L$PWD/../boringssl/build/crypto -lcrypto" \
    135. 

  135.        BORINGSSL_CFLAGS="-I$PWD/../boringssl/include" \
    136. 

  136.        --with-boringssl
    137. 

  137.    $ make -j$(nproc) check
    138. 

  138. 

  139. Build with aws-lc
    140. 

  140. -----------------
    141. 

  141. 

  142. .. code-block:: shell
    143. 

  143. 

  144.    $ git clone --depth 1 -b v1.41.1 https://github.com/aws/aws-lc
    145. 

  145.    $ cd aws-lc
    146. 

  146.    $ cmake -B build -DDISABLE_GO=ON
    147. 

  147.    $ make -j$(nproc) -C build
    148. 

  148.    $ cd ..
    149. 

  149.    $ git clone --recursive https://github.com/ngtcp2/nghttp3
    150. 

  150.    $ cd nghttp3
    151. 

  151.    $ autoreconf -i
    152. 

  152.    $ ./configure --prefix=$PWD/build --enable-lib-only
    153. 

  153.    $ make -j$(nproc) check
    154. 

  154.    $ make install
    155. 

  155.    $ cd ..
    156. 

  156.    $ git clone --recursive  https://github.com/ngtcp2/ngtcp2
    157. 

  157.    $ cd ngtcp2
    158. 

  158.    $ autoreconf -i
    159. 

  159.    $ # For Mac users who have installed libev with MacPorts, append
    160. 

  160.    $ # LIBEV_CFLAGS="-I/opt/local/include" LIBEV_LIBS="-L/opt/local/lib -lev"
    161. 

  161.    $ ./configure PKG_CONFIG_PATH=$PWD/../nghttp3/build/lib/pkgconfig \
    162. 

  162.        BORINGSSL_CFLAGS="-I$PWD/../aws-lc/include" \
    163. 

  163.        BORINGSSL_LIBS="-L$PWD/../aws-lc/build/ssl -lssl -L$PWD/../aws-lc/build/crypto -lcrypto" \
    164. 

  164.        --with-boringssl
    165. 

  165.    $ make -j$(nproc) check
    166. 

  166. 

  167. Build with libressl
    168. 

  168. -----------------
    169. 

  169. 

  170. .. code-block:: shell
    171. 

  171. 

  172.    $ git clone --depth 1 -b v4.0.0 https://github.com/libressl/portable.git libressl
    173. 

  173.    $ cd libressl
    174. 

  174.    $ # Workaround autogen.sh failure
    175. 

  175.    $ export LIBRESSL_GIT_OPTIONS="-b libressl-v4.0.0"
    176. 

  176.    $ ./autogen.sh
    177. 

  177.    $ ./configure --prefix=$PWD/build
    178. 

  178.    $ make -j$(nproc) install
    179. 

  179.    $ cd ..
    180. 

  180.    $ git clone --recursive https://github.com/ngtcp2/nghttp3
    181. 

  181.    $ cd nghttp3
    182. 

  182.    $ autoreconf -i
    183. 

  183.    $ ./configure --prefix=$PWD/build --enable-lib-only
    184. 

  184.    $ make -j$(nproc) check
    185. 

  185.    $ make install
    186. 

  186.    $ cd ..
    187. 

  187.    $ git clone --recursive  https://github.com/ngtcp2/ngtcp2
    188. 

  188.    $ cd ngtcp2
    189. 

  189.    $ autoreconf -i
    190. 

  190.    $ # For Mac users who have installed libev with MacPorts, append
    191. 

  191.    $ # LIBEV_CFLAGS="-I/opt/homebrew/Cellar/libev/4.33/include" LIBEV_LIBS="-L/opt/homebrew/Cellar/libev/4.33/lib -lev"
    192. 

  192.    $ ./configure PKG_CONFIG_PATH=$PWD/../nghttp3/build/lib/pkgconfig:$PWD/../libressl/build/lib/pkgconfig
    193. 

  193.    $ make -j$(nproc) check
    194. 

  194. 

  195. Client/Server
    196. 

  196. -------------
    197. 

  197. 

  198. After successful build, the client and server executable should be
    199. 

  199. found under examples directory.  They talk HTTP/3.
    200. 

  200. 

  201. Client
    202. 

  202. ~~~~~~
    203. 

  203. 

  204. .. code-block:: shell
    205. 

  205. 

  206.    $ examples/wsslclient [OPTIONS] <HOST> <PORT> [<URI>...]
    207. 

  207. 

  208. The notable options are:
    209. 

  209. 

  210. - ``-d``, ``--data=<PATH>``: Read data from <PATH> and send it to a
    211. 

  211.   peer.
    212. 

  212. 

  213. Server
    214. 

  214. ~~~~~~
    215. 

  215. 

  216. .. code-block:: shell
    217. 

  217. 

  218.    $ examples/wsslserver [OPTIONS] <ADDR> <PORT> <PRIVATE_KEY_FILE> <CERTIFICATE_FILE>
    219. 

  219. 

  220. The notable options are:
    221. 

  221. 

  222. - ``-V``, ``--validate-addr``: Enforce stateless address validation.
    223. 

  223. 

  224. H09wsslclient/H09wsslserver
    225. 

  225. ---------------------------
    226. 

  226. 

  227. There are h09wsslclient and h09wsslserver which speak HTTP/0.9.  They
    228. 

  228. are written just for `quic-interop-runner
    229. 

  229. <https://github.com/marten-seemann/quic-interop-runner>`_.  They share
    230. 

  230. the basic functionalities with HTTP/3 client and server but have less
    231. 

  231. functions (e.g., h09wsslclient does not have a capability to send
    232. 

  232. request body, and h09wsslserver does not understand numeric request
    233. 

  233. path, like /1000).
    234. 

  234. 

  235. Resumption and 0-RTT
    236. 

  236. --------------------
    237. 

  237. 

  238. In order to resume a session, a session ticket, and a transport
    239. 

  239. parameters must be fetched from server.  First, run
    240. 

  240. examples/wsslclient with --session-file, and --tp-file options which
    241. 

  241. specify a path to session ticket, and transport parameter files
    242. 

  242. respectively to save them locally.
    243. 

  243. 

  244. Once these files are available, run examples/wsslclient with the same
    245. 

  245. arguments again.  You will see that session is resumed in your log if
    246. 

  246. resumption succeeds.  Resuming session makes server's first Handshake
    247. 

  247. packet pretty small because it does not send its certificates.
    248. 

  248. 

  249. To send 0-RTT data, after making sure that resumption works, use -d
    250. 

  250. option to specify a file which contains data to send.
    251. 

  251. 

  252. Token (Not something included in Retry packet)
    253. 

  253. ----------------------------------------------
    254. 

  254. 

  255. QUIC server might send a token to client after connection has been
    256. 

  256. established.  Client can send this token in subsequent connection to
    257. 

  257. the server.  Server verifies the token and if it succeeds, the address
    258. 

  258. validation completes and lifts some restrictions on server which might
    259. 

  259. speed up transfer.  In order to save and/or load a token,
    260. 

  260. use --token-file option of examples/wsslclient.  The given file is
    261. 

  261. overwritten if it already exists when storing a token.
    262. 

  262. 

  263. Crypto helper library
    264. 

  264. ---------------------
    265. 

  265. 

  266. In order to make TLS stack integration less painful, we provide a
    267. 

  267. crypto helper library which offers the basic crypto operations.
    268. 

  268. 

  269. The header file exists under crypto/includes/ngtcp2 directory.
    270. 

  270. 

  271. Each library file is built for a particular TLS backend.  The
    272. 

  272. available crypto helper libraries are:
    273. 

  273. 

  274. - libngtcp2_crypto_quictls: Use quictls and libressl as TLS backend
    275. 

  275. - libngtcp2_crypto_gnutls: Use GnuTLS as TLS backend
    276. 

  276. - libngtcp2_crypto_boringssl: Use BoringSSL and aws-lc as TLS backend
    277. 

  277. - libngtcp2_crypto_picotls: Use Picotls as TLS backend
    278. 

  278. - libngtcp2_crypto_wolfssl: Use wolfSSL as TLS backend
    279. 

  279. 

  280. Because BoringSSL and Picotls are an unversioned product, we only
    281. 

  281. tested their particular revision.  See Requirements section above.
    282. 

  282. 

  283. We use Picotls with OpenSSL as crypto backend.
    284. 

  284. 

  285. The examples directory contains client and server that are linked to
    286. 

  286. those crypto helper libraries and TLS backends.  They are only built
    287. 

  287. if their corresponding crypto helper library is built:
    288. 

  288. 

  289. - qtlsclient: quictls(libressl) client
    290. 

  290. - qtlsserver: quictls(libressl) server
    291. 

  291. - gtlsclient: GnuTLS client
    292. 

  292. - gtlsserver: GnuTLS server
    293. 

  293. - bsslclient: BoringSSL(aws-lc) client
    294. 

  294. - bsslserver: BoringSSL(aws-lc) server
    295. 

  295. - ptlsclient: Picotls client
    296. 

  296. - ptlsserver: Picotls server
    297. 

  297. - wsslclient: wolfSSL client
    298. 

  298. - wsslserver: wolfSSL server
    299. 

  299. 

  300. QUIC protocol extensions
    301. 

  301. -------------------------
    302. 

  302. 

  303. The library implements the following QUIC protocol extensions:
    304. 

  304. 

  305. - `An Unreliable Datagram Extension to QUIC
    306. 

  306.   <https://datatracker.ietf.org/doc/html/rfc9221>`_
    307. 

  307. - `Greasing the QUIC Bit
    308. 

  308.   <https://datatracker.ietf.org/doc/html/rfc9287>`_
    309. 

  309. - `Compatible Version Negotiation for QUIC
    310. 

  310.   <https://datatracker.ietf.org/doc/html/rfc9368>`_
    311. 

  311. - `QUIC Version 2
    312. 

  312.   <https://datatracker.ietf.org/doc/html/rfc9369>`_
    313. 

  313. 

  314. Configuring Wireshark for QUIC
    315. 

  315. ------------------------------
    316. 

  316. 

  317. `Wireshark <https://www.wireshark.org/download.html>`_ can be configured to
    318. 

  318. analyze QUIC traffic using the following steps:
    319. 

  319. 

  320. 1. Set *SSLKEYLOGFILE* environment variable:
    321. 

  321. 

  322.    .. code-block:: shell
    323. 

  323. 

  324.       $ export SSLKEYLOGFILE=quic_keylog_file
    325. 

  325. 

  326. 2. Set the port that QUIC uses
    327. 

  327. 

  328.    Go to *Preferences->Protocols->QUIC* and set the port the program
    329. 

  329.    listens to.  In the case of the example application this would be
    330. 

  330.    the port specified on the command line.
    331. 

  331. 

  332. 3. Set Pre-Master-Secret logfile
    333. 

  333. 

  334.    Go to *Preferences->Protocols->TLS* and set the *Pre-Master-Secret
    335. 

  335.    log file* to the same value that was specified for *SSLKEYLOGFILE*.
    336. 

  336. 

  337. 4. Choose the correct network interface for capturing
    338. 

  338. 

  339.    Make sure you choose the correct network interface for
    340. 

  340.    capturing. For example, if using localhost choose the *loopback*
    341. 

  341.    network interface on macos.
    342. 

  342. 

  343. 5. Create a filter
    344. 

  344. 

  345.    Create A filter for the udp.port and set the port to the port the
    346. 

  346.    application is listening to. For example:
    347. 

  347. 

  348.    .. code-block:: text
    349. 

  349. 

  350.       udp.port == 7777
    351. 

  351. 

  352. License
    353. 

  353. -------
    354. 

  354. 

  355. The MIT License
    356. 

  356. 

  357. Copyright (c) 2016 ngtcp2 contributors
    358.