globaleaks / whistleblowing-software

GlobaLeaks is free, open-source whistleblowing software enabling anyone to easily set up and maintain a secure reporting platform.
https://www.globaleaks.org

Support HTTP/3 - QUIC protocol #2685

Open fpietrosanti opened 4 years ago

fpietrosanti commented 4 years ago

Current behavior: Following the technological upgrade of GlobaLeaks with TLS 1.3, Onion V3 and HTTP/2, this ticket is to introduce support for HTTP/3.

QUIC is now supported by Cloudflare, Firefox Nightly and Chrome Canary: https://www.zdnet.com/article/cloudflare-google-chrome-and-firefox-add-http3-support/

Expected behavior: GlobaLeaks should support HTTP/3, and its support should be able to be enabled/disabled on a global basis or on a per-tenant basis.

QUIC protocol is based on UDP, so it will not work over Tor.

evilaliv3 commented 4 years ago

Actually HTTP3 is still in draft: https://tools.ietf.org/html/draft-ietf-quic-http-23 and there are still no implementations in Linux.

I'm in favour of this addition but there is actually no necessity to make it possible to enable/disable it both at global and at tenant level. ALPN is the tech that naturally makes it possible for a client and a server to establish the best supported protocol and definitely should not be configurable at application level. It would just complicate the usability for unknown reasons.

fpietrosanti commented 4 years ago

There's this Python implementation actually: https://github.com/aiortc/aioquic

Btw it's UDP based, so it cannot work on Tor; worthwhile giving the possibility to enable/disable. Btw I don't know what the different technical ways are in which browsers understand or try to decide which version of HTTP to use?

evilaliv3 commented 4 years ago

Yes, ALPN, the protocol mentioned above.

We already support it, and it is what is currently used by browser and backend to implement both the SNI and the selection among h1 and h2.