Fizz is a TLS 1.3 implementation.
Fizz currently supports TLS 1.3 drafts 28, 26 (both wire-compatible with the final specification), and 23. All major handshake modes are supported, including PSK resumption, early data, client authentication, and HelloRetryRequest.
More background and details are available on the Facebook Code Blog.
Fizz largely depends on three libraries: folly, OpenSSL, and libsodium.
fizz/crypto
: Cryptographic primitive implementations (most are wrapping OpenSSL or libsodium)fizz/record
: TLS 1.3 record layer parsingfizz/protocol
: Common protocol code shared between client and serverfizz/client
: Client protocol implementationfizz/server
: Server protocol implementationfizz/tool
: Example CLI app source
The core protocol implementations are in ClientProtocol
and ServerProtocol
.
FizzClientContext
and FizzServerContext
provide configuration options.
FizzClient
and FizzServer
(which both inherit from FizzBase
) provide
applications with an interface to interact with the state machine.
FizzClient
/FizzServer
receives events from the application layer, invokes the
correct event handler, and invokes the application ActionVisitor
to process the
actions.
AsyncFizzClient
and AsyncFizzServer
provide implementations of the folly
AsyncTransportWrapper
interface. They own an underlying transport (for example
AsyncSocket
) and perform the TLS handshake and encrypt/decrypt application
data.
Fizz has several important features needed from a modern TLS library.
Fizz supports scatter/gather IO by default via folly's IOBufs, and will encrypt data in-place whenever possible, saving memcpys. Due to this and several other optimizations, we found in our load balancer benchmarks that Fizz has 10% higher throughput than our prior SSL library which uses folly's AsyncSSLSocket. Fizz also consumes less memory per connection than AsyncSSLSocket.
Fizz has asynchronous APIs to be able to offload functions like certificate signing and ticket decryption. The API is based on folly's Futures for painless async programming.
Fizz supports APIs like exported keying material as well as zero-copy APIs needed to use TLS in other protocols like QUIC.
Fizz is built on a custom state machine which uses the power of the C++ type system to treat states and actions as types of their own. As the code changes, this allows us to catch invalid state transitions as compilation errors instead of runtime errors and helps us move fast.
Fizz includes an example program that showcases the basic client/server functionality
supported by Fizz. The binary is called fizz
and it has similar usage to the
openssl
or bssl
commands.
For example, to start a TLS server on port 443 with a specified cert:
fizz server -accept 443 -cert foo.pem -key foo.key
Then, on the same host, you can connect with:
fizz client -connect localhost:443
Both ends will echo whatever data they receive and send any terminal input to the peer. Hitting CTRL+D on either end will terminate the connection.
The source code for this program can be found under fizz/tool
.
getdeps.py is a script that many fbcode OSS projects use which will automatically download dependencies for a project and build the project. This is what CI uses as its main entry point.
python3 build/fbcode_builder/getdeps.py --allow-system-packages build
Fizz is a typical CMake project. In order to build Fizz, you must configure
CMake such that Fizz's dependencies can be found (e.g. using the CMAKE_PREFIX_PATH
variable)
For example:
cmake \
-GNinja
-DCMAKE_PREFIX_PATH=/path/to/prefix \
-DCMAKE_INSTALL_PREFIX=/path/to/prefix \
-B/build/fizz \
/path/to/checkout/fizz
cmake --build /path/to/checkout/fizz
cmake --install /atph/to/checkout/fizz
We'd love to have your help in making Fizz better. If you're interested, please read our guide to guide to contributing
Fizz is BSD licensed, as found in the LICENSE file.
Please do not open GitHub issues or pull requests - this makes the problem immediately visible to everyone, including malicious actors. Security issues in Fizz can be safely reported via Facebook's Whitehat Bug Bounty program:
https://www.facebook.com/whitehat
Facebook's security team will triage your report and determine whether or not is it eligible for a bounty under our program.