Don't fallback from H3 connection for cert errors
Categories
(Core :: Networking: HTTP, task, P2)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox131 | --- | fixed |
People
(Reporter: kershaw, Assigned: kershaw)
References
(Blocks 1 open bug)
Details
(Whiteboard: [necko-triaged])
Attachments
(1 file)
Since most web servers use the same TLS certificate for all versions of HTTP, it makes no sense to fallback from HTTP/3 to HTTP/2 when encountering certificate errors.
| Assignee | ||
Comment 1•1 year ago
|
||
Updated•1 year ago
|
(In reply to Kershaw Chang [:kershaw] from comment #0)
Since most web servers use the same TLS certificate for all versions of HTTP, it makes no sense to fallback from HTTP/3 to HTTP/2 when encountering certificate errors.
To make sure I am not missing something, Lars do you have any objections skipping the fallback to HTTP/2 after HTTP/3 certificate error?
The attached patch simplifies connecting with Firefox to an HTTP/3 only server with a self-signed certificate (see related issue on Neqo https://github.com/mozilla/neqo/pull/1992). Instead of falling back to HTTP/3, the certificate error is presented to the user directly, with an option to trust the self-signed certificate.
Comment 3•1 year ago
|
||
I think it makes sense to not fall back to H2 here. The fallback is meant for when H3 isn't working, because QUIC is blocked or the server doesn't support it. A cert failure is a server misconfiguration that we should IMO not hide from the user.
Description
•