Closed Bug 1908658 Opened 1 year ago Closed 1 year ago

Don't fallback from H3 connection for cert errors

Categories

(Core :: Networking: HTTP, task, P2)

task

Tracking

()

RESOLVED FIXED
131 Branch
Tracking Status
firefox131 --- fixed

People

(Reporter: kershaw, Assigned: kershaw)

References

(Blocks 1 open bug)

Details

(Whiteboard: [necko-triaged])

Attachments

(1 file)

Since most web servers use the same TLS certificate for all versions of HTTP, it makes no sense to fallback from HTTP/3 to HTTP/2 when encountering certificate errors.

Assignee: nobody → kershaw
Status: NEW → ASSIGNED

(In reply to Kershaw Chang [:kershaw] from comment #0)

Since most web servers use the same TLS certificate for all versions of HTTP, it makes no sense to fallback from HTTP/3 to HTTP/2 when encountering certificate errors.

To make sure I am not missing something, Lars do you have any objections skipping the fallback to HTTP/2 after HTTP/3 certificate error?

The attached patch simplifies connecting with Firefox to an HTTP/3 only server with a self-signed certificate (see related issue on Neqo https://github.com/mozilla/neqo/pull/1992). Instead of falling back to HTTP/3, the certificate error is presented to the user directly, with an option to trust the self-signed certificate.

Flags: needinfo?(leggert)

I think it makes sense to not fall back to H2 here. The fallback is meant for when H3 isn't working, because QUIC is blocked or the server doesn't support it. A cert failure is a server misconfiguration that we should IMO not hide from the user.

Flags: needinfo?(leggert)
Pushed by kjang@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/a65d0d12e760 Don't fallback to H2 for NSS errors, r=mxinden
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 131 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: