Why does my browser not use HTTP/3 with my server?


I have added support for HTTP/3 to my server with embedded Jetty. But the browser does not use it. In the dev console of the browser I see only HTTP/2 requests to my server.

  • It is a Chrome browser which uses HTTP/3 with the Google site, so this can't be a browser problem. Today in the year 2023 most browsers should support HTTP/3.
  • It runs on port 443. It can't be a problem with a port number over 1000.
  • I see the HTTP header: Alt-Svc: h3=":443" in the request. Looks ok to me.
  • The Jetty server is also listening on UDP port 443.
  • The certificate is a valid Let's Encrypt certificate.

What could cause Chrome not to use HTTP/3?

How can I test the HTTP/3 feature on a non-public server, because it is under development?


There are 1 answers

Horcrux7 On

With curl from a docker image I get some diagnostics. I run:

docker run --rm --add-host=my.domain.com:10.10.7.13 ymuski/curl-http3 curl --http3 --verbose https://my.domain.com/

And compare it with google:

docker run --rm ymuski/curl-http3 curl --http3 --verbose https://www.google.com/

My output is:

*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
*   Trying 10.10.7.13:443...
* Connected to my.domaine.com (10.10.7.13) port 443
* ALPN: offers h2,http/1.1
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
{ [5 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [45 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [4030 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [264 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [36 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [36 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=*.internal.inetsoftware.de
*  start date: Oct  3 10:15:24 2023 GMT
*  expire date: Jan  1 10:15:23 2024 GMT
*  subjectAltName: host "my.domaine.com" matched cert's "*.domaine.com"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
} [5 bytes data]
* using HTTP/2
* h2 [:method: GET]
* h2 [:scheme: https]
* h2 [:authority: my.domaine.com]
* h2 [:path: /]
* h2 [user-agent: curl/8.2.1-DEV]
* h2 [accept: */*]
* Using Stream ID: 1
} [5 bytes data]
> GET / HTTP/2
> Host: my.domaine.com
> User-Agent: curl/8.2.1-DEV
> Accept: */*

The output from Google is:

*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
*  subjectAltName: host "www.google.com" matched cert's "*.google.com"
* Connected to www.google.com (142.250.184.196) port 443
* using HTTP/3
* Using HTTP/3 Stream ID: 0
> GET / HTTP/3
> Host: www.google.com
> User-Agent: curl/8.2.1-DEV
> Accept: */*

Seems to be a problem with ALPN.

Edit: The problem was the missing quiche library. Jetty then simply does not respond.
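
A probe for the failure mode named in the edit above (UDP port 443 is bound, but no QUIC stack answers), as an added example that is not part of the original post or of Jetty: it sends one QUIC long-header packet carrying a reserved version number and expects the Version Negotiation reply defined in RFC 8999 and RFC 9000. The function names, the 8-byte connection IDs and the 2-second timeout are assumptions of this example.

```python
import os
import socket
import struct

# Reserved 0x?a?a?a?a pattern (RFC 9000, section 15): no server supports it.
GREASE_VERSION = 0x1A2A3A4A

def build_probe(dcid: bytes, scid: bytes) -> bytes:
    """Long-header packet with an unsupported version, padded to 1200 bytes."""
    hdr = bytes([0xC0]) + struct.pack("!I", GREASE_VERSION)
    hdr += bytes([len(dcid)]) + dcid + bytes([len(scid)]) + scid
    return hdr.ljust(1200, b"\x00")  # servers ignore smaller first datagrams

def parse_version_negotiation(pkt: bytes, dcid: bytes, scid: bytes) -> list:
    """Return the versions listed in a Version Negotiation packet, or raise ValueError."""
    if len(pkt) < 7 or not pkt[0] & 0x80 or pkt[1:5] != b"\x00\x00\x00\x00":
        raise ValueError("not a Version Negotiation packet")
    pos, ids = 5, []
    for _ in range(2):  # destination connection ID, then source connection ID
        if pos >= len(pkt):
            raise ValueError("truncated packet")
        n = pkt[pos]
        ids.append(pkt[pos + 1:pos + 1 + n])
        pos += 1 + n
    if ids != [scid, dcid]:  # the server must echo our IDs, swapped
        raise ValueError("connection IDs do not echo the probe")
    rest = pkt[pos:]
    if not rest or len(rest) % 4:
        raise ValueError("malformed version list")
    return [v for (v,) in struct.iter_unpack("!I", rest)]

def probe(host: str, port: int = 443, timeout: float = 2.0):
    """Send the probe; return the version list, or None if nothing answered."""
    dcid, scid = os.urandom(8), os.urandom(8)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_probe(dcid, scid), (host, port))
            reply, _ = s.recvfrom(2048)
        except OSError:  # timeout, ICMP port unreachable, or name resolution failure
            return None
    return parse_version_negotiation(reply, dcid, scid)

if __name__ == "__main__":
    import sys
    versions = probe(sys.argv[1])
    print("no QUIC answer" if versions is None else [hex(v) for v in versions])
```

A result of `None` while `Alt-Svc` is still advertised means either that nothing QUIC-capable is answering on the socket or that UDP is being dropped on the path; a list containing `0x1` means a QUIC version 1 stack replied.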