Cannot connect from UDP-blocking networks due to forced QUIC usage

[kleinesfilmroellchen]

Describe the bug

Nheko forces the use of HTTP3/QUIC. Some networks, such as the University of Stuttgart‘s eduroam implementation, block all UDP traffic, which QUIC relies on. Therefore, Nheko cannot connect from these networks, since there is no fallback to HTTP2/TCP which would succeed; other clients can connect from these networks just fine.

To Reproduce

1. Be in a network that blocks all UDP traffic (I’m confident even local firewall configuration can create a test setup for this relatively easily)
2. Try to connect to a relatively up-to-date Synapse server that supports HTTP3
3. See that Nheko cannot connect; a “no network connection” message is visible

What happened?

No connection to Matrix homeserver; see above.

Expected behavior

Nheko should be able to connect to a homeserver using either HTTP2 or HTTP3, using the former as a fallback for (honestly stupid) networks where UDP is blocked and QUIC connections fail.

Screenshots

No response

Version

0.11.3

Operating system

Linux

Installation method

Some repository (AUR, homebrew, distribution repository, PPA, etc)

Qt version

No response

C++ compiler

No response

Desktop Environment

KDE Plasma 6

Did you use profiles?

• [ ] Profiles used?

Relevant log output

[2024-05-06 15:11:55.835] [net] [warning] Failed to retrieve backup version
[2024-05-06 15:11:55.858] [crypto] [warning] failed to update one-time keys: (connection: Couldn't connect to server)
[2024-05-06 15:11:55.881] [net] [warning] failed to retrieve profile info for @filmroellchen:chat.upi.li
[2024-05-06 15:11:55.904] [net] [warning] failed to query device keys: M_UNRECOGNIZED,0
[2024-05-06 15:11:55.904] [net] [warning] failed to query device keys: (connection: Couldn't connect to server)

Backtrace

No response

[deepbluev7]

Nheko doesn't force the usage of QUIC though. It only enables it, if a server claims to support it. However, that it doesn't fall back on connection issues is a problem, yes. But that seems to be a curl issue and it only happens on distros, that enable http/3 support in curl.

[deepbluev7]

See https://github.com/curl/curl/issues/13162 for example.

[Kimiblock]

cURL seems to have issues connecting to QUIC-enabled server. Firefox connects just fine.

➜  ~ curl --http3-only https://moechat.kimiblock.top/versions -Lvv
14:53:15.596527 [0-0] * Host moechat.kimiblock.top:443 was resolved.
14:53:15.596615 [0-0] * IPv6: (none)
14:53:15.596637 [0-0] * IPv4: 8.210.222.108, 8.218.96.243
14:53:15.596674 [0-0] * [HTTPS-CONNECT] added
14:53:15.596711 [0-0] * [HTTPS-CONNECT] connect, init
14:53:15.596762 [0-0] *   Trying 8.210.222.108:443...
14:53:15.598977 [0-0] * [HTTP/3] QUIC tls init -> 0
14:53:15.599432 [0-0] * [HTTP/3] QUIC SSL_connect() -> WANT_RECV
14:53:15.599460 [0-0] * [HTTP/3] populate_x509_store, path=/etc/ssl/certs/ca-certificates.crt, blob=0
14:53:15.608619 [0-0] *  CAfile: /etc/ssl/certs/ca-certificates.crt
14:53:15.608650 [0-0] *  CApath: none
14:53:15.608678 [0-0] * [HTTP/3] QUIC expiry in 989ms
14:53:15.608710 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
14:53:15.608749 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 1 socks
14:53:15.608814 [0-0] * [HTTP/3] QUIC SSL_connect() -> WANT_RECV
14:53:15.608874 [0-0] * [HTTP/3] QUIC expiry in 989ms
14:53:15.608906 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
14:53:15.608939 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 1 socks
14:53:15.670916 [0-0] * [HTTP/3] QUIC SSL_connect() -> WANT_RECV
14:53:15.670954 [0-0] * [HTTP/3] QUIC expiry in 998ms
14:53:15.670975 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
14:53:15.671002 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 1 socks
14:53:15.739810 [0-0] * [HTTP/3] QUIC SSL_connect() -> WANT_RECV
14:53:15.739864 [0-0] * [HTTP/3] QUIC expiry in 205ms
14:53:15.739894 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
14:53:15.739929 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 1 socks
14:53:15.747562 [0-0] * [HTTP/3] handshake complete after 145ms
14:53:15.747607 [0-0] * Server certificate:
14:53:15.747641 [0-0] *  subject: CN=kimiblock.top
14:53:15.747673 [0-0] *  start date: Jul 31 02:42:05 2024 GMT
14:53:15.747730 [0-0] *  expire date: Oct 29 02:42:04 2024 GMT
14:53:15.747778 [0-0] *  subjectAltName: host "moechat.kimiblock.top" matched cert's "*.kimiblock.top"
14:53:15.747830 [0-0] *  issuer: C=US; O=Let's Encrypt; CN=E5
14:53:15.747879 [0-0] *  SSL certificate verify ok.
14:53:15.747926 [0-0] *   Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA384
14:53:15.747980 [0-0] *   Certificate level 1: Public key type EC/secp384r1 (384/192 Bits/secBits), signed using sha256WithRSAEncryption
14:53:15.748043 [0-0] *   Certificate level 2: Public key type RSA (4096/152 Bits/secBits), signed using sha256WithRSAEncryption
14:53:15.748103 [0-0] * [HTTP/3] peer verified
14:53:15.748163 [0-0] * [HTTP/3] QUIC expiry in 204ms
14:53:15.748223 [0-0] * [HTTP/3] connect -> 0, done=1
14:53:15.748283 [0-0] * Connected to moechat.kimiblock.top () port 443
14:53:15.748346 [0-0] * [HTTPS-CONNECT] connect+handshake h3: 151ms, 1st data: 73ms
14:53:15.748403 [0-0] * using HTTP/3
14:53:15.748461 [0-0] * [HTTPS-CONNECT] connect -> 0, done=1
14:53:15.748550 [0-0] * [HTTP/3] progress_ingress -> 0
14:53:15.748644 [0-0] * [HTTP/3] [2] send 16 bytes to QUIC ok
14:53:15.748704 [0-0] * [HTTP/3] [2] forwarded 16/16 h3 bytes to QUIC, eos=0
14:53:15.748784 [0-0] * [HTTP/3] [10] send 1 bytes to QUIC ok
14:53:15.748846 [0-0] * [HTTP/3] [10] forwarded 1/1 h3 bytes to QUIC, eos=0
14:53:15.748933 [0-0] * [HTTP/3] [6] send 1 bytes to QUIC ok
14:53:15.748991 [0-0] * [HTTP/3] [6] forwarded 1/1 h3 bytes to QUIC, eos=0
14:53:15.749053 [0-0] * [HTTP/3] h3_send_streams -> 0
14:53:15.749116 [0-0] * [HTTP/3] progress_egress -> 0
14:53:15.749192 [0-0] * [HTTP/3] [0] OPENED stream for https://moechat.kimiblock.top/versions
14:53:15.749254 [0-0] * [HTTP/3] [0] [:method: GET]
14:53:15.749311 [0-0] * [HTTP/3] [0] [:scheme: https]
14:53:15.749376 [0-0] * [HTTP/3] [0] [:authority: moechat.kimiblock.top]
14:53:15.749434 [0-0] * [HTTP/3] [0] [:path: /versions]
14:53:15.749493 [0-0] * [HTTP/3] [0] [user-agent: curl/8.10.0]
14:53:15.749550 [0-0] * [HTTP/3] [0] [accept: */*]
14:53:15.749649 [0-0] * [HTTP/3] [0] send 44 bytes to QUIC ok
14:53:15.749707 [0-0] * [HTTP/3] [0] forwarded 44/44 h3 bytes to QUIC, eos=1
14:53:15.749779 [0-0] * [HTTP/3] h3_send_streams -> 0
14:53:15.749839 [0-0] * [HTTP/3] progress_egress -> 0
14:53:15.749949 [0-0] * [HTTP/3] QUIC expiry in 202ms
14:53:15.749996 [0-0] * [HTTP/3] [0] cf_send(len=91) -> 91, 0
14:53:15.750036 [0-0] > GET /versions HTTP/3
14:53:15.750036 [0-0] > Host: moechat.kimiblock.top
14:53:15.750036 [0-0] > User-Agent: curl/8.10.0
14:53:15.750036 [0-0] > Accept: */*
14:53:15.750036 [0-0] > 
14:53:15.750305 [0-0] * [HTTP/3] progress_ingress -> 0
14:53:15.750352 [0-0] * [HTTP/3] h3_send_streams -> 0
14:53:15.750391 [0-0] * [HTTP/3] progress_egress -> 0
14:53:15.750433 [0-0] * [HTTP/3] QUIC expiry in 202ms
14:53:15.750468 [0-0] * [HTTP/3] [0] cf_recv(len=102400) -> -1, 81
14:53:15.750519 [0-0] * Request completely sent off
14:53:15.814575 [0-0] * QUIC connection has been shut down
14:53:15.814624 [0-0] * [HTTP/3] [0] cf_osslq_stream_recv -> 56
14:53:15.814653 [0-0] * [HTTP/3] progress_ingress -> 56
14:53:15.814692 [0-0] * [HTTP/3] h3_send_streams -> 0
14:53:15.814771 [0-0] * [HTTP/3] progress_egress -> 0
14:53:15.814841 [0-0] * [HTTP/3] QUIC expiry in 138ms
14:53:15.814894 [0-0] * [HTTP/3] [0] cf_recv(len=102400) -> -1, 56
14:53:15.814974 [0-0] * [HTTP/3] [0] easy handle is done
14:53:15.815038 [0-0] * [HTTP/3] [0] RESET: error 268
14:53:15.815122 [0-0] * Connection #0 to host moechat.kimiblock.top left intact
curl: (56) QUIC connection has been shut down

[deepbluev7]

http3 in Nheko is now disabled by default. So I will close this for now, since in the next release this shouldn't be an issue anymore (from the Nheko side). I will see if I can follow up with the curl upstream regarding the other http3 issues.