devsisters / goquic

QUIC support for Go
http://devsisters.github.io/goquic/
BSD 3-Clause "New" or "Revised" License

Issues when running with -quic_only flag enabled #46

Open GaetanoCarlucci opened 7 years ago

GaetanoCarlucci commented 7 years ago

I am having trouble experimenting with goquic.

Basically, I have deployed the goquic server in a Docker container and I am running it with -d and --net=host flags.

The server is listening on localhost. I have created the certificate according to this guide.

If I run the server without the -quic_only flag, everything works fine and the web page is transferred over HTTP2. However, if I enable the -quic_only flag, the QUIC server seems unreachable from Chrome.

I have tried the go client and everything works fine.

There seems to be some issue when interacting with Chrome.

MisssRain commented 7 years ago

I tried goquic with the CA generator you provide at https://github.com/GaetanoCarlucci/CertificateGenerator, and the 2048-sha256-root.pem has been added to the system CAs and modified to be trusted by all the users. I run goquic this way

./server -cert=/PATH/leaf_cert.pem -key=/PATH/leaf_cert.key -quic_only

and run chrome this way

/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome \
  --user-data-dir=/tmp/chrome \
  --no-proxy-server \
  --enable-quic \
  --host-resolver-rules='MAP www.example.org:443 0.0.0.0:8080' \
  https://www.example.org

and I could not open the site with ERR_QUIC_PROTOCOL_ERROR and the server shows

Server: Received ConnectionClose for connection: 4729024066337921568, with error: QUIC_PROOF_INVALID (Proof invalid: Failed to verify certificate chain: net::ERR_CERT_COMMON_NAME_INVALID)

When I run the server without -quic_only, I could open the site but it is not secure with

There are issues with the site's certificate chain (net::ERR_CERT_COMMON_NAME_INVALID).

and when I click view certificate, it is the CA I added and trust.

I don't know whether something has changed... and help...