Closed by agrover 4 years ago
This may be a server-side cert issue.
This was indeed an expired server-side cert. It was updated yesterday and now seems to work for me in Nightly. It would be good to make this type of error more transparent imo.
If the server cert has expired, Firefox should show an error page. I am 100% sure that it used to do it (I have implemented that). I will open a bug in Bugzilla to fix this and add a test so we do not regress this again.
I think in this case it was a weird scenario where the HTTP/2 server has a different cert than the QUIC server... (not 100% sure, but the H2 cert was issued in April, while the H3 one was updated yesterday). It seems FF just fell back transparently to H2, never indicating it even tried H3. Arguably, that's the best play here for user experience, but difficult to debug. Overall, I think this type of thing will be the most frustrating for people trying to get QUIC working with alt-svc etc. and some investment in browser devtools to make these issues clearer would be welcome.
FWIW Chrome Canary did show the QUIC error page and didn't fall back to H2.
Oh, you are right. Firefox will not show an error and it will not use HTTP/3. That is intentional design. We should have something in devtools for alt-svc. I will look into that.
In the browser I get:
[2020-05-04T19:12:36Z WARN neqo_crypto::agent] [Agent 0x7fe8735565b0] error: NssError { name: "SSL_ERROR_HANDSHAKE_FAILED", code: -12116, desc: "SSL handshake has already failed. No more operations possible." }
[2020-05-04T19:12:36Z WARN neqo_transport::connection] [Client 0x7fe873a6b000] Handshake failed
[2020-05-04T19:12:36Z INFO neqo_transport::connection] [Client 0x7fe873a6b000] State change from Handshaking -> Closing { error: Transport(CryptoAlert(45)), frame_type: 0, msg: "", timeout: Instant { tv_sec: 2074773, tv_nsec: 514223532 } }
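The log in the last comment already names the cause: `CryptoAlert(45)` is TLS alert 45, `certificate_expired`, which QUIC carries on the wire as error code 0x0100 + 45. The Python below is an added example, not part of the thread or of neqo; the function name `triage` and the choice of certificate-related alerts in the table are assumptions made here.

```python
import re

# Certificate-related TLS alert descriptions (RFC 8446, section 6).
TLS_CERT_ALERTS = {
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
}

ALERT_RE = re.compile(r"CryptoAlert\((\d+)\)")
NSS_RE = re.compile(r'NssError \{ name: "([A-Z0-9_]+)"')

# Log lines copied from the comment above, one entry per line.
SAMPLE = r'''[2020-05-04T19:12:36Z WARN neqo_crypto::agent] [Agent 0x7fe8735565b0] error: NssError { name: "SSL_ERROR_HANDSHAKE_FAILED", code: -12116, desc: "SSL handshake has already failed. No more operations possible." }
[2020-05-04T19:12:36Z WARN neqo_transport::connection] [Client 0x7fe873a6b000] Handshake failed
[2020-05-04T19:12:36Z INFO neqo_transport::connection] [Client 0x7fe873a6b000] State change from Handshaking -> Closing { error: Transport(CryptoAlert(45)), frame_type: 0, msg: "", timeout: Instant { tv_sec: 2074773, tv_nsec: 514223532 } }'''


def triage(log_text):
    """Return one finding per CryptoAlert seen in a neqo log."""
    findings, nss_name = [], None
    for line in log_text.splitlines():
        nss = NSS_RE.search(line)
        if nss:
            nss_name = nss.group(1)  # most recent NSS error before the alert
        alert = ALERT_RE.search(line)
        if not alert:
            continue
        code = int(alert.group(1))
        findings.append({
            "alert": code,
            "alert_name": TLS_CERT_ALERTS.get(code, "other"),
            # QUIC reports a TLS alert as error code 0x0100 + alert (RFC 9001, 4.8).
            "quic_error": hex(0x0100 + code),
            "nss_error": nss_name,
            "cert_problem": code in TLS_CERT_ALERTS,
        })
        nss_name = None
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```
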