net4people / bbs

Forum for discussing Internet censorship circumvention

Is it possible to proxy Http/2 to Http/3 on TCP layer? #406

Open louiesun opened 1 day ago

louiesun commented 1 day ago

I want to write a proxy but I don't want to add a CA on my users' computers.

So I can't decrypt the flow.

Is it possible?

wkrp commented 1 day ago

No, it's not possible. If it were possible for a local proxy to decrypt TLS and re-encrypt as QUIC, it would be possible for anyone on the network path to do it, which would mean TLS is insecure.

There's a thread about local CA and MITM at #373.

You could, of course, wrap HTTP/2 (or any other stream) in an HTTP/3 tunnel, using a local HTTP proxy (CONNECT) or MASQUE CONNECT-UDP or CONNECT-IP. But then you can't forward connections straight to the origin web server, you need a proxy server to remove the outer layer.

louiesun commented 1 day ago

> No, it's not possible. If it were possible for a local proxy to decrypt TLS and re-encrypt as QUIC, it would be possible for anyone on the network path to do it, which would mean TLS is insecure.
>
> There's a thread about local CA and MITM at #373.
>
> You could, of course, wrap HTTP/2 (or any other stream) in an HTTP/3 tunnel, using a local HTTP proxy (CONNECT) or MASQUE CONNECT-UDP or CONNECT-IP. But then you can't forward connections straight to the origin web server, you need a proxy server to remove the outer layer.

I don't want to decrypt the package. I am trying to move the randoms and secrets and some other things of the packages. Can we just move the client random from one to another and move the encrypted server response from another to one?

mmmray commented 1 day ago

The payload inside TLS in h2 vs h3 looks completely different, and has to be converted. You can't do it for the same reason you can't convert h1 to h2 without decrypting. Of course, with QUIC there are more issues than that.