Using experimental QUIC

Philipp_M · December 14, 2024, 10:35am

1. The problem I’m having:

version of caddy 2.4.6 so simulate an old cve for my thesis. But i cant setup the experimental http3 support which should be possible in that version. How to make a config file which i can use to connect to a client also in my local network to connect the server which should run with http3.

2. Error messages and/or full log output:

adapting config using caddyfile: /etc/caddy/Caddyfile:2: unrecognized global option: experimental_http3

3. Caddy version:

v2.4.6 installed via github releases

4. How I installed and ran Caddy:

installed with github releases and run on a ubuntu 18 VM

a. System environment: VM ubuntu 18

b. Command:

This is my config file:
{
experimental_http3
}

192.168.0.102 {
tls ./server.crt ./server.key
root * /var/www/html
file_server
}





### d. My complete Caddy config:

{
    experimental_http3
}


192.168.0.102 {
    tls ./server.crt ./server.key
    root * /var/www/html
    file_server
}

<!--
DO NOT REDACT anything except credentials.
LEAVE DOMAIN NAMES INTACT.
If using the Caddyfile:
  - Please use `caddy fmt` to make your config more legible.
  - Review https://caddyserver.com/docs/caddyfile/concepts#structure
-->




### 5. Links to relevant resources:
This did not work beacuase my config file does not accept this https://caddy.community/t/caddyfile-configuration-for-caddy-2-4-6-to-enable-quic-protocol/22097
<!-- Optional, but can help get us on the same page quickly. -->

francislavoie · December 22, 2024, 9:47am

Sorry for the delay, was taking some time off from the forums.

I think the config was:

{
	servers {
		protocols {
			experimental_http3
		}
	}
}

Philipp_M · December 22, 2024, 2:24pm

Thank you so much for the response, in the mean time if had already fixed it. Sadly my client won’t communicate with version 2.4.6 so I tried version 2.5.0 which can establish the connection. Do you think this is also sufficient enough to simulate this CVE
https://nvd.nist.gov/vuln/detail/CVE-2022-30591
According to nist versions of up to quic-go 27 should be vulnerable but somehow I can’t see the affects of the MTU discovery issue when using caddy version 2.5.0, is there any documentation wether this was fixed before caddy release 2.5.0 ?

francislavoie · December 23, 2024, 2:02am

We didn’t keep track of that, we just updated the quic-go dependency as necessary. You’d have to dig into quic-go to see which versions applied.

system · January 22, 2025, 2:03am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.