Description
I did this
Going from version 8.15.0 to 8.16.0, curl is now unable to connect via QUIC + HTTP/3 to any Caddy web server instance I tried (e.g. running locally on my Mac, Caddy v2.10.2, or even the https://caddyserver.com official website).
Running
curl -vv --http3-only https://caddyserver.com
results in the following output, repeated until timeout:
* Host caddyserver.com:443 was resolved.
* IPv6: (none)
* IPv4: 165.227.20.207
* [HTTPS-CONNECT] adding wanted h3
* [HTTPS-CONNECT] added
* [HTTPS-CONNECT] connect, init
* Trying 165.227.20.207:443...
* [HTTP/3] vquic_send(len=1200, gso=1200) -> 0, sent=1200
* [HTTPS-CONNECT] connect -> 0, done=0
* [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
* [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
* [HTTP/3] ossl_populate_x509_store, path=none, blob=0
* [HTTPS-CONNECT] connect -> 0, done=0
* [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
* [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
* [HTTP/3] ingress, read_pkt -> ERR_DRAINING (-224)
* [HTTP/3] recvd 1 packets with 57 bytes -> 56
* QUIC connect to 165.227.20.207 port 443 failed: Weird server reply
* [HTTP/3] connect -> 8, done=0
* [HTTPS-CONNECT] connect -> 0, done=0
* [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
* [HTTPS-CONNECT] adjust_pollset -> 0, 0 socks
* Trying 165.227.20.207:443...
* [HTTP/3] vquic_send(len=1200, gso=1200) -> 0, sent=1200
* [HTTP/3] destroy
* [HTTP/3] start shutdown(err_type=0, err_code=10) -> 0
* [HTTP/3] shutdown completely sent off, done
* [HTTP/3] close
* [HTTPS-CONNECT] connect -> 0, done=0
* [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
* [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
* [HTTP/3] ingress, read_pkt -> ERR_DRAINING (-224)
* [HTTP/3] recvd 1 packets with 57 bytes -> 56
* QUIC connect to 165.227.20.207 port 443 failed: Weird server reply
* [HTTP/3] connect -> 8, done=0
* [HTTPS-CONNECT] connect -> 0, done=0
* [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
* [HTTPS-CONNECT] adjust_pollset -> 0, 0 socks
The same curl 8.16.0 is still able to make a successful HTTP/3 connection to Cloudflare servers or an nginx instance I have running, but fails with any instance of Caddy I have tried, whether running on Mac or Linux.
I expected the following
curl 8.15.0, freshly rebuilt using the exact same configuration and external library versions, continues to connect to the same servers without issue.
* Host caddyserver.com:443 was resolved.
* IPv6: (none)
* IPv4: 165.227.20.207
* [HTTPS-CONNECT] adding wanted h3
* [HTTPS-CONNECT] added
* [HTTPS-CONNECT] connect, init
* Trying 165.227.20.207:443...
* [HTTP/3] vquic_send(len=1200, gso=1200) -> 0, sent=1200
* [HTTPS-CONNECT] connect -> 0, done=0
* [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
* [HTTPS-CONNECT] adjust_pollset -> 1 socks
* [HTTP/3] ossl_populate_x509_store, path=none, blob=0
* [HTTPS-CONNECT] connect -> 0, done=0
* [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
* [HTTPS-CONNECT] adjust_pollset -> 1 socks
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256 / X25519 / id-ecPublicKey
* Server certificate:
* subject: CN=caddyserver.com
* start date: Aug 19 16:03:27 2025 GMT
* expire date: Nov 17 16:03:26 2025 GMT
* subjectAltName: host "caddyserver.com" matched cert's "caddyserver.com"
* issuer: C=US; O=Let's Encrypt; CN=E6
* SSL certificate verify ok.
* Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signe
* Certificate level 1: Public key type EC/secp384r1 (384/192 Bits/secBits), signed
tion
* Certificate level 2: Public key type RSA (4096/152 Bits/secBits), signed using s
* [HTTP/3] handshake complete after 183ms
* [HTTP/3] max bidi streams now 100, used 0
* [HTTP/3] [3] read_stream(len=3) -> 3
* [HTTP/3] recvd 4 packets with 2714 bytes -> 0
* [HTTP/3] vquic_send_tail_split: [1200 gso=1200][1406 gso=1406]
* [HTTP/3] vquic_send(len=1200, gso=1200) -> 0, sent=1200
* [HTTP/3] vquic_send(len=1406, gso=1406) -> 0, sent=1406
* [HTTP/3] peer verified
* [HTTP/3] connect -> 0, done=1
* [HTTPS-CONNECT] connect+handshake h3: 183ms, 1st data: 3ms
* [HTTPS-CONNECT] connect -> 0, done=1
* [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=1
* Connected to caddyserver.com (165.227.20.207) port 443
* using HTTP/3
* [HTTP/3] peer idle timeout is 30000ms, set keep-alive to 15000 ms.
* [HTTP/3] [0] OPENED stream for https://caddyserver.com/
* [HTTP/3] [0] [:method: GET]
* [HTTP/3] [0] [:scheme: https]
* [HTTP/3] [0] [:authority: caddyserver.com]
* [HTTP/3] [0] [:path: /]
* [HTTP/3] [0] [user-agent: curl/8.15.0]
* [HTTP/3] [0] [accept: */*]
* [HTTP/3] vquic_send(len=57, gso=57) -> 0, sent=57
* [HTTP/3] [0] cf_send(len=77) -> 0, 77
> GET / HTTP/3
> Host: caddyserver.com
> User-Agent: curl/8.15.0
> Accept: */*
[ … output of correct functionality continues … ]
curl/libcurl version
curl 8.16.0 (x86_64-apple-darwin) libcurl/8.16.0 quictls/3.0.15 zlib/1.2.12 brotli/1.1.0 zstd/1.5.7 libidn2/2.3.8 libpsl/0.21.5 libssh/0.11.2/openssl/zlib nghttp2/1.67.0 ngtcp2/1.15.1 nghttp3/1.11.0
Release-Date: 2025-09-10
Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp ws wss
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTP3 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM PSL SPNEGO SSL threadsafe TLS-SRP UnixSockets zstd
operating system
Darwin hostname 24.6.0 Darwin Kernel Version 24.6.0: Mon Jul 14 11:28:17 PDT 2025; root:xnu-11417.140.69~1/RELEASE_X86_64 x86_64
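Added example, not part of the original report or of curl itself: a small triage filter that reads a `curl -vv --http3-only` trace and tells the failing pattern shown above (repeated attempts, each ending in `ERR_DRAINING` and "Weird server reply") apart from a completed HTTP/3 handshake. The function names and verdict labels are assumptions made for this example, and the two sample traces are abridged from the ones in the report.

```shell
#!/bin/sh
# Added example: classify a curl HTTP/3 verbose trace read on stdin.
# Live use: curl -vv --http3-only https://example.invalid 2>&1 | classify_h3_trace
# Prints one line: <verdict> attempts=N draining=N failed=N
classify_h3_trace() {
  awk '
    /^\* +Trying /                   { attempts++ }  # one per QUIC connect attempt
    /read_pkt -> ERR_DRAINING/       { draining++ }  # ingress error seen in the 8.16.0 trace
    /QUIC connect to .* failed: /    { failed++ }    # attempt given up by curl
    /\[HTTP\/3\] handshake complete/ { ok = 1 }      # only present in the working trace
    END {
      if (ok)            verdict = "handshake-ok"
      else if (draining) verdict = "peer-draining"
      else if (failed)   verdict = "connect-failed"
      else               verdict = "inconclusive"
      printf "%s attempts=%d draining=%d failed=%d\n", verdict, attempts, draining, failed
    }'
}

# Constructed sample: abridged from the 8.16.0 trace in the report (two attempts).
sample_fail_trace() {
cat <<'EOF'
* Trying 165.227.20.207:443...
* [HTTP/3] vquic_send(len=1200, gso=1200) -> 0, sent=1200
* [HTTP/3] ingress, read_pkt -> ERR_DRAINING (-224)
* [HTTP/3] recvd 1 packets with 57 bytes -> 56
* QUIC connect to 165.227.20.207 port 443 failed: Weird server reply
* Trying 165.227.20.207:443...
* [HTTP/3] vquic_send(len=1200, gso=1200) -> 0, sent=1200
* [HTTP/3] ingress, read_pkt -> ERR_DRAINING (-224)
* QUIC connect to 165.227.20.207 port 443 failed: Weird server reply
EOF
}

# Constructed sample: abridged from the 8.15.0 trace in the report.
sample_ok_trace() {
cat <<'EOF'
* Trying 165.227.20.207:443...
* [HTTP/3] vquic_send(len=1200, gso=1200) -> 0, sent=1200
* SSL certificate verify ok.
* [HTTP/3] handshake complete after 183ms
* [HTTP/3] connect -> 0, done=1
EOF
}

sample_fail_trace | classify_h3_trace
sample_ok_trace | classify_h3_trace
```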