http3: Can't fallback to http2 on Windows (CURLE_BAD_FUNCTION_ARGUMENT)

[vvb2060]

I did this

curl.exe --http3 https://crypto.cloudflare.com/cdn-cgi/trace --trace-ascii -
== Info: processing: https://crypto.cloudflare.com/cdn-cgi/trace
== Info:   Trying [2606:4700:7::a29f:8955]:443...
== Info:  CAfile: curl-ca-bundle.crt
== Info:  CApath: none
== Info:   Trying 162.159.137.85:443...
== Info:   Trying [2606:4700:7::a29f:8955]:443...
== Info:   Trying [2606:4700:7::a29f:8955]:443...
== Info:   Trying 162.159.137.85:443...
== Info: Connected to crypto.cloudflare.com (2606:4700:7::a29f:8955) port 443
== Info: ALPN: offers h2,http/1.1
=> Send SSL data, 5 bytes (0x5)
0000: .....
== Info: TLSv1.3 (OUT), TLS handshake, Client hello (1):
=> Send SSL data, 512 bytes (0x200)
0000: ........C`...x.6/f..x.L.....%..".m.[.. h...'.....{...[.......*QN
0040: c.a.....>.......,.0.........+./...$.(.k.#.'.g.....9.....3.....=.
0080: <.5./.....u.........crypto.cloudflare.com.......................
00c0: ..................h2.http/1.1.........1.....". .................
0100: ................+........-.....3.&.$... <......))......U...H4!(.
0140: ..y.$A.o........................................................
0180: ................................................................
01c0: ................................................................
== Info: Closing connection
curl: (43) A libcurl function was given a bad argument

curl.exe --http3-only https://crypto.cloudflare.com/cdn-cgi/trace --trace-ascii -
== Info: processing: https://crypto.cloudflare.com/cdn-cgi/trace
== Info:   Trying [2606:4700:7::a29f:8955]:443...
== Info:  CAfile: curl-ca-bundle.crt
== Info:  CApath: none
== Info:   Trying 162.159.137.85:443...
== Info:   Trying [2606:4700:7::a29f:8955]:443...
== Info:   Trying 162.159.137.85:443...
== Info: Closing connection
curl: (43) A libcurl function was given a bad argument

crypto.cloudflare.com does not support h3, but curl does not fallback to h2.

I expected the following

Test on android:

curl --http3-only https://crypto.cloudflare.com/cdn-cgi/trace -v
*   Trying [2606:4700:7::a29f:8a55]:443...
*  CAfile: none
*  CApath: /system/etc/security/cacerts
*   Trying 162.159.137.85:443...
*   Trying [2606:4700:7::a29f:8a55]:443...
*  CAfile: none
*  CApath: /system/etc/security/cacerts
*  CAfile: none
*  CApath: /system/etc/security/cacerts
*   Trying 162.159.137.85:443...
*   Trying [2606:4700:7::a29f:8a55]:443...
*  CAfile: none
*  CApath: /system/etc/security/cacerts
*  CAfile: none
*  CApath: /system/etc/security/cacerts
*   Trying 162.159.137.85:443...
*  CAfile: none
*  CApath: /system/etc/security/cacerts
*   Trying [2606:4700:7::a29f:8a55]:443...
*  CAfile: none
*  CApath: /system/etc/security/cacerts
*   Trying 162.159.137.85:443...
*   Trying [2606:4700:7::a29f:8a55]:443...
*  CAfile: none
*  CApath: /system/etc/security/cacerts
*  CAfile: none
*  CApath: /system/etc/security/cacerts
*   Trying 162.159.137.85:443...
*   Trying [2606:4700:7::a29f:8a55]:443...
*  CAfile: none
*  CApath: /system/etc/security/cacerts
*  CAfile: none
*  CApath: /system/etc/security/cacerts
*   Trying 162.159.137.85:443...
*   Trying [2606:4700:7::a29f:8a55]:443...
*  CAfile: none
*  CApath: /system/etc/security/cacerts
*   Trying 162.159.137.85:443...
*  CAfile: none
*  CApath: /system/etc/security/cacerts
*   Trying [2606:4700:7::a29f:8a55]:443...
*  CAfile: none
*  CApath: /system/etc/security/cacerts
*  CAfile: none
*  CApath: /system/etc/security/cacerts
*   Trying 162.159.137.85:443...
*   Trying [2606:4700:7::a29f:8a55]:443...
*  CAfile: none
*  CApath: /system/etc/security/cacerts
*  CAfile: none
*  CApath: /system/etc/security/cacerts
*   Trying 162.159.137.85:443...
*  CAfile: none
*  CApath: /system/etc/security/cacerts
*   Trying 162.159.137.85:443...
*  CAfile: none
*  CApath: /system/etc/security/cacerts
*   Trying 162.159.137.85:443...
*  CAfile: none
*  CApath: /system/etc/security/cacerts
*   Trying 162.159.137.85:443...
*  CAfile: none
*  CApath: /system/etc/security/cacerts
*   Trying 162.159.137.85:443...
*  CAfile: none
*  CApath: /system/etc/security/cacerts
*   Trying 162.159.137.85:443...
*  CAfile: none
*  CApath: /system/etc/security/cacerts
*   Trying 162.159.137.85:443...
*  CAfile: none
*  CApath: /system/etc/security/cacerts
*   Trying 162.159.137.85:443...
*  CAfile: none
*  CApath: /system/etc/security/cacerts
*   Trying 162.159.137.85:443...
*  CAfile: none
*  CApath: /system/etc/security/cacerts
*   Trying 162.159.137.85:443...
*  CAfile: none
*  CApath: /system/etc/security/cacerts
*   Trying 162.159.137.85:443...
*  CAfile: none
*  CApath: /system/etc/security/cacerts
*   Trying 162.159.137.85:443...
*  CAfile: none
*  CApath: /system/etc/security/cacerts
* ngtcp2_conn_handle_expiry returned error: ERR_HANDSHAKE_TIMEOUT
*   Trying [2606:4700:7::a29f:8955]:443...
*  CAfile: none
*  CApath: /system/etc/security/cacerts
*   Trying [2606:4700:7::a29f:8955]:443...
*  CAfile: none
*  CApath: /system/etc/security/cacerts
*   Trying [2606:4700:7::a29f:8955]:443...
*  CAfile: none
*  CApath: /system/etc/security/cacerts
*   Trying [2606:4700:7::a29f:8955]:443...
*  CAfile: none
*  CApath: /system/etc/security/cacerts
*   Trying [2606:4700:7::a29f:8955]:443...
*  CAfile: none
*  CApath: /system/etc/security/cacerts
* ngtcp2_conn_handle_expiry returned error: ERR_HANDSHAKE_TIMEOUT
*   Trying 162.159.138.85:443...
*  CAfile: none
*  CApath: /system/etc/security/cacerts
*   Trying 162.159.138.85:443...
*  CAfile: none
*  CApath: /system/etc/security/cacerts
*   Trying 162.159.138.85:443...
*  CAfile: none
*  CApath: /system/etc/security/cacerts
*   Trying 162.159.138.85:443...
*  CAfile: none
*  CApath: /system/etc/security/cacerts
*   Trying 162.159.138.85:443...
*  CAfile: none
*  CApath: /system/etc/security/cacerts
*   Trying 162.159.138.85:443...
*  CAfile: none
*  CApath: /system/etc/security/cacerts
*   Trying 162.159.138.85:443...
* ngtcp2_conn_handle_expiry returned error: ERR_HANDSHAKE_TIMEOUT
*  CAfile: none
*  CApath: /system/etc/security/cacerts
*   Trying 162.159.138.85:443...
*  CAfile: none
*  CApath: /system/etc/security/cacerts
*   Trying 162.159.138.85:443...
*  CAfile: none
*  CApath: /system/etc/security/cacerts
*   Trying 162.159.138.85:443...
*  CAfile: none
*  CApath: /system/etc/security/cacerts
*   Trying 162.159.138.85:443...
*  CAfile: none
*  CApath: /system/etc/security/cacerts
*   Trying 162.159.138.85:443...
*  CAfile: none
*  CApath: /system/etc/security/cacerts
*   Trying 162.159.138.85:443...
*  CAfile: none
*  CApath: /system/etc/security/cacerts
*   Trying 162.159.138.85:443...
*  CAfile: none
*  CApath: /system/etc/security/cacerts
*   Trying 162.159.138.85:443...
*  CAfile: none
*  CApath: /system/etc/security/cacerts
*   Trying 162.159.138.85:443...
*  CAfile: none
*  CApath: /system/etc/security/cacerts
* ngtcp2_conn_handle_expiry returned error: ERR_HANDSHAKE_TIMEOUT
* Failed to connect to crypto.cloudflare.com port 443 after 42744 ms: Failed sending data to the peer
* Closing connection
curl: (55) ngtcp2_conn_handle_expiry returned error: ERR_HANDSHAKE_TIMEOUT

curl --http3 https://crypto.cloudflare.com/cdn-cgi/trace -v
*   Trying [2606:4700:7::a29f:8955]:443...
*  CAfile: none
*  CApath: /system/etc/security/cacerts
*   Trying [2606:4700:7::a29f:8955]:443...
*   Trying [2606:4700:7::a29f:8955]:443...
*   Trying 162.159.137.85:443...
*  CAfile: none
*  CApath: /system/etc/security/cacerts
* Connected to crypto.cloudflare.com (2606:4700:7::a29f:8955) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
*  CAfile: none
*  CApath: /system/etc/security/cacerts
*   Trying 162.159.137.85:443...
*  CAfile: none
*  CApath: /system/etc/security/cacerts
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com
*  start date: Mar  4 00:00:00 2023 GMT
*  expire date: Mar  3 23:59:59 2024 GMT
*  subjectAltName: host "crypto.cloudflare.com" matched cert's "crypto.cloudflare.com"
*  issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
*  SSL certificate verify ok.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://crypto.cloudflare.com/cdn-cgi/trace
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: crypto.cloudflare.com]
* [HTTP/2] [1] [:path: /cdn-cgi/trace]
* [HTTP/2] [1] [user-agent: curl/8.3.0-DEV]
* [HTTP/2] [1] [accept: */*]
> GET /cdn-cgi/trace HTTP/2
> Host: crypto.cloudflare.com
> User-Agent: curl/8.3.0-DEV
> Accept: */*
>
< HTTP/2 200
[edited]
* Connection #0 to host crypto.cloudflare.com left intact

curl -V
curl 8.3.0-DEV (unknown-linux-android) libcurl/8.3.0-DEV BoringSSL zlib/1.2.11 nghttp2/1.55.1 ngtcp2/0.18.0 nghttp3/0.14.0
Release-Date: [unreleased]
Protocols: dict file ftp ftps gopher gophers http https imap imaps mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp ws wss
Features: alt-svc AsynchDNS HSTS HTTP2 HTTP3 HTTPS-proxy IPv6 Largefile libz NTLM SSL threadsafe UnixSockets

curl/libcurl version

curl 8.2.1 (x86_64-w64-mingw32) libcurl/8.2.1 OpenSSL/3.1.2 (Schannel) zlib/1.3 brotli/1.1.0 zstd/1.5.5 WinIDN libssh2/1.11.0 nghttp2/1.56.0 ngtcp2/0.19.1 nghttp3/0.15.0
Release-Date: 2023-07-26
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp ws wss
Features: alt-svc AsynchDNS brotli HSTS HTTP2 HTTP3 HTTPS-proxy IDN IPv6 Kerberos Largefile libz MultiSSL NTLM SPNEGO SSL SSPI threadsafe UnixSockets zstd

operating system

windows

[bagder]

curl: (43) A libcurl function was given a bad argument

That one is unexpected and suspicious!

[bagder]

Does 8.4.0 work any better?

[vvb2060]

curl.exe --http3-only https://crypto.cloudflare.com/cdn-cgi/trace -v
*   Trying [2606:4700:7::a29f:8955]:443...
* QUIC cipher selection: TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_CCM_SHA256
*  CAfile: curl-ca-bundle.crt
*  CApath: none
*   Trying [2606:4700:7::a29f:8955]:443...
* Closing connection
curl: (43) A libcurl function was given a bad argument

curl.exe --http3 https://crypto.cloudflare.com/cdn-cgi/trace -v
*   Trying [2606:4700:7::a29f:8955]:443...
* QUIC cipher selection: TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_CCM_SHA256
*  CAfile: curl-ca-bundle.crt
*  CApath: none
*   Trying [2606:4700:7::a29f:8955]:443...
* Closing connection
curl: (43) A libcurl function was given a bad argument

[icing]

curl: (43) A libcurl function was given a bad argument looks strange. I do not see that on my dev build on macOS. If you indeed have a 8.4 curl available, could you add --trace-config all to the command. That will give you more verbose output and maybe help us detect where the error 43 happens on your system. Thanks.

[bagder]

I made #12401 with the hope that something like that should be able to help us pinpoint this problem better.

[vvb2060]

curl.exe --http3 https://crypto.cloudflare.com/cdn-cgi/trace --trace-config all -v
00:42:25.222384 [0-0] * [HTTPS-CONNECT] added
00:42:25.227719 [0-0] * [HTTPS-CONNECT] connect, init
00:42:25.231975 [0-0] * [HAPPY-EYEBALLS] created ipv6 (timeout 149990ms)
00:42:25.235889 [0-0] * [HAPPY-EYEBALLS] created ipv4 (timeout 149990ms)
00:42:25.239810 [0-0] * [HAPPY-EYEBALLS] ipv6 starting (timeout=149987ms)
00:42:25.243983 [0-0] *   Trying [2606:4700:7::a29f:8955]:443...
00:42:25.248679 [0-0] * [UDP] cf_socket_open() -> 0, fd=456
00:42:25.253040 [0-0] * [UDP] QUIC socket 456 connected: [...aab:57721] -> [2606:4700:7::a29f:8955:443]
00:42:25.260524 [0-0] * [UDP] cf_udp_connect(), opened socket=456 (...aab:57721)
00:42:25.269056 [0-0] * QUIC cipher selection: TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_CCM_SHA256
00:42:25.278573 [0-0] * [HTTP/3] vquic_send(len=1200, gso=1200) -> 0, sent=1200
00:42:25.284146 [0-0] * [HAPPY-EYEBALLS] ipv6 connect -> 0, connected=0
00:42:25.289031 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
00:42:25.294056 [0-0] * [HTTPS-CONNECT] get_selected_socks(h3) -> 1
00:42:25.299212 [0-0] * [HTTPS-CONNECT] get_selected_socks -> 1
00:42:25.302813 [0-0] * [HTTPS-CONNECT] get_selected_socks(h3) -> 1
00:42:25.306549 [0-0] * [HTTPS-CONNECT] get_selected_socks -> 1
00:42:25.313082 [0-0] * [HTTPS-CONNECT] get_selected_socks(h3) -> 1
00:42:25.318117 [0-0] * [HTTPS-CONNECT] get_selected_socks -> 1
00:42:25.667023 [0-0] *  CAfile: curl-ca-bundle.crt
00:42:25.672620 [0-0] *  CApath: none
00:42:25.675993 [0-0] * [HTTP/3] ingress, read_pkt -> ERR_DRAINING
00:42:25.680655 [0-0] * [HTTP/3] recvd 2 packets with 2400 bytes -> 56
00:42:25.685797 [0-0] * [HTTP/3] connect, remote closed, reconnect after 200ms
00:42:25.690619 [0-0] * [UDP] cf_socket_close(456, not active)
00:42:25.695175 [0-0] *   Trying [2606:4700:7::a29f:8955]:443...
00:42:25.701205 [0-0] * [UDP] cf_socket_open() -> 0, fd=456
00:42:25.706477 [0-0] * [UDP] QUIC socket 456 connected: [...aab:57722] -> [2606:4700:7::a29f:8955:443]
00:42:25.716311 [0-0] * [UDP] cf_udp_connect(), opened socket=456 (...aab:57722)
00:42:25.722696 [0-0] * [HAPPY-EYEBALLS] ipv6 connect -> 0, connected=0
00:42:25.727006 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
00:42:25.732500 [0-0] * [HTTPS-CONNECT] get_selected_socks(h3) -> 1
00:42:25.736800 [0-0] * [HTTPS-CONNECT] get_selected_socks -> 1
00:42:25.741098 [0-0] * [HTTPS-CONNECT] get_selected_socks(h3) -> 1
00:42:25.745971 [0-0] * [HTTPS-CONNECT] get_selected_socks -> 1
00:42:25.752039 [0-0] * Closing connection
00:42:25.755617 [0-0] * [HTTPS-CONNECT] close
00:42:25.759038 [0-0] * [SETUP] close
00:42:25.762987 [0-0] * [HAPPY-EYEBALLS] close
00:42:25.768206 [0-0] * [HTTP/3] destroy
00:42:25.771662 [0-0] * [UDP] cf_socket_close(456, not active)
00:42:25.775754 [0-0] * [UDP] destroy
00:42:25.780833 [0-0] * [HAPPY-EYEBALLS] destroy
00:42:25.784629 [0-0] * [SETUP] destroy
00:42:25.787891 [0-0] * [HTTPS-CONNECT] destroy
curl: (43) A libcurl function was given a bad argument

[bagder]

@vvb2060 can you use the patch from #12401 in a test build to see if that tells you better what option it does not like?

It seems we cannot reproduce this problem.

[vvb2060]

I don't have a Windows build environment...

[jay]

curl for windows 8.4.0 returns CURLE_BAD_FUNCTION_ARGUMENT (43) and the daily build curl-8.5.0-DEV_20231129-win64-mingw returns CURLE_WEIRD_SERVER_REPLY (8)

8.4.0:

== Info:   Trying 162.159.138.85:443...
== Info: Closing connection
curl: (43) A libcurl function was given a bad argument

8.5.0-DEV_20231129:

== Info: Host crypto.cloudflare.com:443 was resolved.
== Info: IPv6: (none)
== Info: IPv4: 162.159.138.85, 162.159.137.85
== Info:   Trying 162.159.138.85:443...
== Info: QUIC cipher selection: TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_CCM_SHA256
== Info:  CAfile: [REMOVED]
== Info:  CApath: none
== Info: QUIC connect to 162.159.138.85 port 443 failed: Weird server reply
== Info:   Trying 162.159.137.85:443...
== Info: QUIC cipher selection: TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_CCM_SHA256
== Info: QUIC connect to 162.159.137.85 port 443 failed: Weird server reply
== Info:   Trying 162.159.138.85:443...
== Info: QUIC cipher selection: TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_CCM_SHA256
== Info: QUIC connect to 162.159.138.85 port 443 failed: Weird server reply
== Info:   Trying 162.159.137.85:443...
== Info: QUIC cipher selection: TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_CCM_SHA256
== Info: QUIC connect to 162.159.137.85 port 443 failed: Weird server reply
== Info: Failed to connect to crypto.cloudflare.com port 443 after 143 ms: Weird server reply
== Info: Closing connection
curl: (8) Failed to connect to crypto.cloudflare.com port 443 after 143 ms: Weird server reply

OT but isn't cipher selection going to be the same every time, is it necessary to show it for every connect now?

[icing]

@jay the eyeballing in QUIC always involves a new TLS instance for every connection. That is why it is showing the messages. I doubt we can avoid that. We could suppress the messages, I assume...

[vvb2060]

https://github.com/curl/curl-for-win/actions/runs/6632238595 7fdf30f bad argument
https://github.com/curl/curl-for-win/actions/runs/6645832682 6ec70a9 work

[jay]

https://github.com/curl/curl-for-win/actions/runs/6632238595 7fdf30f bad argument
https://github.com/curl/curl-for-win/actions/runs/6645832682 6ec70a9 work

Yeah I see the same. I notice those curl commits don't have any bearing on QUIC and that otherwise the manifest of the build is the same (same dependencies). Maybe this is a curl-for-win issue? It looks like curl-for-win switched to cmake and then there was no longer bad argument but somehow it came back on or before 20231129.

[bagder]

Is this still happening?

[jay]

Is this still happening?

AFAICT no. I tested curl-8.6.1-DEV_20240212-win64-mingw (backup link for posterity) and I see a bunch of "weird server reply" to all the QUIC but after that curl falls back to HTTP/2. It would be nice if someone could confirm.

[bagder]

Presumed fixed or at least changed behavior.