http/2 h2c request to Cloudflare sites results in Recv failure: Connection reset by peer

[candrews]

I did this

This issue appears to be reproducible with any site handled by Cloudflare, including http://cloudflare.com

$ curl http://cloudflare.com --http2 -v
*   Trying 2606:4700::6811:b055:80...
* Connected to cloudflare.com (2606:4700::6811:b055) port 80 (#0)
> GET / HTTP/1.1
> Host: cloudflare.com
> User-Agent: curl/7.73.0
> Accept: */*
> Connection: Upgrade, HTTP2-Settings
> Upgrade: h2c
> HTTP2-Settings: AAMAAABkAAQCAAAAAAIAAAAA
> 
* Recv failure: Connection reset by peer
* Closing connection 0
curl: (56) Recv failure: Connection reset by peer

$ curl http://image.tmdb.org --http2 -v
*   Trying 2606:4700::6810:399b:80...
* Connected to image.tmdb.org (2606:4700::6810:399b) port 80 (#0)
> GET / HTTP/1.1
> Host: image.tmdb.org
> User-Agent: curl/7.73.0
> Accept: */*
> Connection: Upgrade, HTTP2-Settings
> Upgrade: h2c
> HTTP2-Settings: AAMAAABkAAQCAAAAAAIAAAAA
> 
* Recv failure: Connection reset by peer
* Closing connection 0
curl: (56) Recv failure: Connection reset by peer

Realistically, h2c isn't commonly used so this isn't a high priority issue. But, it's not working, so I thought curl should know about it, in case it is a problem that curl can fix (or work around).

I expected the following

A successful response (should be a 404)

curl/libcurl version

$ curl -V
curl 7.73.0 (x86_64-pc-linux-gnu) libcurl/7.73.0 OpenSSL/1.1.1h zlib/1.2.11 brotli/1.0.9 zstd/1.4.5 libidn2/2.3.0 libssh2/1.9.0_DEV nghttp2/1.41.0 quiche/0.5.1 librtmp/2.3
Release-Date: 2020-10-14
Protocols: dict file ftp ftps http https imap imaps pop3 pop3s rtmp rtsp scp sftp smtp smtps tftp 
Features: alt-svc AsynchDNS brotli HTTP2 HTTP3 HTTPS-proxy IDN IPv6 Largefile libz Metalink NTLM SSL TLS-SRP UnixSockets zstd

operating system

$ uname -a
Linux irrational 5.8.6-gentoo-x86_64 #1 SMP Fri Sep 4 18:34:47 EDT 2020 x86_64 Intel(R) Core(TM) i5-6500 CPU @ 3.20GHz GenuineIntel GNU/Linux

[jay]

This doesn't appear to be a curl issue. cloudflare closes the connection. Maybe they shut it off to mitigate smuggling issues?

/cc @the-bumble

[candrews]

If curl isn't doing anything wrong, then the problem is that Cloudflare is incorrectly closing the connection: if the client requests an h2c upgrade, and the server doesn't want to do the upgrade, then the server should ignore the request and continue as usual with HTTP/1.1. I submitted an issue on their community support forum: https://community.cloudflare.com/t/http-h2c-upgrade-requests-result-in-connection-reset-by-peer/214761

If someone has a better way to contact Cloudflare to make them aware of this issue so they can fix it, can you please do so?

[bagder]

I have passed on this information to some relevant persons. As we don't see any curl problem here, let's close this issue.

[alexwala]

may be same issue ?
Alexa SDK on Raspberry Pi - TuneIn stopped working - streamingError