http3: initial support for OpenSSL 3.2 QUIC stack

- HTTP/3 for curl using OpenSSL's own QUIC stack together with nghttp3 - configure with `--with-openssl-quic` to enable curl to build this. This requires the nghttp3 library - implementation with the following restrictions: * macOS has to use an unconnected UDP socket due to an issue in OpenSSL's datagram implementation See https://github.com/openssl/openssl/issues/23251 This makes connections to non-reponsive servers hang. * GET requests will send the indicator that they have no body in a separate QUIC packet. This may result in processing delays or Transfer-Encodings on proxied requests * uploads that encounter blocks will use 100% cpu as detection of these flow control issue is not working (we have not figured out to pry that from OpenSSL). Closes #12734
2024-01-18 13:07:07 +01:00 · 2024-01-18 13:07:07 +01:00 · 0535f6ec71
commit 0535f6ec71
parent f81a335e85
15 changed files with 2698 additions and 16 deletions
--- a/.github/workflows/osslq-linux.yml
+++ b/.github/workflows/osslq-linux.yml
@ -0,0 +1,233 @@
 # Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
 #
 # SPDX-License-Identifier: curl
 name: osslq-linux
 on:
  push:
    branches:
      - master
      - '*/ci'
    paths-ignore:
      - '**/*.md'
      - '**/CMakeLists.txt'
      - '.azure-pipelines.yml'
      - '.circleci/**'
      - '.cirrus.yml'
      - 'appveyor.*'
      - 'CMake/**'
      - 'packages/**'
      - 'plan9/**'
      - 'projects/**'
      - 'winbuild/**'
  pull_request:
    branches:
      - master
    paths-ignore:
      - '**/*.md'
      - '**/CMakeLists.txt'
      - '.azure-pipelines.yml'
      - '.circleci/**'
      - '.cirrus.yml'
      - 'appveyor.*'
      - 'CMake/**'
      - 'packages/**'
      - 'plan9/**'
      - 'projects/**'
      - 'winbuild/**'
 concurrency:
  # Hardcoded workflow filename as workflow name above is just Linux again
  group: osslq-${{ github.event.pull_request.number || github.sha }}
  cancel-in-progress: true
 permissions: {}
 env:
  MAKEFLAGS: -j 3
  openssl3-version: openssl-3.2.0
  quictls-version: 3.1.4+quic
  nghttp3-version: v1.1.0
  ngtcp2-version: v1.1.0
  nghttp2-version: master
  mod_h2-version: v2.0.25
 jobs:
  autotools:
    name: ${{ matrix.build.name }}
    runs-on: 'ubuntu-latest'
    timeout-minutes: 60
    strategy:
      fail-fast: false
      matrix:
        build:
          - name: openssl-quic
            configure: >-
              PKG_CONFIG_PATH="$HOME/openssl3/lib/pkgconfig" LDFLAGS="-Wl,-rpath,$HOME/openssl3/lib"
              --enable-warnings --enable-werror --enable-debug --disable-ntlm
              --with-test-nghttpx="$HOME/nghttpx/bin/nghttpx"
              --with-openssl=$HOME/openssl3 --with-openssl-quic
              --with-nghttp3=$HOME/nghttpx
    steps:
      - run: |
          sudo apt-get update
          sudo apt-get install libtool autoconf automake pkg-config stunnel4 \
            libpsl-dev libbrotli-dev libzstd-dev zlib1g-dev libev-dev libc-ares-dev \
            nettle-dev libp11-kit-dev libtspi-dev libunistring-dev guile-2.2-dev libtasn1-bin \
            libtasn1-6-dev libidn2-0-dev gawk gperf libtss2-dev dns-root-data bison gtk-doc-tools \
            texinfo texlive texlive-extra-utils autopoint libev-dev \
            apache2 apache2-dev libnghttp2-dev
        name: 'install prereqs and impacket, pytest, crypto, apache2'
      - name: cache openssl3
        if: contains(matrix.build.install_steps, 'openssl3')
        uses: actions/cache@v3
        id: cache-openssl3
        env:
          cache-name: cache-openssl3
        with:
          path: /home/runner/openssl3
          key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ env.openssl3-version }}
      - name: 'install openssl3'
        if: steps.cache-openssl3.outputs.cache-hit != 'true'
        run: |
          git clone --quiet --depth=1 -b ${{ env.openssl3-version }} https://github.com/openssl/openssl
          cd openssl
          ./config --prefix=$HOME/openssl3 --libdir=$HOME/openssl3/lib
          make -j1 install_sw
      - name: cache quictls
        if: contains(matrix.build.install_steps, 'quictls')
        uses: actions/cache@v3
        id: cache-quictls
        env:
          cache-name: cache-quictls
        with:
          path: /home/runner/quictls
          key: ${{ runner.os }}-build-${{ env.cache-name }}-quictls-${{ env.quictls-version }}
      - name: cache quictls
        uses: actions/cache@v3
        id: cache-quictls-no-deprecated
        env:
          cache-name: cache-quictls-no-deprecated
        with:
          path: /home/runner/quictls
          key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ env.quictls-version }}
      - if: steps.cache-quictls-no-deprecated.outputs.cache-hit != 'true'
        run: |
          cd $HOME
          git clone --quiet --depth=1 -b openssl-${{ env.quictls-version }} https://github.com/quictls/openssl quictls
          cd quictls
          ./config no-deprecated --prefix=$HOME/nghttpx --libdir=$HOME/nghttpx/lib
          make
        name: 'build quictls'
      - run: |
          cd $HOME/quictls
          make -j1 install_sw
        name: 'install quictls'
      - name: cache nghttp3
        uses: actions/cache@v3
        id: cache-nghttp3
        env:
          cache-name: cache-nghttp3
        with:
          path: /home/runner/nghttp3
          key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ env.nghttp3-version }}
      - if: steps.cache-nghttp3.outputs.cache-hit != 'true'
        run: |
          cd $HOME
          git clone --quiet --depth=1 -b ${{ env.nghttp3-version }} https://github.com/ngtcp2/nghttp3
          cd nghttp3
          autoreconf -fi
          ./configure --prefix=$HOME/nghttpx PKG_CONFIG_PATH="$HOME/nghttpx/lib/pkgconfig" --enable-lib-only
          make
        name: 'build nghttp3'
      - run: |
          cd $HOME/nghttp3
          make install
        name: 'install nghttp3'
      # depends on all other cached libs built so far
      - run: |
          git clone --quiet --depth=1 -b ${{ env.ngtcp2-version }} https://github.com/ngtcp2/ngtcp2
          cd ngtcp2
          autoreconf -fi
          ./configure --prefix=$HOME/nghttpx PKG_CONFIG_PATH="$HOME/nghttpx/lib/pkgconfig" --enable-lib-only --with-openssl
          make install
        name: 'install ngtcp2'
      # depends on all other cached libs built so far
      - run: |
          git clone --quiet --depth=1 -b ${{ env.nghttp2-version }} https://github.com/nghttp2/nghttp2
          cd nghttp2
          autoreconf -fi
          ./configure --prefix=$HOME/nghttpx PKG_CONFIG_PATH="$HOME/nghttpx/lib/pkgconfig" --enable-http3
          make install
        name: 'install nghttp2'
      - name: cache mod_h2
        uses: actions/cache@v3
        id: cache-mod_h2
        env:
          cache-name: cache-mod_h2
        with:
          path: /home/runner/mod_h2
          key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ env.mod_h2-version }}
      - if: steps.cache-mod_h2.outputs.cache-hit != 'true'
        run: |
          cd $HOME
          git clone --quiet --depth=1 -b  ${{ env.mod_h2-version }} https://github.com/icing/mod_h2
          cd mod_h2
          autoreconf -fi
          ./configure
          make
        name: 'build mod_h2'
      - run: |
          cd $HOME/mod_h2
          sudo make install
        name: 'install mod_h2'
      - uses: actions/checkout@v4
      - run: |
          sudo python3 -m pip install -r tests/requirements.txt -r tests/http/requirements.txt
        name: 'install python test prereqs'
      - run: autoreconf -fi
        name: 'autoreconf'
      - run: ./configure ${{ matrix.build.configure }}
        name: 'configure'
      - run: make V=1
        name: 'make'
      - run: make V=1 examples
        name: 'make examples'
      - run: make V=1 -C tests
        name: 'make tests'
      - run: make V=1 test-ci
        name: 'run tests'
        env:
          # 2500 and 25002 fail atm due to fin handling
          TFLAGS: "!http/3"
      - run: pytest -v tests
        name: 'run pytest'
        env:
          TFLAGS: "${{ matrix.build.tflags }}"
          CURL_CI: github
--- a/configure.ac
+++ b/configure.ac
@ -175,7 +175,7 @@ curl_headers_msg="enabled (--disable-headers-api)"
    ssl_backends=
     curl_h1_msg="enabled (internal)"
     curl_h2_msg="no      (--with-nghttp2)"
-     curl_h3_msg="no      (--with-ngtcp2 --with-nghttp3, --with-quiche, --with-msh3)"
+     curl_h3_msg="no      (--with-ngtcp2 --with-nghttp3, --with-quiche, --with-openssl-quic, --with-msh3)"
 enable_altsvc="yes"
 hsts="yes"
@ -3001,14 +3001,53 @@ if test "x$NGTCP2_ENABLED" = "x1" -a "x$WOLFSSL_ENABLED" = "x1"; then
  fi
 fi
 dnl **********************************************************************
 dnl Check for OpenSSL QUIC
 dnl **********************************************************************
 OPT_OPENSSL_QUIC="no"
 if test "x$disable_http" = "xyes" -o "x$OPENSSL_ENABLED" != "x1"; then
  # without HTTP or without openssl, no use
  OPT_OPENSSL_QUIC="no"
 fi
 AC_ARG_WITH(openssl-quic,
 AS_HELP_STRING([--with-openssl-quic],[Enable OpenSSL QUIC usage])
 AS_HELP_STRING([--without-openssl-quic],[Disable OpenSSL QUIC usage]),
  [OPT_OPENSSL_QUIC=$withval])
 case "$OPT_OPENSSL_QUIC" in
  no)
    dnl --without-openssl-quic option used
    want_openssl_quic="no"
    ;;
  yes)
    dnl --with-openssl-quic option used
    want_openssl_quic="yes"
    ;;
 esac
 curl_openssl_quic_msg="no      (--with-openssl-quic)"
 if test "x$want_openssl_quic" = "xyes"; then
  if test "$NGTCP2_ENABLED" = 1; then
    AC_MSG_ERROR([--with-openssl-quic and --with-ngtcp2 are mutually exclusive])
  fi
  if test "$HAVE_OPENSSL_QUIC" != 1; then
    AC_MSG_ERROR([--with-openssl-quic requires quic support in OpenSSL])
  fi
  AC_DEFINE(USE_OPENSSL_QUIC, 1, [if openssl QUIC is in use])
  AC_SUBST(USE_OPENSSL_QUIC, [1])
 fi
 dnl **********************************************************************
 dnl Check for nghttp3 (HTTP/3 with ngtcp2)
 dnl **********************************************************************
 OPT_NGHTTP3="yes"
-if test "x$NGTCP2_ENABLED" = "x"; then
+if test "x$USE_NGTCP2" = "x" -a "$USE_OPENSSL_QUIC" = "x"; then
-  # without ngtcp2, nghttp3 is of no use for us
+  # without ngtcp2 or openssl quic, nghttp3 is of no use for us
  OPT_NGHTTP3="no"
 fi
@ -3036,10 +3075,6 @@ esac
 curl_http3_msg="no      (--with-nghttp3)"
 if test X"$want_nghttp3" != Xno; then
  if test "$NGTCP2_ENABLED" != "1"; then
    AC_MSG_ERROR([--with-nghttp3 also requires --with-ntcp2])
  fi
  dnl backup the pre-nghttp3 variables
  CLEANLDFLAGS="$LDFLAGS"
  CLEANCPPFLAGS="$CPPFLAGS"
@ -3070,8 +3105,6 @@ if test X"$want_nghttp3" != Xno; then
    AC_CHECK_LIB(nghttp3, nghttp3_conn_client_new_versioned,
      [
       AC_CHECK_HEADERS(nghttp3/nghttp3.h,
          curl_h3_msg="enabled (ngtcp2 + nghttp3)"
          NGHTTP3_ENABLED=1
          AC_DEFINE(USE_NGHTTP3, 1, [if nghttp3 is in use])
          AC_SUBST(USE_NGHTTP3, [1])
          CURL_LIBRARY_PATH="$CURL_LIBRARY_PATH:$DIR_NGHTTP3"
@ -3096,6 +3129,29 @@ if test X"$want_nghttp3" != Xno; then
 fi
 dnl **********************************************************************
 dnl Check for ngtcp2 and nghttp3 (HTTP/3 with ngtcp2 + nghttp3)
 dnl **********************************************************************
 if test "x$NGTCP2_ENABLED" = "x1" -a "x$USE_NGHTTP3" = "x1"; then
  AC_DEFINE(USE_NGTCP2_H3, 1, [if ngtcp2 + nghttp3 is in use])
  AC_SUBST(USE_NGTCP2_H3, [1])
  AC_MSG_NOTICE([HTTP3 support is experimental])
  curl_h3_msg="enabled (ngtcp2 + nghttp3)"
 fi
 dnl **********************************************************************
 dnl Check for OpenSSL and nghttp3 (HTTP/3 with nghttp3 using OpenSSL QUIC)
 dnl **********************************************************************
 if test "x$USE_OPENSSL_QUIC" = "x1" -a "x$USE_NGHTTP3" = "x1"; then
  experimental="$experimental HTTP3"
  AC_DEFINE(USE_OPENSSL_H3, 1, [if openssl quic + nghttp3 is in use])
  AC_SUBST(USE_OPENSSL_H3, [1])
  AC_MSG_NOTICE([HTTP3 support is experimental])
  curl_h3_msg="enabled (openssl + nghttp3)"
 fi
 dnl **********************************************************************
 dnl Check for quiche (QUIC)
 dnl **********************************************************************
@ -3245,6 +3301,9 @@ if test X"$want_msh3" != Xno; then
  if test "$NGHTTP3_ENABLED" = 1; then
    AC_MSG_ERROR([--with-msh3 and --with-ngtcp2 are mutually exclusive])
  fi
  if test "$QUICHE_ENABLED" = 1; then
    AC_MSG_ERROR([--with-msh3 and --with-quiche are mutually exclusive])
  fi
  dnl backup the pre-msh3 variables
  CLEANLDFLAGS="$LDFLAGS"
@ -4575,8 +4634,8 @@ if test "x$USE_NGHTTP2" = "x1"; then
  SUPPORT_FEATURES="$SUPPORT_FEATURES HTTP2"
 fi
-if test "x$USE_NGTCP2" = "x1" -o "x$USE_QUICHE" = "x1" \
+if test "x$USE_NGTCP2_H3" = "x1" -o "x$USE_QUICHE" = "x1" \
-    -o "x$USE_MSH3" = "x1"; then
+    -o "x$USE_OPENSSL_H3" = "x1" -o "x$USE_MSH3" = "x1"; then
  SUPPORT_FEATURES="$SUPPORT_FEATURES HTTP3"
 fi
--- a/docs/HTTP3.md
+++ b/docs/HTTP3.md
@ -15,6 +15,8 @@ QUIC libraries we are using:
 [quiche](https://github.com/cloudflare/quiche) - **EXPERIMENTAL**
 [OpenSSL 3.2+ QUIC](https://github.com/openssl/openssl) - **EXPERIMENTAL**
 [msh3](https://github.com/nibanks/msh3) (with [msquic](https://github.com/microsoft/msquic)) - **EXPERIMENTAL**
 ## Experimental
@ -193,6 +195,40 @@ Build curl:
 If `make install` results in `Permission denied` error, you will need to prepend it with `sudo`.
 # OpenSSL version
 quiche QUIC support is **EXPERIMENTAL**
 Build OpenSSL 3.2.0
     % cd ..
     % git clone -b openssl-3.2.0 https://github.com/openssl/openssl
     % cd openssl
     % ./config enable-tls1_3 --prefix=<somewhere> --libdir=<somewhere>/lib
     % make install
 Build nghttp3
     % cd ..
     % git clone -b v1.1.0 https://github.com/ngtcp2/nghttp3
     % cd nghttp3
     % autoreconf -fi
     % ./configure --prefix=<somewhere2> --enable-lib-only
     % make
     % make install
 Build curl:
     % cd ..
     % git clone https://github.com/curl/curl
     % cd curl
     % autoreconf -fi
     % ./configure --with-openssl=<somewhere> --with-openssl-quic --with-nghttp3=<somewhere2> 
     % make
     % make install
 If `make install` results in `Permission denied` error, you will need to prepend it with `sudo`.
 # msh3 (msquic) version
 **Note**: The msquic HTTP/3 backend is immature and is not properly functional
--- a/lib/Makefile.inc
+++ b/lib/Makefile.inc
@ -78,6 +78,7 @@ LIB_VTLS_HFILES =           \
 LIB_VQUIC_CFILES = \
  vquic/curl_msh3.c   \
  vquic/curl_ngtcp2.c   \
  vquic/curl_osslq.c   \
  vquic/curl_quiche.c   \
  vquic/vquic.c \
  vquic/vquic-tls.c
@ -85,6 +86,7 @@ LIB_VQUIC_CFILES = \
 LIB_VQUIC_HFILES = \
  vquic/curl_msh3.h   \
  vquic/curl_ngtcp2.h   \
  vquic/curl_osslq.h   \
  vquic/curl_quiche.h   \
  vquic/vquic.h    \
  vquic/vquic_int.h \
--- a/lib/cf-socket.c
+++ b/lib/cf-socket.c
@ -1630,11 +1630,17 @@ static CURLcode cf_udp_setup_quic(struct Curl_cfilter *cf,
  /* QUIC needs a connected socket, nonblocking */
  DEBUGASSERT(ctx->sock != CURL_SOCKET_BAD);
 #if defined(__APPLE__) && defined(USE_OPENSSL_QUIC)
  (void)rc;
  /* On macOS OpenSSL QUIC fails on connected sockets.
   * see: <https://github.com/openssl/openssl/issues/23251> */
 #else
  rc = connect(ctx->sock, &ctx->addr.sa_addr, ctx->addr.addrlen);
  if(-1 == rc) {
    return socket_connect_result(data, ctx->r_ip, SOCKERRNO);
  }
  ctx->sock_connected = TRUE;
 #endif
  set_local_ip(cf, data);
  CURL_TRC_CF(data, cf, "%s socket %" CURL_FORMAT_SOCKET_T
              " connected: [%s:%d] -> [%s:%d]",
--- a/lib/curl_setup.h
+++ b/lib/curl_setup.h
@ -827,6 +827,7 @@ int getpwuid_r(uid_t uid, struct passwd *pwd, char *buf,
 #endif
 #if (defined(USE_NGTCP2) && defined(USE_NGHTTP3)) || \
    (defined(USE_OPENSSL_QUIC) && defined(USE_NGHTTP3)) || \
    defined(USE_QUICHE) || defined(USE_MSH3)
 #define ENABLE_QUIC
 #define USE_HTTP3
--- a/lib/vquic/curl_osslq.c
+++ b/lib/vquic/curl_osslq.c
--- a/lib/vquic/curl_osslq.h
+++ b/lib/vquic/curl_osslq.h
@ -0,0 +1,51 @@
 #ifndef HEADER_CURL_VQUIC_CURL_OSSLQ_H
 #define HEADER_CURL_VQUIC_CURL_OSSLQ_H
 /***************************************************************************
 *                                  _   _ ____  _
 *  Project                     ___| | | |  _ \| |
 *                             / __| | | | |_) | |
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
 * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
 * are also available at https://curl.se/docs/copyright.html.
 *
 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
 * copies of the Software, and permit persons to whom the Software is
 * furnished to do so, under the terms of the COPYING file.
 *
 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
 * KIND, either express or implied.
 *
 * SPDX-License-Identifier: curl
 *
 ***************************************************************************/
 #include "curl_setup.h"
 #if defined(USE_OPENSSL_QUIC) && defined(USE_NGHTTP3)
 #ifdef HAVE_NETINET_UDP_H
 #include <netinet/udp.h>
 #endif
 struct Curl_cfilter;
 #include "urldata.h"
 void Curl_osslq_ver(char *p, size_t len);
 CURLcode Curl_cf_osslq_create(struct Curl_cfilter **pcf,
                              struct Curl_easy *data,
                              struct connectdata *conn,
                              const struct Curl_addrinfo *ai);
 bool Curl_conn_is_osslq(const struct Curl_easy *data,
                        const struct connectdata *conn,
                        int sockindex);
 #endif
 #endif /* HEADER_CURL_VQUIC_CURL_OSSLQ_H */
--- a/lib/vquic/vquic-tls.c
+++ b/lib/vquic/vquic-tls.c
@ -97,7 +97,11 @@ static CURLcode curl_ossl_init_ctx(struct quic_tls_ctx *ctx,
  CURLcode result = CURLE_FAILED_INIT;
  DEBUGASSERT(!ctx->ssl_ctx);
 #ifdef USE_OPENSSL_QUIC
  ctx->ssl_ctx = SSL_CTX_new(OSSL_QUIC_client_method());
 #else
  ctx->ssl_ctx = SSL_CTX_new(TLS_method());
 #endif
  if(!ctx->ssl_ctx) {
    result = CURLE_OUT_OF_MEMORY;
    goto out;
@ -216,7 +220,9 @@ static CURLcode curl_ossl_init_ssl(struct quic_tls_ctx *ctx,
  SSL_set_app_data(ctx->ssl, user_data);
  SSL_set_connect_state(ctx->ssl);
 #ifndef USE_OPENSSL_QUIC
  SSL_set_quic_use_legacy_codepoint(ctx->ssl, 0);
 #endif
  if(alpn)
    SSL_set_alpn_protos(ctx->ssl, (const uint8_t *)alpn, (int)alpn_len);
--- a/lib/vquic/vquic.c
+++ b/lib/vquic/vquic.c
@ -46,6 +46,7 @@
 #include "curl_trc.h"
 #include "curl_msh3.h"
 #include "curl_ngtcp2.h"
 #include "curl_osslq.h"
 #include "curl_quiche.h"
 #include "rand.h"
 #include "vquic.h"
@ -74,6 +75,8 @@ void Curl_quic_ver(char *p, size_t len)
 {
 #if defined(USE_NGTCP2) && defined(USE_NGHTTP3)
  Curl_ngtcp2_ver(p, len);
 #elif defined(USE_OPENSSL_QUIC) && defined(USE_NGHTTP3)
  Curl_osslq_ver(p, len);
 #elif defined(USE_QUICHE)
  Curl_quiche_ver(p, len);
 #elif defined(USE_MSH3)
@ -608,6 +611,8 @@ CURLcode Curl_cf_quic_create(struct Curl_cfilter **pcf,
  DEBUGASSERT(transport == TRNSPRT_QUIC);
 #if defined(USE_NGTCP2) && defined(USE_NGHTTP3)
  return Curl_cf_ngtcp2_create(pcf, data, conn, ai);
 #elif defined(USE_OPENSSL_QUIC) && defined(USE_NGHTTP3)
  return Curl_cf_osslq_create(pcf, data, conn, ai);
 #elif defined(USE_QUICHE)
  return Curl_cf_quiche_create(pcf, data, conn, ai);
 #elif defined(USE_MSH3)
@ -627,6 +632,8 @@ bool Curl_conn_is_http3(const struct Curl_easy *data,
 {
 #if defined(USE_NGTCP2) && defined(USE_NGHTTP3)
  return Curl_conn_is_ngtcp2(data, conn, sockindex);
 #elif defined(USE_OPENSSL_QUIC) && defined(USE_NGHTTP3)
  return Curl_conn_is_osslq(data, conn, sockindex);
 #elif defined(USE_QUICHE)
  return Curl_conn_is_quiche(data, conn, sockindex);
 #elif defined(USE_MSH3)
--- a/m4/curl-openssl.m4
+++ b/m4/curl-openssl.m4
@ -422,4 +422,23 @@ AS_HELP_STRING([--disable-openssl-auto-load-config],[Disable automatic loading o
 ])
 fi
 dnl ---
 dnl We may use OpenSSL QUIC.
 dnl ---
 if test "$OPENSSL_ENABLED" = "1"; then
  AC_MSG_CHECKING([for QUIC support in OpenSSL])
  AC_LINK_IFELSE([
    AC_LANG_PROGRAM([[
 #include <openssl/ssl.h>
    ]],[[
      OSSL_QUIC_client_method();
    ]])
  ],[
    AC_MSG_RESULT([yes])
    AC_DEFINE(HAVE_OPENSSL_QUIC, 1, [if you have the functions OSSL_QUIC_client_method])
    AC_SUBST(HAVE_OPENSSL_QUIC, [1])
  ],[
    AC_MSG_RESULT([no])
  ])
 fi
 ])
--- a/tests/http/scorecard.py
+++ b/tests/http/scorecard.py
@ -332,7 +332,7 @@ class ScoreCard:
            p['name'] = 'h3'
            if not self.env.have_h3_curl():
                raise ScoreCardException('curl does not support HTTP/3')
-            for lib in ['ngtcp2', 'quiche', 'msh3']:
+            for lib in ['ngtcp2', 'quiche', 'msh3', 'nghttp3']:
                if self.env.curl_uses_lib(lib):
                    p['implementation'] = lib
                    break
--- a/tests/http/test_08_caddy.py
+++ b/tests/http/test_08_caddy.py
@ -163,3 +163,20 @@ class TestCaddy:
            assert r.total_connects > 1, r.dump_logs()
        else:
            assert r.total_connects == 1, r.dump_logs()
    # upload data parallel, check that they were echoed
    @pytest.mark.skipif(condition=Env().ci_run, reason="not suitable for CI runs")
    @pytest.mark.parametrize("proto", ['h2', 'h3'])
    def test_08_06_upload_parallel(self, env: Env, caddy, repeat, proto):
        if proto == 'h3' and not env.have_h3():
            pytest.skip("h3 not supported")
        if proto == 'h3' and env.curl_uses_lib('msh3'):
            pytest.skip("msh3 stalls here")
        # limit since we use a separate connection in h1
        count = 20
        data = '0123456789'
        curl = CurlClient(env=env)
        url = f'https://{env.domain1}:{caddy.port}/data10.data?[0-{count-1}]'
        r = curl.http_upload(urls=[url], data=data, alpn_proto=proto,
                             extra_args=['--parallel'])
        r.check_stats(count=count, http_status=200, exitcode=0)
--- a/tests/http/test_14_auth.py
+++ b/tests/http/test_14_auth.py
@ -133,5 +133,7 @@ class TestAuth:
        r = curl.http_upload(urls=[url], data=f'@{fdata}', alpn_proto=proto, extra_args=[
            '--basic', '--user', f'test:{password}'
        ])
-        # request was never sent
+        # Depending on protocl, we might have an error sending or
-        r.check_response(exitcode=55, http_status=0)
+        # the server might shutdown the connection and we see the error
        # on receiving
        assert r.exit_code in [55, 56], f'{self.dump_logs()}'
--- a/tests/http/testenv/nghttpx.py
+++ b/tests/http/testenv/nghttpx.py
@ -129,7 +129,9 @@ class Nghttpx:
        try_until = datetime.now() + timeout
        while datetime.now() < try_until:
            check_url = f'https://{self.env.domain1}:{self._port}/'
-            r = curl.http_get(url=check_url, extra_args=['--http3-only'])
+            r = curl.http_get(url=check_url, extra_args=[
                '--http3-only', '--connect-timeout', '1'
            ])
            if r.exit_code != 0:
                return True
            log.debug(f'waiting for nghttpx to stop responding: {r}')
@ -143,7 +145,8 @@ class Nghttpx:
        while datetime.now() < try_until:
            check_url = f'https://{self.env.domain1}:{self._port}/'
            r = curl.http_get(url=check_url, extra_args=[
-                '--http3-only', '--trace', 'curl.trace', '--trace-time'
+                '--http3-only', '--trace', 'curl.trace', '--trace-time',
                '--connect-timeout', '1'
            ])
            if r.exit_code == 0:
                return True
@ -193,6 +196,7 @@ class NghttpxQuic(Nghttpx):
            f'--frontend-http3-max-window-size=10M',
            f'--frontend-http3-connection-window-size=10M',
            f'--frontend-http3-max-connection-window-size=100M',
            # f'--frontend-quic-debug-log',
        ]
        ngerr = open(self._stderr, 'a')
        self._process = subprocess.Popen(args=args, stderr=ngerr)