Netgate Discussion Forum

    Weird Browser lock up

    General pfSense Questions
    21 Posts 3 Posters 948 Views
    • JonathanLee

      It only does it in Safari. I found a weird process in Firefox when I ran it that is linked to Facebook and shows a URL with the word proxy in it that was pointing to Facebook's CDN. I think that might be causing the issues, but in Firefox it's not an issue.

      Make sure to upvote

      • JonathanLee @johnpoz

        @johnpoz It's QUIC ...

        Facebook wants access to QUIC and locks up...

        Check out my PCAP

        QUIC.PNG

        I don't want to allow UDP https3 to run as it will do whatever it wants. I wonder how to deal with this ....

        • JonathanLee

          https://github.com/squid-cache/squid/pull/919

          Squid is already working on this... This is gonna be bad for DNS based filters soon... Don't give up on Squid yet; this may be the only option to keep URL filters working once QUIC starts to go a lot more mainstream.

          • stephenw10 Netgate Administrator

            So only Safari tries to use it? And then just ignores the ICMP reply?

            I would expect it to just fall back to https(s).

            • johnpoz LAYER 8 Global Moderator @stephenw10

              Yup, as @stephenw10 mentions, that is a browser problem - if trying to do http or https over QUIC, i.e. UDP - and it doesn't work, it should instantly fall back to using TCP.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              • JonathanLee @stephenw10

                @stephenw10 It takes some time before it settles down. They are really pushing the https3 on the M1 iMac; you can't even disable it with Safari. I had to get Firefox to solve it. Yeah, it's like all of a sudden it's enabled. I am glad I looked at the pcap. You know that http3-DoH is coming soon too. That is gonna be some fun code to write for firewalls. Someone has a video on YouTube of setting up Wireshark to decode QUIC traffic and he got the GET requests out of it; there should be a way to make it secure.

                • JonathanLee @johnpoz

                  @johnpoz Yes it is; the best temporary solution is to use Firefox.

                  • stephenw10 Netgate Administrator

                    Can it be disabled as shown here?: https://developers.cloudflare.com/cloudflare-one/policies/gateway/http-policies/http3/

                    Still seems like a browser bug though because it should see the ICMP denied reply and fall back. Even if it can't be disabled from trying.

                    • JonathanLee @stephenw10

                      @stephenw10 thanks!!

                      • JonathanLee @stephenw10

                        @stephenw10 Should I allow ping on Squid and on the firewall to fix the auto disable? On Squid I have pinger disabled, and on the firewall no ICMP is allowed for the iMac.

                        • stephenw10 Netgate Administrator

                          Where did you run the pcap above? It shows the icmp replies going back to the iMac already.

                          • JonathanLee @stephenw10

                            @stephenw10 I ran the pcap on pfSense.

                            HTTP/3 is no longer experimental and is fully active on the iMac; it can no longer be disabled manually.

                            2017--> was still in development
                            Screenshot 2024-07-10 at 20.05.52.png

                            2021--> This was the background
                            https://developer.apple.com/videos/play/wwdc2021/10094/?time=16

                            2024--> Apple has fully activated this on Sonoma 14.5 and Safari 17.5; it has no option to disable like the link above has.

                            It also has HTTP/3 DNS, let's call it DoH/3.

                            DoH/3 will cause issues with DNS based URL blocking as it is pure UDP over HTTP3

                            This makes Squid ever more attractive for URL blocking as they are already working on having QUIC support

                            Unreal how fast that moved versus IPv6.

                            • JonathanLee @stephenw10

                              @stephenw10 It just cycles that for a while in the pcap file; it does it so long it is noticeable on the browsers. It also has taken over Firefox; it routes it with streams into https/3 also and attempted it anyway. Apple at its finest, that is impressive.. Edge also is getting forced as the iMac software data marshes the NIC and forces HTTPS/3; it will downgrade but it goes so slow like this now... I got to tell you, it should disable and not keep doing this with every connection. New to me.. I sure like the nice Apple Development videos I found; they explain it all.

                              • stephenw10 Netgate Administrator

                                What's in that ICMP packet? I expect that to be a port denied message.

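Added example, not part of any post in this thread: one way to answer the question of what an ICMP reply to a blocked UDP/443 (QUIC) datagram contains is to decode the destination-unreachable code and the flow quoted inside it. The function names, the sample packet and its RFC 5737 addresses are constructed for illustration.

```python
import socket
import struct

# ICMPv4 type 3 (Destination Unreachable) codes a firewall reject can produce
UNREACH_CODES = {0: "network unreachable", 1: "host unreachable",
                 2: "protocol unreachable", 3: "port unreachable",
                 9: "network administratively prohibited",
                 10: "host administratively prohibited",
                 13: "communication administratively prohibited"}

def parse_icmp_unreachable(pkt: bytes) -> dict:
    """Decode an IPv4/ICMP type 3 packet and the flow quoted inside it."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 1:
        raise ValueError("not an IPv4 ICMP packet")
    icmp = pkt[(pkt[0] & 0x0F) * 4:]
    if len(icmp) < 8 or icmp[0] != 3:
        raise ValueError("not a destination-unreachable message")
    quoted = icmp[8:]              # original IP header + first payload bytes
    if len(quoted) < 20:
        raise ValueError("quoted datagram truncated")
    ihl = (quoted[0] & 0x0F) * 4
    if len(quoted) < ihl + 4:
        raise ValueError("quoted datagram truncated")
    sport, dport = struct.unpack("!HH", quoted[ihl:ihl + 4])
    proto = quoted[9]
    return {
        "code": icmp[1],
        "code_name": UNREACH_CODES.get(icmp[1], "other"),
        "flow_src": socket.inet_ntoa(quoted[12:16]),
        "flow_dst": socket.inet_ntoa(quoted[16:20]),
        "proto": proto, "src_port": sport, "dst_port": dport,
        # UDP to port 443 is what an HTTP/3 (QUIC) attempt looks like on the wire
        "quic_attempt_rejected": proto == 17 and dport == 443,
    }

def _ipv4(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    # Checksum left at 0: constructed sample, the parser does not verify it
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def sample_reject(code: int = 3) -> bytes:
    """Constructed sample: reject of a client's UDP/443 datagram."""
    udp = struct.pack("!HHHH", 51000, 443, 1208, 0)
    quoted = _ipv4("192.0.2.10", "198.51.100.7", 17, 1208) + udp
    icmp = struct.pack("!BBHI", 3, code, 0, 0) + quoted
    return _ipv4("192.0.2.1", "192.0.2.10", 1, len(icmp)) + icmp

if __name__ == "__main__":
    print(parse_icmp_unreachable(sample_reject()))
```

Fed the raw IP bytes of an ICMP frame exported from a capture, the result shows whether the reply is a port-unreachable or an administratively-prohibited message and which UDP flow it refers to.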
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.