FYI: HTTP3/QUIC mode w/ mTLS is causing problems with Chromium browsers

I use CF tunnels to publicly expose sites that I run at home. I had “HTTP/3 (with QUIC)” enabled, and I also have a WAF rule to require a Cloudflare-generated client certificate. On my home network, no client certificate is required because my internal DNS directs my sites to my server’s internal IP address.

A few weeks ago, an update to Chrome (noticed it in Brave as well) resulted in the lack of the typical client cert prompt when accessing my sites via CF after I had accessed them at home. That is, if I accessed my site without a client certificate, I’d no longer be prompted for one when it was required. I found this to be the case for both Linux and Android versions of Chrome.

After turning off “HTTP/3 (with QUIC)”, the issue went away. I suspect this is a Chrome issue rather than a CF issue, but I figured I’d share my findings if anyone else experiences the same problem.

Repro steps:

  1. Connect to the site outside of CF (in my case, I connected via my home network; connecting via CF pre-client cert enablement may work as well)
  2. Set up client certs for the site under “SSL/TLS - Client Certificates”
  3. Add a WAF rule to require client certs (Block with rule: (not cf.tls_client_auth.cert_verified) or cf.tls_client_auth.cert_revoked)
  4. Ensure “HTTP/3 (with QUIC)” is enabled under “Network”
  5. Attempting to connect to the site will now fail with “Access Denied”; no client cert prompt appears.
  6. Disable “HTTP/3 (with QUIC)”
  7. Reload site. Cert prompt will appear, and site can be connected to as usual.

Tested with Brave for Linux 1.44.112 (Chromium 106.0.5249.119) and Chrome for Android 106.0.5249.118.
