Http3 Client times out for an untrusted certificate

Josiah Noel josiahnoel at gmail.com
Thu Nov 6 16:52:49 UTC 2025 

Indeed I'm using a self signed cert created by mkcert for the server. I
created a keystore out of it, and used the same sslcontext for both the
server and the client. Attached are my logs.



On Thu, Nov 6, 2025 at 10:38 AM Daniel Fuchs <daniel.fuchs at oracle.com>
wrote:

> Hi Joshua,
>
> Thanks for reporting this and for trying out HTTP/3!
>
> I have logged https://bugs.openjdk.org/browse/JDK-8371413 and we will
> investigate.
>
> A couple of question though:
>
> 1. if I understand correctly the server was using a self-signed
>     certificate and the client truststore didn't contain it. Is
>     that a fair description of the set up?
>
> 2. would it possible for you to share the client logs when the issue
>     occurred?
>
>     Running the client with:
>
>
> -Ddk.httpclient.HttpClient.log=requests,headers,errors,http3,quic:control:retransmit
>
>     would help us diagnose the issue.
>
> Note: the mailing list might reject the attachment, let me know if
>        that happens.
>
> best regards,
>
> -- daniel
>
> On 06/11/2025 15:15, Josiah Noel wrote:
> > I've been testing the Http3 support on windows 11 with build
> > 26-ea+22-2263, and my request was seemingly just timing out.
> >
> > After like 3 hours of fiddling, I realized that I forgot to import the
> > mkcert rootCA  I was using into the jdk cacerts.
> >
> > Long story short, when I ran  `keytool -import -trustcacerts -noprompt
> > -alias mkcert-root-ca   -file "$(mkcert -CAROOT)/rootCA.pem"   -keystore
> > "$JAVA_HOME/lib/security/cacerts"   -storepass changeit` then it
> > suddenly began to work.
> >
> > Perchance is it possible to get a clearer error message?
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/net-dev/attachments/20251106/12fb391c/attachment.htm>
-------------- next part --------------
WARNING: Unknown module: io.avaje.jex.test specified to --add-reads
Nov 06, 2025 11:37:03 AM io.avaje.jex.core.BootstrapServer start
INFO: Avaje Jex started class io.avaje.jex.http3.flupke.impl.FlupkeHttpServer in 194ms on https://0:0:0:0:0:0:0:0:8080
Nov 06, 2025 11:37:04 AM jdk.internal.net.http.Http3ClientImpl getConnectionFor
INFO: HTTP3: getConnectionFor exchange https://localhost:8080 GET #1
Nov 06, 2025 11:37:04 AM jdk.internal.net.http.Http3ClientImpl getConnectionFor
INFO: HTTP3: Creating connection for Exchange https://localhost:8080 GET #1
Nov 06, 2025 11:37:04 AM jdk.internal.net.http.HttpQuicConnection logAltSvcFor
INFO: ALTSVC: No AltService found for localhost:8080
Nov 06, 2025 11:37:04 AM jdk.internal.net.http.quic.QuicClient chooseEndpoint
INFO: QUIC: Adding new endpoint: QuicEndpoint(HttpClientImpl(1)-0)
Nov 06, 2025 11:37:04 AM jdk.internal.net.http.quic.QuicEndpoint lambda$create$1
INFO: QUIC: Initial receive buffer size is: 65536
Nov 06, 2025 11:37:04 AM jdk.internal.net.http.quic.QuicEndpoint lambda$create$1
INFO: QUIC: Initial send buffer size is: 65536
Nov 06, 2025 11:37:04 AM jdk.internal.net.http.Http3Connection createAsync
INFO: HTTP3: Http3Connection.createAsync: Got HttpQuicConnection for https://localhost:8080 GET #1 is: quic:1
Nov 06, 2025 11:37:04 AM jdk.internal.net.http.quic.QuicConnectionImpl startInitialTimer
INFO: QUIC: QuicClientConnection(1): Arming quic initial timer for PT29.9998017S
Nov 06, 2025 11:37:04 AM jdk.internal.net.http.quic.QuicConnectionImpl sendFirstInitialPacket
INFO: QUIC: QuicClientConnection(1): connectionId: a2185e4ac3afe4deda4fc7dc14, QuicEndpoint(HttpClientImpl(1)-0): QuicEndpoint(HttpClientImpl(1)-0) - /[0:0:0:0:0:0:0:0]:50781
Nov 06, 2025 11:37:04 AM jdk.internal.net.http.quic.IdleTimeoutManager checkUpdateIdleTimeout
INFO: QUIC: QuicClientConnection(1) idle connection timeout updated to 30,000 milli seconds
Nov 06, 2025 11:37:04 AM jdk.internal.net.http.quic.PacketSpaceManager$PacketTransmissionTask logNoDeadline
INFO: QUIC: QuicClientConnection(1): INITIAL no deadline, task unscheduled
Nov 06, 2025 11:37:04 AM jdk.internal.net.http.quic.PacketSpaceManager close
INFO: QUIC: QuicClientConnection(1) closing packet space INITIAL
Nov 06, 2025 11:37:04 AM jdk.internal.net.http.quic.ConnectionTerminatorImpl immediateClose
INFO: QUIC: QuicClientConnection(1) entering closing state, code 0x12e - jdk.internal.net.quic.QuicTransportException: certificate_unknown
Nov 06, 2025 11:37:04 AM jdk.internal.net.http.quic.QuicConnectionImpl pushDatagram
INFO: QUIC: QuicClientConnection(1) OUT: HANDSHAKE(pn:2, size=70, frames:[ConnectionCloseFrame[type=0x1c, errorCode=0x12e, tlsAlertDescription=46, errorFrameType=0x0, reason=certificate_unknown]])
Nov 06, 2025 11:37:04 AM jdk.internal.net.http.quic.PacketSpaceManager close
INFO: QUIC: QuicClientConnection(1) closing packet space HANDSHAKE
Nov 06, 2025 11:37:04 AM jdk.internal.net.http.quic.PacketSpaceManager close
INFO: QUIC: QuicClientConnection(1) closing packet space APPLICATION
Nov 06, 2025 11:37:04 AM jdk.internal.net.http.Http3ClientImpl connectionCompleted
INFO: HTTP3: Checking waiters on completed connection null to https:localhost:8080 created for https://localhost:8080 GET #1
Nov 06, 2025 11:37:04 AM jdk.internal.net.http.quic.PacketSpaceManager$PacketTransmissionTask logNoDeadline
INFO: QUIC: QuicClientConnection(1): HANDSHAKE no deadline, task unscheduled
Nov 06, 2025 11:37:04 AM jdk.internal.net.http.quic.PacketSpaceManager$PacketTransmissionTask logNoDeadline
INFO: QUIC: QuicClientConnection(1): APPLICATION no deadline, task unscheduled
Nov 06, 2025 11:37:04 AM jdk.internal.net.http.quic.ConnectionTerminatorImpl immediateClose
INFO: QUIC: QuicClientConnection(1) connection has now transitioned to closing state
Nov 06, 2025 11:37:04 AM jdk.internal.net.http.Http3ClientImpl connectionCompleted0
INFO: HTTP3: No HTTP/3 connection created for requests to https:localhost:8080, will fail or downgrade: waiters[0](completed:0, retried:0, errors:0) - originally created for https://localhost:8080 GET #1

More information about the net-dev mailing list