Kestrel doesn't respond to HTTP3 request on udp

[ackava]

Is there an existing issue for this?

• I have searched the existing issues

Describe the bug

I have created a YARP proxy and enabled HTTP3 along with libmsquic in docker.

Server only respond to HTTP2 and by using url http3check , it seems server doesn't respond to HTTP3 even on same machine, netstat -lnu shows up that container is listening correctly but there is no response.

Expected Behavior

Server should respond to http3 requests...

docker run -ti --rm alpine/curl-http3 curl --http3-only -sI https://validurl.....

There should be a valid response like HTTP/3 200. But it times out.

But in case of following,

docker run -ti --rm alpine/curl-http3 curl --http3 -sI https://validurl.....

Response is, curl gets response with HTTP/2

HTTP/2 200
content-type: text/html; charset=utf-8
date: Tue, 19 Aug 2025 08:18:07 GMT
server: Kestrel
alt-svc: h3=":443"; ma=86400
cache-control: no-cache, no-store, max-age=0

Steps To Reproduce

FROM mcr.microsoft.com/dotnet/sdk:8.0-alpine AS base

RUN apk add libmsquic

WORKDIR /app

COPY . .

RUN dotnet build -c Release -o /app/build

EXPOSE 443/tcp
EXPOSE 443/udp

ENTRYPOINT [ "dotnet", "/app/build/DotNetReverseProxy.dll"]

    var builder = WebApplication.CreateBuilder(args);
    builder.WebHost.ConfigureKestrel(kestrel =>
    {
        var tls = new TlsHandshakeCallbackOptions
        {
            OnConnection = async (c) =>
            {
                var fwd = await store.GetCertificate(c.ClientHelloInfo.ServerName);
                var ctx = cache.GetOrCreate(fwd.Cert, (ci) =>
                {
                    var xCert = X509Certificate2.CreateFromPem(fwd.Cert, fwd.Key);

                    ci.AbsoluteExpirationRelativeToNow = TimeSpan.FromMinutes(15);

                    return new SslServerAuthenticationOptions
                    {
                        ServerCertificate = xCert,
                        EnabledSslProtocols = System.Security.Authentication.SslProtocols.Tls13
                            | System.Security.Authentication.SslProtocols.Tls12
                    };
                });
                var unixEndPoint = new UnixDomainSocketEndPoint(fwd.Port);
                cache.Set(c.Connection.ConnectionId, unixEndPoint);
                return ctx;
            }
        };

        // following isn't working either...
        //var ip = new IPAddress([0, 0, 0, 0]);
        //kestrel.Listen(ip, 443, portOptions => {
        //    portOptions.Protocols = HttpProtocols.Http1AndHttp2AndHttp3;
        //    portOptions.UseHttps(tls);
        //});

        kestrel.ListenAnyIP(443, portOptions => {
            portOptions.Protocols = HttpProtocols.Http1AndHttp2AndHttp3;
            portOptions.UseHttps(tls);
        });
    });

Exceptions (if any)

None

.NET Version

8

Anything else?

No response

[danmoseley]

@JamesNK any thoughts on this one?

[JamesNK]

Debugging HTTP/3 success/failure is difficult.

I think reducing your app to be as simple as possible would be a first step to debugging what is going on. What is the purpose of TlsHandshakeCallbackOptions.OnConnection callback? Does it work if you remove the callback when adding HTTPS?

One sanity check to make is to write to logging the value of QuicListener.IsSupported. That checks whether required platform dependencies are available.

You could configure trace level logging on your app, attempt to browse to it using HTTP/3, and add the results here. That might give a clue to what is happening.

[ackava]

@JamesNK

Same setup is running correctly on WSL, the problem occurs when I move to production Ubuntu server which only has IPv4.

I suspect that Kestrel on Ubuntu server inside docker is listening to "all ips on udp6 and only on 0.0.0.0 udp (IPv4)", but on WSL, Kestrel listens to all udp (IPv4). Because same configuration is working on WSL. But not on Live Ubuntu server.

This is a problem because Ubuntu server has only IPv4 external IP, external IPv6 is not available but IPv6 isn't disabled in Docker by default.

Now I had read somewhere in documentation that if IPv6 is available then Kestrel will listen on all UDP IPv6 and 0.0.0.0 IPv4, but I want server to listen on all UDP IPv4. On WSL it works fine. We need ability to listen to all IPv4 for ubuntu in kestrel, currently I don't know how to do it.

When container is in WSL, when I run netstat -luna I get following output

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 127.0.0.11:36376        0.0.0.0:*                           
udp        0      0 :::443                  :::*    <---------------------- WSL                            
udp        0      0 :::443                  :::*                                
udp        0      0 :::443                  :::*                                
udp        0      0 :::443                  :::*                                
udp        0      0 :::443                  :::*                                
udp        0      0 :::443                  :::*                                
udp        0      0 :::443                  :::*                                
udp        0      0 :::443                  :::*                                
udp        0      0 :::443                  :::*                                
udp        0      0 :::443                  :::*                                
udp        0      0 :::443                  :::*                                
udp        0      0 :::443                  :::*

When container is in Ubuntu Server live, and when I execute netstat -luna in the container, I get following output.

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       
udp        0      0 127.0.0.11:38817        0.0.0.0:*  

When I execute netstat -lnua on the Ubuntu Server host , I get following.

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 64.91.224.23:53         0.0.0.0:*
udp        0      0 127.0.0.53:53           0.0.0.0:*
udp        0      0 172.18.0.1:123          0.0.0.0:*
udp        0      0 172.17.0.1:123          0.0.0.0:*
udp        0      0 64.91.224.23:123        0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp        0      0 0.0.0.0:443             0.0.0.0:* <----- UBUNTU
udp6       0      0 fe80::943f:cdff:fe0:123 :::*
udp6       0      0 fe80::28f7:bcff:fe8:123 :::*
udp6       0      0 fe80::a8fb:d6ff:fe6:123 :::*
udp6       0      0 fe80::40e:b0ff:fe07:123 :::*
udp6       0      0 fe80::9848:22ff:fe7:123 :::*
udp6       0      0 fe80::24e7:ceff:fee:123 :::*
udp6       0      0 fe80::9cd6:36ff:fec:123 :::*
udp6       0      0 fe80::5054:ff:fe0f::123 :::*
udp6       0      0 ::1:123                 :::*
udp6       0      0 :::123                  :::*
udp6       0      0 :::443                  :::* <----- UBUNTU

TlsHandshakeCallbackOptions.OnConnection handles fetching certificate based on host name, it is lets encrypt connector which does fetch correct certificate and changing it does not make any difference.

#pragma warning disable CA2252 // This API requires opting into preview features
    if (QuicListener.IsSupported)
    {
        Console.Out.WriteLine("Quic is available");
    } else
    {
        Console.Out.WriteLine("Quic is not available");
    }
#pragma warning restore CA2252 // This API requires opting into preview features

This prints Quic is available.

[ackava]

@JamesNK

Before disabling IPv6 for Docker Daemon, curl http3 test would timeout and would hung up.

After disabling IPv6 for Docker Daemon curl http3 test gives following response.

docker run -ti alpine/curl-http3 curl -k -v --http3-only -sI https://url
* Host url:443 was resolved.
* IPv6: (none)
* IPv4: 64.91.224.23
*   Trying 64.91.224.23:443...
* connect to 64.91.224.23 port 443 failed: Weird server reply
*   Trying 64.91.224.23:443...
* connect to 64.91.224.23 port 443 failed: Weird server reply
*   Trying 64.91.224.23:443...
* connect to 64.91.224.23 port 443 failed: Weird server reply
*   Trying 64.91.224.23:443...
* connect to 64.91.224.23 port 443 failed: Weird server reply
*   Trying 64.91.224.23:443...
* connect to 64.91.224.23 port 443 failed: Weird server reply
*   Trying 64.91.224.23:443...
* connect to 64.91.224.23 port 443 failed: Weird server reply
*   Trying 64.91.224.23:443...
* connect to 64.91.224.23 port 443 failed: Weird server reply
*   Trying 64.91.224.23:443...
* connect to 64.91.224.23 port 443 failed: Weird server reply
*   Trying 64.91.224.23:443...
* connect to 64.91.224.23 port 443 failed: Weird server reply
*   Trying 64.91.224.23:443...
* connect to 64.91.224.23 port 443 failed: Weird server reply
*   Trying 64.91.224.23:443...
* connect to 64.91.224.23 port 443 failed: Weird server reply
*   Trying 64.91.224.23:443...
* connect to 64.91.224.23 port 443 failed: Weird server reply

Now I believe container is listening to all IPs on 443 UDP, but I don't know how to trace further.