private deployment for experiments

#1
Hello,

I'm trying to use h3/QUIC in a closed lab environment for experimentation purposes. I installed OpenLiteSpeed 1.7.16 on Ubuntu 18.04. The Ubuntu server has no DNS name; it's IP address only. There is one client on the lab network, a MacBook with Chrome. There's no firewall between the MacBook and the Ubuntu server.

The lab LAN is firewalled from the internet, no incoming connections on any port allowed.

Can I enable h3 without having to get trusted certs and SSL config?

What's the easiest way to set up a temporary OLS h3/QUIC env like this? One server <----> one client, run some tests, and done.

No external traffic will ever come in. None of the IPs are routable on the internet, and they don't need to be.

Any info would be great, thanks
 

Cold-Egg

Administrator
#2
Maybe, just maybe, you can set up a public site and apply for a certificate from Let's Encrypt for a domain, e.g. abc.com. Then, go to the lab env, set up a private domain abc.com and upload the valid certificate there. Then add abc.com with the lab IP to your device's hosts file, and then you can start testing it.
 
#3
Thanks for the suggestion. I got past the certs by using https://smallstep.com/. With this tool I was able to run my own CA and create a trusted cert that worked for my test domain (quicpoc.local).

Now when I go to https://quicpoc.local it loads the OpenLiteSpeed landing page without any warnings, and I see "connection is secure" with a closed lock icon in the Chrome toolbar. So all good as far as TLS.

But Chrome is showing that the protocol is h2 now. It's better than HTTP/1.1 like before, but what I really want is h3. Any tips for how to get OLS to use h3?

For example, going to litespeedtech.com shows h3; how can I get my server to respond like that?

 
#5
There is no firewall, but the problem ended up being the smallstep cert. Although Chrome said the cert was valid, somehow it prevented h3 from being agreed on. I switched to using Let's Encrypt with wildcard certs. Then I edited /etc/hosts to match a subdomain that the wildcard cert supported. It works now. Thanks for your helpful suggestions.
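Added example, not code from this thread or from LiteSpeed: the first thing to check when Chrome stays on h2 (the situation in #3) and again after a certificate swap (#5) is whether the origin's h2 response carries an Alt-Svc header offering h3. That header (RFC 7838) is how browsers discover HTTP/3; Chrome only attempts QUIC on the advertised UDP port after seeing it, and only if the certificate validates for that host. The script parses Alt-Svc values offline and can fetch one from a lab origin. The URL https://quicpoc.local/, the root file name root_ca.crt and the sample header value are assumptions for illustration.

```python
"""Check whether an HTTPS origin advertises HTTP/3 in its Alt-Svc header.

A browser's first request runs over h2; if the response carries, e.g.
    Alt-Svc: h3=":443"; ma=2592000
the client may retry over QUIC on that UDP port.  No header, no h3,
whatever the certificate says.
"""
import ssl
import sys
import urllib.request
from dataclasses import dataclass
from typing import List, Optional

ALT_SVC_DEFAULT_MAX_AGE = 86400  # seconds, the RFC 7838 default when "ma" is absent

# Constructed sample value (not captured from a real server) used for offline checks.
SAMPLE_ALT_SVC = 'h3=":443"; ma=2592000, h3-29=":443"; ma=2592000'


@dataclass
class AltSvc:
    protocol: str   # ALPN id, e.g. "h3", or a draft id such as "h3-29"
    authority: str  # "host:port", or ":port" meaning the origin's own host
    max_age: int    # how long the client may cache this alternative, in seconds


def parse_alt_svc(value: str) -> List[AltSvc]:
    """Parse an Alt-Svc field value into its alternatives.

    "clear" tells the client to forget cached alternatives, so it yields none.
    Entries are comma separated; each is protocol="authority" followed by
    optional ;key=value parameters, of which only "ma" is interpreted here.
    """
    if value.strip().lower() == "clear":
        return []
    alternatives: List[AltSvc] = []
    for entry in value.split(","):
        parts = [p.strip() for p in entry.split(";")]
        protocol, sep, authority = parts[0].partition("=")
        if not sep:
            continue  # malformed entry: skip it rather than fail the whole header
        max_age = ALT_SVC_DEFAULT_MAX_AGE
        for param in parts[1:]:
            key, _, val = param.partition("=")
            if key.strip().lower() == "ma" and val.strip().isdigit():
                max_age = int(val.strip())
        alternatives.append(
            AltSvc(protocol.strip(), authority.strip().strip('"'), max_age)
        )
    return alternatives


def h3_alternatives(value: Optional[str]) -> List[AltSvc]:
    """Return only the HTTP/3 alternatives: the final "h3" id and draft "h3-NN" ids."""
    if not value:
        return []
    return [
        a for a in parse_alt_svc(value)
        if a.protocol == "h3" or a.protocol.startswith("h3-")
    ]


def fetch_alt_svc(url: str, cafile: Optional[str] = None,
                  timeout: float = 5.0) -> Optional[str]:
    """Do one GET over TLS and return the raw Alt-Svc header value, if any.

    cafile is a PEM root to trust (assumed name: the smallstep root_ca.crt);
    with it the connection is verified the way a browser trusting that root
    would verify it.  This needs network access; the parsing above does not.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.headers.get("Alt-Svc")


if __name__ == "__main__":
    # usage: python3 h3check.py https://quicpoc.local/ [root_ca.crt]   (assumed paths)
    target = sys.argv[1] if len(sys.argv) > 1 else "https://quicpoc.local/"
    root = sys.argv[2] if len(sys.argv) > 2 else None
    raw = fetch_alt_svc(target, cafile=root)
    found = h3_alternatives(raw)
    print("Alt-Svc:", raw)
    print("advertises h3:", bool(found),
          [(a.protocol, a.authority, a.max_age) for a in found])
```

If the header is present but Chrome still shows h2, the remaining suspects are the advertised UDP port not being reachable and the certificate not validating for the exact host in the URL, which is consistent with the cert change in #5 being what made the difference.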
 