id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
2289	QUIC: RETIRE_CONNECTION_ID with invalid DestinationConnectionId	WesleyRosenblum@…		"While testing nginx QUIC functionality, nginx sent a RETIRE_CONNECTION_ID frame with Sequence: 0, using the Destination Connection ID referred to by Sequence ID 0. This is prohibited by RFC 9000 §19.16:

The sequence number specified in a RETIRE_CONNECTION_ID frame MUST NOT refer to the Destination Connection ID field of the packet in which the frame is contained.

The invalid RETIRE_CONNECTION_ID frame was received in response to the server sending two NEW_CONNECTION_ID frames, each with Retire Prior To set to 1.

    QUIC Short Header DCID=0000000000000008a1d253f480c1d8e8dd75e0c0 PKN=2
        Destination Connection ID: 0000000000000008a1d253f480c1d8e8dd75e0c0
        Packet Number: 2
    NEW_CONNECTION_ID
        Frame Type: NEW_CONNECTION_ID (0x0000000000000018)
        Sequence: 1
        Retire Prior To: 1
        Connection ID Length: 16
        Connection ID: 1aa096604a4a5c26f51a9ebb38965ee7
        Stateless Reset Token: d4dde1412056fbd92b1158c6502cae29
    NEW_CONNECTION_ID
        Frame Type: NEW_CONNECTION_ID (0x0000000000000018)
        Sequence: 2
        Retire Prior To: 1
        Connection ID Length: 16
        Connection ID: 007061a58f6a2518b98f5a5c4ad39994
        Stateless Reset Token: 3c5a67af0edc63d2451994942ab932ca

nginx responds with:

    QUIC Short Header DCID=98376dec4bb617de72b3ce5062d58a66 PKN=2
        Destination Connection ID: 98376dec4bb617de72b3ce5062d58a66
        Packet Number: 2
    RETIRE_CONNECTION_ID
        Frame Type: RETIRE_CONNECTION_ID (0x0000000000000019)
        Sequence: 0

Since Destination Connection ID: 98376dec4bb617de72b3ce5062d58a66 is the connection ID referred to by Sequence: 0, this is not valid. The Destination Connection ID should be either 1aa096604a4a5c26f51a9ebb38965ee7 or 007061a58f6a2518b98f5a5c4ad39994.

Here is the nginx version information:

    nginx version: nginx/1.21.4 (8703:aae8b91e0280)
    built by gcc 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)
    built with OpenSSL 1.1.1 (compatible; BoringSSL) (running with BoringSSL)
    TLS SNI support enabled
    configure arguments: --prefix=/etc/nginx --build=8703:aae8b91e0280 --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/run/nginx.pid --lock-path=/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-debug --with-http_ssl_module --with-http_v2_module --with-http_quic_module --with-stream_quic_module --with-http_v3_module --with-cc-opt='-I/boringssl/include -O0 -fno-common -fno-omit-frame-pointer -DNGX_QUIC_DRAFT_VERSION=29' --with-ld-opt='-L/boringssl/build/ssl -L/boringssl/build/crypto'

Thanks for considering this issue and let me know if you need any further information!
"	defect	closed	minor		http/3	1.19.x	fixed				nginx/1.21.4 (8703:aae8b91e0280)
