
When QUIC and AVG Antivirus don't play nice: solving a mysterious SSL error in Caddy


The Problem

Recently, I encountered an interesting issue with one of my client setups. We use Caddy as a front-end server with its excellent "On Demand TLS" feature, while Apache sits behind it serving the actual site content. While I'd love to simplify this stack by eliminating Apache, the client's application heavily relies on .htaccess files for configuration, so we maintain this hybrid approach.

The issue emerged when the client reported that users with AVG Antivirus installed were receiving strange SSL errors across all browsers when attempting to access the site. Curiously, I couldn't reproduce this problem on AVG for Mac, which added another layer of mystery to the troubleshooting process.

Debugging Process

When analyzing the problem in Chrome on a Windows machine with AVG installed, I noticed references to QUIC in the error messages. For those unfamiliar, QUIC (Quick UDP Internet Connections) is a transport layer protocol developed by Google that serves as the foundation for HTTP/3. It aims to improve performance, particularly in high-latency and lossy network environments.

I ran multiple validation tests on the website but couldn't find any explicit QUIC-related errors. The site's SSL configuration passed all the standard checks, and everything looked fine from a certificate perspective.

After extensive troubleshooting and ruling out other potential causes, I decided to test disabling QUIC in Caddy. Surprisingly, this immediately resolved the issue - users with AVG could now access the site without any SSL errors.

The solution

If you encounter similar SSL errors with Caddy and AVG Antivirus, here's how to disable QUIC/HTTP/3 globally in your Caddy configuration:

{
  servers {
    protocols h1 h2
  }
}

# Rest of your Caddyfile...

This simple configuration change tells Caddy to only use HTTP/1.1 and HTTP/2 protocols for all sites, effectively disabling HTTP/3 (QUIC) across your entire server.
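One way to confirm the change took effect, as an added example that is not part of the original post or of Caddy itself: servers advertise HTTP/3 to clients through the Alt-Svc response header (RFC 7838), so after the reload that header should no longer carry an h3 entry. The header dumps below are constructed samples standing in for `curl -sI` output, and the function names are hypothetical.

```python
def _split_outside_quotes(text, sep):
    """Split on sep, ignoring separators inside double-quoted strings."""
    parts, buf, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def parse_alt_svc(value):
    """Parse one Alt-Svc value into (protocol_id, authority, params) tuples."""
    if value.strip().lower() == "clear":  # "clear" drops all cached alternatives
        return []
    entries = []
    for entry in _split_outside_quotes(value, ","):
        fields = _split_outside_quotes(entry, ";")
        proto, _, authority = fields[0].partition("=")
        params = dict(f.split("=", 1) for f in fields[1:] if "=" in f)
        params = {k.strip().lower(): v.strip().strip('"') for k, v in params.items()}
        entries.append((proto.strip(), authority.strip().strip('"'), params))
    return entries


def h3_alternatives(raw_headers):
    """Return the HTTP/3 alternatives (h3 or draft h3-NN) found in raw response headers."""
    found = []
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "alt-svc":  # header names are case-insensitive
            found += [e for e in parse_alt_svc(value)
                      if e[0] == "h3" or e[0].startswith("h3-")]
    return found


# Constructed samples: a response before and after restricting protocols to h1 h2.
BEFORE = 'HTTP/2 200\r\nalt-svc: h3=":443"; ma=2592000\r\nserver: Caddy\r\n\r\n'
AFTER = 'HTTP/2 200\r\nserver: Caddy\r\n\r\n'

if __name__ == "__main__":
    for label, headers in (("before", BEFORE), ("after", AFTER)):
        alts = h3_alternatives(headers)
        print(label, "-> HTTP/3 advertised:" if alts else "-> no HTTP/3 advertised", alts or "")
```

A client that cached an earlier Alt-Svc entry may keep trying HTTP/3 until the entry's `ma` lifetime expires, so re-test affected machines with a fresh browser profile.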

Why does this happen?

The exact cause of the conflict between Caddy's QUIC implementation and AVG Antivirus remains somewhat mysterious. After searching through both Caddy GitHub issues and AVG forums, I couldn't find any posts specifically addressing this issue.

My theory is that AVG's HTTPS scanning feature might be intercepting and inspecting TLS traffic but doesn't properly support or handle QUIC/HTTP/3 connections. Since QUIC works over UDP instead of TCP and uses a different handshake mechanism, it's possible that AVG's scanning engine either misinterprets these connections or incorrectly flags them as suspicious.

Performance implications

While disabling QUIC/HTTP/3 does solve the compatibility issue with AVG, it's worth noting that you'll lose some potential performance benefits, especially for users on high-latency or lossy connections. HTTP/3 offers advantages like improved connection establishment times and better handling of packet loss.

However, the performance impact should be minimal for most websites, as HTTP/2 already provides many optimizations compared to HTTP/1.1. The most important thing is ensuring your site is accessible to all users, regardless of their security software.

Conclusion

This case highlights an interesting compatibility issue between modern web protocols and security software. As the web continues to evolve with new protocols and standards, these types of conflicts may become more common.

If you're running Caddy and users report SSL errors that you can't reproduce on your end, checking for antivirus interference and potentially disabling QUIC might be a quick solution. While not ideal from a cutting-edge performance perspective, ensuring compatibility with common security software used by your visitors is often more important.

Have you encountered similar issues with QUIC or HTTP/3 and security software? Let me know in the comments below!


P.S. While most of my blog posts are written in Dutch, I've chosen to write this specific article in English to increase the chances of Google directing users here. There's surprisingly little information available online about this particular QUIC/AVG issue, so I hope this helps others who might be facing the same problem.