H2C remains enabled with quarkus.http.http2=false #49592
Description
Describe the bug
When setting the quarkus.http.http2 property to true, a plain HTTP endpoint continues to respond with HTTP/2 when the client offers an h2c upgrade. HTTPS endpoints work as expected and respond with HTTP/1.1.
Expected behavior
Both HTTP and HTTPS endpoints should respond with HTTP/1.1 when quarkus.http.http2 is true.
Actual behavior
HTTP endpoints allow upgrade to H2C and respond with HTTP/2 when offered an upgrade by the client.
How to Reproduce?
Please see the reproducer at https://github.com/MikeEdgar/quarkus-quickstarts/tree/h2c-with-http2-false/getting-started
- Start application, dev mode will reproduce the issue fine
- Request the hello endpoint using curl (or equivalent) with http2
curl -kv --http2 http://localhost:8080/hello - Note the output indicates HTTP/2 is agreed to by the server
* Trying 127.0.0.1:8080... * Connected to localhost (127.0.0.1) port 8080 (#0) > GET /hello HTTP/1.1 > Host: localhost:8080 > User-Agent: curl/7.81.0 > Accept: */* > Connection: Upgrade, HTTP2-Settings > Upgrade: h2c > HTTP2-Settings: AAMAAABkAAQCAAAAAAIAAAAA > * Mark bundle as not supporting multiuse < HTTP/1.1 101 Switching Protocols < connection: upgrade < upgrade: h2c * Received 101 * Using HTTP2, server supports multiplexing * Connection state changed (HTTP/2 confirmed) * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=21 < HTTP/2 200 < content-length: 5 < content-type: text/plain;charset=UTF-8 < * Connection #0 to host localhost left intact hello - HTTPS endpoints do not agree to HTTP/2
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 * ALPN, server did not agree to a protocol * Server certificate: * subject: O=apache.org; OU=eng; CN=localhost * start date: Aug 18 15:04:18 2025 GMT * expire date: Aug 16 15:04:18 2035 GMT * issuer: O=apache.org; OU=eng; CN=ca * SSL certificate verify result: self-signed certificate in certificate chain (19), continuing anyway. * TLSv1.2 (OUT), TLS header, Supplemental data (23): > GET /hello HTTP/1.1 > Host: localhost:8443 > User-Agent: curl/7.81.0 > Accept: */* > * TLSv1.2 (IN), TLS header, Supplemental data (23): * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4): * TLSv1.2 (IN), TLS header, Supplemental data (23): * Mark bundle as not supporting multiuse < HTTP/1.1 200 OK < content-length: 5 < Content-Type: text/plain;charset=UTF-8 < * Connection #0 to host localhost left intact hello
Output of uname -a or ver
No response
Output of java -version
No response
Quarkus version or git rev
3.25.3
Build tool (ie. output of mvnw --version or gradlew --version)
Apache Maven 3.9.9 (8e8579a9e76f7d015ee5ec7bfcdc97d260186937)
Additional information
No response