Re: nginxQuic: support for the quicktls OpenSSL library

Maxim Dounin
December 02, 2021 08:32AM
Hello!

On Thu, Dec 02, 2021 at 01:44:02PM +0300, Sergey Kandaurov wrote:

> > On 24 Nov 2021, at 22:58, izorkin@gmail.com wrote:
> >
> > Hello.
> >
> > I built nginx with the QuicTLS library - https://github.com/quictls/openssl
> > When the HTTP3 protocol is enabled on several hosts, errors like these start pouring into the log:
> > ```
> > 2021/11/24 22:52:45 [error] 40152#40152: *51 SSL_do_handshake() failed (SSL: error:0A0C0101:SSL routines::called a function you should not call) while handling frames, client: 91...., server: 0.0.0.0:443
> > 2021/11/24 22:52:45 [error] 40151#40151: *52 SSL_do_handshake() failed (SSL: error:0A0C0101:SSL routines::called a function you should not call) while handling frames, client: 91...., server: 0.0.0.0:443
> > 2021/11/24 22:52:45 [error] 40153#40153: *53 SSL_do_handshake() failed (SSL: error:0A0C0101:SSL routines::called a function you should not call) while handling frames, client: 91...., server: 0.0.0.0:443
> > ```
> > If BoringSSL is used with the same configuration, this error does not occur.
> >
>
> Try this patch:
>
> # HG changeset patch
> # User Sergey Kandaurov <pluknet@nginx.com>
> # Date 1638441718 -10800
> # Thu Dec 02 13:41:58 2021 +0300
> # Branch quic
> # Node ID 45c2b34248365f63bcec694a8587d11f52441ac9
> # Parent aa0bd5f3127f6a27669b9e6f8362ba9254785193
> QUIC: clear SSL_OP_ENABLE_MIDDLEBOX_COMPAT on SSL context switch.
>
> The SSL_OP_ENABLE_MIDDLEBOX_COMPAT option is provided by QuicTLS and enabled
> by default in the newly created SSL contexts. SSL_set_quic_method() is used
> to clear it, which is required for SSL handshake to work on QUIC connections.
> Switching context in the ngx_http_ssl_servername() SNI callback overrides SSL
> options from the new SSL context. This results in the option set again.
> Fix is to explicitly clear it when switching to another SSL context.
>
> Initially reported here (in Russian):
> http://mailman.nginx.org/pipermail/nginx-ru/2021-November/063989.html
>
> diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
> --- a/src/http/ngx_http_request.c
> +++ b/src/http/ngx_http_request.c
> @@ -962,7 +962,14 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *
> #ifdef SSL_OP_NO_RENEGOTIATION
> SSL_set_options(ssl_conn, SSL_OP_NO_RENEGOTIATION);
> #endif
> +
> +#ifdef SSL_OP_ENABLE_MIDDLEBOX_COMPAT
> +#if (NGX_QUIC)
> + if (c->listening->quic) {
> + SSL_clear_options(ssl_conn, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
> }
> +#endif
> +#endif
>
> done:
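
Review bot: The `if (c->listening->quic) {` block opened in the added lines is never closed. The only `}` in the hunk carries no `+` marker, so it is the existing brace of the enclosing block, and a build with both `SSL_OP_ENABLE_MIDDLEBOX_COMPAT` and `NGX_QUIC` defined ends up with unbalanced braces. Add a `+ }` line directly after the `SSL_clear_options(ssl_conn, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);` call, before the first `#endif`, and keep the new block at the same nesting level as the `SSL_set_options(ssl_conn, SSL_OP_NO_RENEGOTIATION);` context line above it.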

At a glance, it looks like the indentation is wrong and a closing
curly brace has been forgotten.

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx-ru mailing list
nginx-ru@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-ru