details: https://github.com/nginx/nginx/commit/cedb855d75ceefd7fe513f9c27c9364678582786 branches: master commit: cedb855d75ceefd7fe513f9c27c9364678582786 user: Sergey Kandaurov <pluk...@nginx.com> date: Tue, 27 May 2025 21:56:40 +0400 description: QUIC: disabled OpenSSL 3.5 QUIC API support by default.
In OpenSSL 3.5.0, the "quic_transport_parameters" extension set internally by the QUIC API is cleared on the SSL context switch, which disables sending QUIC transport parameters if switching to a different server block on SNI. See the initial report in [1]. This is fixed post OpenSSL 3.5.0 [2]. The fix is anticipated in OpenSSL 3.5.1, which has not been released yet. When building with OpenSSL 3.5, OpenSSL compat layer is now used by default. The OpenSSL 3.5 QUIC API support can be switched back using --with-cc-opt='-DNGX_QUIC_OPENSSL_API=1'. [1] https://github.com/nginx/nginx/issues/711 [2] https://github.com/openssl/openssl/commit/45bd3c3798 --- src/event/quic/ngx_event_quic.h | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/event/quic/ngx_event_quic.h b/src/event/quic/ngx_event_quic.h index d95d3d85b..335d87191 100644 --- a/src/event/quic/ngx_event_quic.h +++ b/src/event/quic/ngx_event_quic.h @@ -13,7 +13,10 @@ #ifdef OSSL_RECORD_PROTECTION_LEVEL_NONE -#define NGX_QUIC_OPENSSL_API 1 +#ifndef NGX_QUIC_OPENSSL_API +#define NGX_QUIC_BORINGSSL_API 1 +#define NGX_QUIC_OPENSSL_COMPAT 1 +#endif #elif (defined SSL_R_MISSING_QUIC_TRANSPORT_PARAMETERS_EXTENSION) #define NGX_QUIC_QUICTLS_API 1 _______________________________________________ nginx-devel mailing list nginx-devel@nginx.org https://mailman.nginx.org/mailman/listinfo/nginx-devel