Hello,

Commits 7468a10b62276be4adee0fcd6aaf6244270984ab "QUIC: adjusted handling of callback errors." and 47f96993f669543c6cb4979dd3f680ad01314ee5 "QUIC: logging of SSL library errors." lead to the situation when you may get spurious "ignoring stale global SSL error" errors in unrelated connections.

This happens due to the fact that the openssl error queue is (thread) global, and the quic handshake handler does not read out the error after the failed handshake and relies on qc->error set by the callback. So the error stays in the queue and may show itself in an unrelated quic connection, typically on SSL shutdown.

The config below may be used to reproduce the issue:

>>>
daemon off;
error_log logs/error.log debug;

events {
}

http {
    ssl_certificate_key localhost.key;
    ssl_certificate localhost.crt;

    server {
        error_log logs/good.log debug;
        listen 127.0.0.1:8080 quic;
        location / { return 200 OK; }
    }

    server {
        error_log logs/reject.log debug;
        listen 127.0.0.1:8081 quic;
        ssl_reject_handshake on;
        location / { return 200 OK; }
    }
}
<<<

Start the server and run:

$ curl -k --http3 https://127.0.0.1:8080/
$ curl -k --http3 https://127.0.0.1:8081/

The result is an alert in good.log:

2025/08/15 09:58:19 [alert] 1154786#1154786: *1 ignoring stale global SSL error (SSL: error:10000084:SSL routines:OPENSSL_internal:CLIENTHELLO_TLSEXT error:100000be:SSL routines:OPENSSL_internal:PARSE_TLSEXT) while preparing ack, client: 127.0.0.1, server: 127.0.0.1:8080

caused by the failed handshake in server 2; when the ngx_http_ssl_servername() callback returns an error, the ngx_quic_send_alert() sets qc->error, and the ngx_quic_ssl_handshake() checks qc->error after SSL_do_handshake() and closes the connection. But the error stays, and manifests itself later in another connection in the same process.

The quic fix is probably something like this:

diff --git a/src/event/quic/ngx_event_quic_ssl.c b/src/event/quic/ngx_event_quic_ssl.c index e961c80cd..dc0a030ff 100644 --- a/src/event/quic/ngx_event_quic_ssl.c +++ b/src/event/quic/ngx_event_quic_ssl.c 
@@ -696,6 +696,7 @@ ngx_quic_handshake(ngx_connection_t *c) ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_do_handshake: %d", n); if (qc->error) { + ERR_clear_error(); return NGX_ERROR; }

Or maybe it makes sense to clear the error at the moment of setting qc->error; and not clear everything, but try to log using ngx_ssl_error() with some non-alert level.

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel
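
Review bot: In the `if (qc->error)` branch of ngx_quic_handshake(), the added ERR_clear_error() drops whatever is in the queue without logging it, so the library's reason for the failed handshake is lost unless it was already logged where qc->error was set. Consider logging the queued entries at a non-alert level with ngx_ssl_error() before clearing, as the message itself suggests, and add a short comment above the call saying that the queue is thread-global and would otherwise surface as "ignoring stale global SSL error" on an unrelated connection.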
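
The leak described in this report, as an added model that is not nginx or OpenSSL code and not part of the original message: a small array stands in for the thread-global error queue, `struct conn` and every `model_*` function are hypothetical, and only the two error codes are taken from the log line quoted above.

```c
#include <stddef.h>
#include <stdio.h>

/* Model of the per-thread error queue; stand-ins for the ERR_* calls. */
#define QUEUE_MAX 8
static unsigned long err_queue[QUEUE_MAX];
static size_t err_count;

static void model_err_raise(unsigned long code) {
    if (err_count < QUEUE_MAX) err_queue[err_count++] = code;
}
static unsigned long model_err_peek(void) { return err_count ? err_queue[0] : 0; }
static void model_err_clear(void) { err_count = 0; }

/* Hypothetical connection state; 'error' plays the role of qc->error. */
struct conn { int error; int stale_alerts; };

/* A rejected handshake queues library errors and sets the connection's error
 * flag; the handler then returns on the flag alone, draining only if asked. */
static int model_handshake(struct conn *c, int reject, int drain_on_error) {
    if (reject) {
        model_err_raise(0x10000084UL);  /* codes from the quoted log line */
        model_err_raise(0x100000beUL);
        c->error = 1;
    }
    if (c->error) {
        if (drain_on_error) model_err_clear();  /* the change proposed above */
        return -1;
    }
    return 0;
}

/* Before an SSL operation, leftover entries are reported as stale and dropped. */
static void model_ssl_op(struct conn *c) {
    if (model_err_peek() != 0) {
        c->stale_alerts++;
        model_err_clear();
    }
}

/* Number of stale-error alerts charged to the healthy connection. */
int stale_alerts_on_good_conn(int drain_on_error) {
    struct conn good = {0, 0}, rejected = {0, 0};
    model_err_clear();
    model_handshake(&good, 0, drain_on_error);
    model_handshake(&rejected, 1, drain_on_error);
    model_ssl_op(&good);  /* e.g. shutdown of the unrelated connection */
    return good.stale_alerts;
}

int main(void) {
    printf("stale alerts without drain: %d, with drain: %d\n",
           stale_alerts_on_good_conn(0), stale_alerts_on_good_conn(1));
    return 0;
}
```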