Hello!

On Thu, Dec 02, 2021 at 01:44:02PM +0300, Sergey Kandaurov wrote:
> > On 24 Nov 2021, at 22:58, izor...@gmail.com wrote:
> > 
> > Hello.
> > 
> > I built nginx with the QuicTLS library - https://github.com/quictls/openssl
> > When the HTTP3 protocol is enabled on several hosts, errors like these
> > start pouring into the log:
> > ```
> > 2021/11/24 22:52:45 [error] 40152#40152: *51 SSL_do_handshake() failed
> > (SSL: error:0A0C0101:SSL routines::called a function you should not call)
> > while handling frames, client: 91...., server: 0.0.0.0:443
> > 2021/11/24 22:52:45 [error] 40151#40151: *52 SSL_do_handshake() failed
> > (SSL: error:0A0C0101:SSL routines::called a function you should not call)
> > while handling frames, client: 91...., server: 0.0.0.0:443
> > 2021/11/24 22:52:45 [error] 40153#40153: *53 SSL_do_handshake() failed
> > (SSL: error:0A0C0101:SSL routines::called a function you should not call)
> > while handling frames, client: 91...., server: 0.0.0.0:443
> > ```
> > If BoringSSL is used with the same configuration, there is no such error.
> 
> Try this patch:
> 
> # HG changeset patch
> # User Sergey Kandaurov <pluk...@nginx.com>
> # Date 1638441718 -10800
> # Thu Dec 02 13:41:58 2021 +0300
> # Branch quic
> # Node ID 45c2b34248365f63bcec694a8587d11f52441ac9
> # Parent aa0bd5f3127f6a27669b9e6f8362ba9254785193
> QUIC: clear SSL_OP_ENABLE_MIDDLEBOX_COMPAT on SSL context switch.
> 
> The SSL_OP_ENABLE_MIDDLEBOX_COMPAT option is provided by QuicTLS and enabled
> by default in the newly created SSL contexts. SSL_set_quic_method() is used
> to clear it, which is required for SSL handshake to work on QUIC connections.
> Switching context in the ngx_http_ssl_servername() SNI callback overrides SSL
> options from the new SSL context. This results in the option set again.
> Fix is to explicitly clear it when switching to another SSL context.
> 
> Initially reported here (in Russian):
> http://mailman.nginx.org/pipermail/nginx-ru/2021-November/063989.html
> 
> diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
> --- a/src/http/ngx_http_request.c
> +++ b/src/http/ngx_http_request.c
> @@ -962,7 +962,14 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *
> #ifdef SSL_OP_NO_RENEGOTIATION
> SSL_set_options(ssl_conn, SSL_OP_NO_RENEGOTIATION);
> #endif
> +
> +#ifdef SSL_OP_ENABLE_MIDDLEBOX_COMPAT
> +#if (NGX_QUIC)
> + if (c->listening->quic) {
> + SSL_clear_options(ssl_conn, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
> }
> +#endif
> +#endif
> 
> done:

At a glance, it looks like the indentation is wrong and the closing curly brace was forgotten.

-- 
Maxim Dounin
http://mdounin.ru/

_______________________________________________
nginx-ru mailing list
nginx-ru@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-ru
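Review bot: the added `if (c->listening->quic) {` in this hunk has no matching added closing brace. The only `}` after `SSL_clear_options(ssl_conn, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);` is an unchanged context line (no `+` prefix), so it is the brace that already closed the enclosing block before the patch; with both `SSL_OP_ENABLE_MIDDLEBOX_COMPAT` and `NGX_QUIC` defined, the new `if` consumes that brace and the enclosing block is left unclosed, which will not compile. Add a `+        }` line between `+ SSL_clear_options(...)` and `+#endif`, keep the existing `}` as context after the two `+#endif` lines, and indent the new lines to the level of the surrounding block (the `@@ -962,7 +962,14 @@` count then becomes 15 added lines).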