<div dir="ltr">forgot to add that this affects only http3 requests [I've tested from more than one machine and multiple clients, including cURL and FF]<div><br></div><div>http2 request work fine with no change in configuration.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Dec 21, 2020 at 7:16 PM Surinder Sund <<a href="mailto:goodlord@gmail.com">goodlord@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="gmail_quote"><div dir="ltr"><div dir="ltr"><div><span style="font-family:monospace">I'm trying to get NGINX QUIC to work on a fresh install of Ubuntu 20.04.</span><br></div><div><font face="monospace"><br></font></div><div><span style="font-family:monospace">But I'm getting this error:</span><br></div><div><font face="monospace"><br></font></div><div><font face="monospace"><b>*1 SSL_do_handshake() failed (SSL: error:10000118:SSL routines:OPENSSL_internal:NO_SUPPORTED_VERSIONS_ENABLED)</b><br></font></div><div><font face="monospace"><br></font></div><div><font face="monospace">Looks like some issue with the way Boringssl is set up, or being used by Nginx?</font></div><div><br></div><div><br></div><div>HOW I BUILT BORINGSSL</div><div><br></div><div>cd boringssl; mkdir build ; cd build ; cmake -GNinja ..<br></div><div><div>ninja</div></div><div><br></div><div>NGINX DETAILS</div><div><b><br></b></div><div><b>~/nginx-quic# nginx -V</b><br></div><div><div><br></div><div>nginx version: nginx/1.19.6<b><br></b></div><div>built by gcc 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)</div><div>built with OpenSSL 1.1.1 (compatible; BoringSSL) (running with BoringSSL)</div><div>TLS SNI support enabled</div><div>configure arguments: --with-debug --with-http_v3_module --with-cc-opt=-I../boringssl/include --with-ld-opt='-L../boringssl/build/ssl -L../boringssl/build/crypto' --with-http_quic_module --with-stream_quic_module --with-http_image_filter_module --with-http_sub_module --with-stream --add-module=/usr/local/src/ngx_brotli --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --pid-path=/var/run/nginx.pid</div></div><div><br></div><div><br></div><div>HOW I BUILT NGINX QUIC:</div><div><div><br></div><div>cd ~/nginx-quic ;</div><div>./auto/configure --with-debug --with-http_v3_module \</div><div> --with-cc-opt="-I../boringssl/include" \</div><div> --with-ld-opt="-L../boringssl/build/ssl \</div><div> -L../boringssl/build/crypto" \</div><div>--with-http_quic_module --with-stream_quic_module --with-http_image_filter_module --with-http_sub_module --with-stream --add-module=/usr/local/src/ngx_brotli --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --pid-path=/var/run/nginx.pid </div></div><div><br></div><div><br></div><div>MY NGINX BUILD CONFIGURATION SUMMARY:</div><div><br></div><div><div>Configuration summary</div><div> + using system PCRE library</div><div> + using system OpenSSL library</div><div> + using system zlib library</div><div><br></div><div> nginx path prefix: "/etc/nginx"</div><div> nginx binary file: "/usr/sbin/nginx"</div><div> nginx modules path: "/usr/lib/nginx/modules"</div><div> nginx configuration prefix: "/etc/nginx"</div><div> nginx configuration file: "/etc/nginx/nginx.conf"</div><div> nginx pid file: "/var/run/nginx.pid"</div><div> nginx error log file: "/var/log/nginx/error.log"</div><div> nginx http access log file: "/etc/nginx/logs/access.log"</div><div> nginx http client request body temporary files: "client_body_temp"</div><div> nginx http proxy temporary files: "proxy_temp"</div><div> nginx http fastcgi temporary files: "fastcgi_temp"</div><div> nginx http uwsgi temporary files: "uwsgi_temp"</div><div> nginx http scgi temporary files: "scgi_temp"</div></div><div><br></div><div><br></div><div><br></div><div><br></div><div>MY SITE CONFIGURATION</div><div><br></div><div><font face="monospace"><br></font></div><div><div><font face="monospace"> listen 80;</font></div><div><font face="monospace"> listen [::]:80;</font></div><div><font face="monospace"> listen 443 ssl http2 fastopen=150;</font></div><div><font face="monospace"> listen [::]:443 ipv6only=on ssl fastopen=150;</font></div><div><font face="monospace"> include snippets/ssl-params.conf;</font></div><div><font face="monospace"> server_name blah.blah;</font></div><div><font face="monospace"> root /var/wordpress;</font></div><div><font face="monospace"> index index.html index.htm index.php;</font></div><div><font face="monospace"> access_log /var/log/nginx/xx.log;</font></div><div><font face="monospace"> error_log /var/log/nginx/xx-error_log;<br></font></div><div><font face="monospace"> ssl_early_data on;</font></div><div><font face="monospace"> listen 443 http3 reuseport;</font></div><div><font face="monospace"> listen [::]:443 http3 reuseport;</font></div><div><font face="monospace"> add_header Alt-Svc '$http3=":8443"; ma=86400';</font></div></div><div><font face="monospace"><br></font></div><div><font face="monospace"><br></font></div><div><font face="monospace"><b>in nginx.conf I've added this:</b></font></div><div><font face="monospace"><b><br></b></font></div><div><span style="font-family:monospace"> ssl_protocols TLSv1.3; #disabled 1.1 & 1.2</span><br></div><div><font face="monospace"><br></font></div><div><br></div><div>UDP is open on port 441, I've double checked this from the outside. So it's not a port issue.</div><div><font face="monospace"><br></font></div><div></div></div></div>
</div></div>
</blockquote></div>