Clients fail to connect via HTTP3 over QUIC

Vladimir Homutov vl at nginx.com
Tue Feb 22 06:41:06 UTC 2022


22.02.2022 00:43, David Hu via nginx-devel wrote:
> I have compiled the latest master branch of nginx-quic with these options:
> 
> nginx version: nginx/1.21.7 (8861:b5c87e0e57ef)
> built with OpenSSL 3.0.1+quic 14 Dec 2021
> TLS SNI support enabled
> configure arguments: --prefix=/usr/local/nginx --build=8861:b5c87e0e57ef 
> --with-debug --with-http_ssl_module --with-http_v2_module 
> --with-stream_quic_module --with-http_v3_module 
> --with-cc-opt='-I/usr/local/include/openssl -O0 -DNGX_HTTP_V3_HQ=1' 
> --with-ld-opt=-L/usr/local/lib64
> 
> and OpenSSL version (quictls):
> OpenSSL 3.0.1+quic 14 Dec 2021 (Library: OpenSSL 3.0.1+quic 14 Dec 2021)
> built on: Sun Feb 20 01:43:12 2022 UTC
> platform: linux-x86_64
> options:  bn(64,64)
> compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 
> -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC 
> -DOPENSSL_BUILDING_OPENSSL -DNDEBUG -DOPENSSL_TLS_SECURITY_LEVEL=2
> OPENSSLDIR: "/usr/local/ssl"
> ENGINESDIR: "/usr/local/lib64/engines-81.3"
> MODULESDIR: "/usr/local/lib64/ossl-modules"
> Seeding source: os-specific
> CPUINFO: OPENSSL_ia32cap=0xfff83203078bffff:0x4219c01ab
> 
> 
> And my nginx config file http block looks like this:
> [redacted sensitive configs]
> http {
>      [redacted some configs]
>      quic_retry on;
>      http3_push on;
>      http3_hq on;
> }
> 
> However clients cannot connect to my server either through H3 or HQ anymore
> 
> Wireshark shows handshake failure
> CONNECTION_CLOSE (Transport) Error code: CRYPTO_ERROR (No application 
> Protocol)
>      Frame Type: CONNECTION_CLOSE (Transport) (0x000000000000001c)
>      Error code: CRYPTO_ERROR (376)
>      TLS Alert Description: No application Protocol (120)
>      Frame Type: 0
>      Reason phrase Length: 16
>      Reason phrase: handshake failed
> 
> 
> How am I supposed to solve this?

First, check the logs, the error should be logged. Message supposes your 
client did not send proper protocol (or no ALPN at all). We've recently
removed draft version support 
(http://hg.nginx.org/nginx-quic/rev/d8865baab732), so now only quic v1 
is supported, and "h3" should be used for application protocol. You may 
want to check your configuration for 'Alt-Svc' header.
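
An added example, not part of the original thread or of nginx: a Python check that decodes the CRYPTO_ERROR code from the capture above into its TLS alert and audits an Alt-Svc header value for draft HTTP/3 tokens that a QUIC v1-only server will not negotiate. The function names are hypothetical and the header strings in the usage are constructed samples.

```python
import re

# RFC 9001 section 4.8: a TLS alert is reported as QUIC error 0x0100 + alert.
CRYPTO_ERROR_BASE = 0x0100
CRYPTO_ERROR_MAX = 0x01FF
TLS_ALERTS = {40: "handshake_failure", 120: "no_application_protocol"}  # subset

def tls_alert_from_quic_error(code):
    """Return (alert_number, name) for a CRYPTO_ERROR code, else None."""
    if not CRYPTO_ERROR_BASE <= code <= CRYPTO_ERROR_MAX:
        return None
    alert = code - CRYPTO_ERROR_BASE
    return alert, TLS_ALERTS.get(alert, "unknown")

# One Alt-Svc entry: protocol-id="host:port" followed by optional ;params
_ENTRY = re.compile(r'\s*([^=\s;,]+)\s*=\s*"([^"]*)"')
# Commas separate entries, but only when they are outside double quotes.
_COMMA = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')
_DRAFT_H3 = re.compile(r'^h3-\d+$')  # e.g. h3-29: pre-RFC draft tokens

def alt_svc_protocols(header):
    """Return the protocol ids advertised in an Alt-Svc header value."""
    if header.strip().lower() == "clear":
        return []
    found = []
    for entry in _COMMA.split(header):
        m = _ENTRY.match(entry)
        if m:
            found.append(m.group(1))
    return found

def audit_alt_svc(header):
    """Classify advertised ids: final "h3", draft h3-NN, and everything else."""
    result = {"h3": False, "drafts": [], "other": []}
    for proto in alt_svc_protocols(header):
        if proto == "h3":
            result["h3"] = True
        elif _DRAFT_H3.match(proto):
            result["drafts"].append(proto)
        else:
            result["other"].append(proto)
    return result

if __name__ == "__main__":
    print(tls_alert_from_quic_error(376))  # value from the Wireshark capture
    # Constructed sample: a header still advertising only draft versions.
    print(audit_alt_svc('h3-29=":443"; ma=86400, h3-27=":443"; ma=86400'))
```

A header for which `audit_alt_svc` reports drafts but no `h3` steers clients toward ALPN values the server no longer accepts.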


