NGINX-QUIC: OPENSSL_internal:NO_SUPPORTED_VERSIONS_ENABLED

Jonny Barnes jonnybarnes at gmail.com
Tue Dec 22 17:04:38 UTC 2020


Do you have a firewall setup on the server to only allow traffic on 443 if
it’s tcp traffic?

Rule needs to be added for udp as well

On Tue, 22 Dec 2020 at 13:08, Surinder Sund <goodlord at gmail.com> wrote:

> Thank You Johny.
>
> I fixed that (In fact, I'd fixed it in the trial machine earlier, but when
> I restored a backup, it came back in).
>
> Unfortunately, the error still remains.
>
> Pls see the picture below. I can confirm that the traffic is hitting
> 443/UDP, but nothing is being returned.
>
>
> https://drive.google.com/file/d/1knHKb_jUcjdY71wCz-w1TG4QupxH9CN3/view?usp=sharing
>
> [image: image.png]
>
> Looks like no cigar for me yet.
>
>
>
>
>
> On Mon, Dec 21, 2020 at 10:24 PM Jonny Barnes <jonnybarnes at gmail.com>
> wrote:
>
>> I think your Alt Svc header should be pointing to port 443, not 8443
>>
>> On Mon, 21 Dec 2020 at 14:41, Surinder Sund <goodlord at gmail.com> wrote:
>>
>>> forgot to add that this affects only http3 requests [I've tested from
>>> more than one machine and multiple clients, including cURL and FF]
>>>
>>> http2 request work fine with no change in configuration.
>>>
>>> On Mon, Dec 21, 2020 at 7:16 PM Surinder Sund <goodlord at gmail.com>
>>> wrote:
>>>
>>>> I'm trying to get NGINX QUIC to work on a fresh install of Ubuntu 20.04.
>>>>
>>>> But I'm getting this error:
>>>>
>>>> **1 SSL_do_handshake() failed (SSL: error:10000118:SSL
>>>> routines:OPENSSL_internal:NO_SUPPORTED_VERSIONS_ENABLED)*
>>>>
>>>> Looks like some issue with the way Boringssl is set up, or being used
>>>> by Nginx?
>>>>
>>>>
>>>> HOW I BUILT BORINGSSL
>>>>
>>>> cd boringssl; mkdir build ; cd build ; cmake -GNinja ..
>>>> ninja
>>>>
>>>> NGINX DETAILS
>>>>
>>>> *~/nginx-quic# nginx -V*
>>>>
>>>> nginx version: nginx/1.19.6
>>>> built by gcc 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)
>>>> built with OpenSSL 1.1.1 (compatible; BoringSSL) (running with
>>>> BoringSSL)
>>>> TLS SNI support enabled
>>>> configure arguments: --with-debug --with-http_v3_module
>>>> --with-cc-opt=-I../boringssl/include
>>>> --with-ld-opt='-L../boringssl/build/ssl -L../boringssl/build/crypto'
>>>> --with-http_quic_module --with-stream_quic_module
>>>> --with-http_image_filter_module --with-http_sub_module --with-stream
>>>> --add-module=/usr/local/src/ngx_brotli --prefix=/etc/nginx
>>>> --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules
>>>> --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log
>>>> --pid-path=/var/run/nginx.pid
>>>>
>>>>
>>>> HOW I BUILT NGINX QUIC:
>>>>
>>>> cd ~/nginx-quic ;
>>>> ./auto/configure --with-debug --with-http_v3_module       \
>>>>                        --with-cc-opt="-I../boringssl/include"   \
>>>>                        --with-ld-opt="-L../boringssl/build/ssl  \
>>>>                                       -L../boringssl/build/crypto"    \
>>>> --with-http_quic_module  --with-stream_quic_module
>>>>  --with-http_image_filter_module --with-http_sub_module --with-stream
>>>> --add-module=/usr/local/src/ngx_brotli    --prefix=/etc/nginx
>>>> --sbin-path=/usr/sbin/nginx   --modules-path=/usr/lib/nginx/modules
>>>>  --conf-path=/etc/nginx/nginx.conf
>>>> --error-log-path=/var/log/nginx/error.log --pid-path=/var/run/nginx.pid
>>>>
>>>>
>>>> MY NGINX BUILD CONFIGURATION SUMMARY:
>>>>
>>>> Configuration summary
>>>>   + using system PCRE library
>>>>   + using system OpenSSL library
>>>>   + using system zlib library
>>>>
>>>>   nginx path prefix: "/etc/nginx"
>>>>   nginx binary file: "/usr/sbin/nginx"
>>>>   nginx modules path: "/usr/lib/nginx/modules"
>>>>   nginx configuration prefix: "/etc/nginx"
>>>>   nginx configuration file: "/etc/nginx/nginx.conf"
>>>>   nginx pid file: "/var/run/nginx.pid"
>>>>   nginx error log file: "/var/log/nginx/error.log"
>>>>   nginx http access log file: "/etc/nginx/logs/access.log"
>>>>   nginx http client request body temporary files: "client_body_temp"
>>>>   nginx http proxy temporary files: "proxy_temp"
>>>>   nginx http fastcgi temporary files: "fastcgi_temp"
>>>>   nginx http uwsgi temporary files: "uwsgi_temp"
>>>>   nginx http scgi temporary files: "scgi_temp"
>>>>
>>>>
>>>>
>>>>
>>>> MY SITE CONFIGURATION
>>>>
>>>>
>>>>             listen 80;
>>>>             listen [::]:80;
>>>>             listen 443 ssl http2 fastopen=150;
>>>>             listen   [::]:443 ipv6only=on ssl  fastopen=150;
>>>>             include snippets/ssl-params.conf;
>>>>             server_name blah.blah;
>>>>             root /var/wordpress;
>>>>             index index.html index.htm index.php;
>>>>             access_log /var/log/nginx/xx.log;
>>>>             error_log /var/log/nginx/xx-error_log;
>>>>             ssl_early_data on;
>>>>             listen 443 http3 reuseport;
>>>>             listen [::]:443 http3 reuseport;
>>>>             add_header Alt-Svc '$http3=":8443"; ma=86400';
>>>>
>>>>
>>>> *in nginx.conf I've added this:*
>>>>
>>>>            ssl_protocols  TLSv1.3; #disabled 1.1 & 1.2
>>>>
>>>>
>>>> UDP is open on port 441, I've double checked this from the outside. So
>>>> it's not a port issue.
>>>>
>>>> _______________________________________________
>>> nginx-devel mailing list
>>> nginx-devel at nginx.org
>>> http://mailman.nginx.org/mailman/listinfo/nginx-devel
>>
>> _______________________________________________
>> nginx-devel mailing list
>> nginx-devel at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx-devel
>
> _______________________________________________
> nginx-devel mailing list
> nginx-devel at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20201222/29d4148e/attachment-0001.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 34331 bytes
Desc: not available
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20201222/29d4148e/attachment-0001.png>


More information about the nginx-devel mailing list