NGINX-QUIC: OPENSSL_internal:NO_SUPPORTED_VERSIONS_ENABLED
Surinder Sund
goodlord at gmail.com
Tue Feb 2 13:22:14 UTC 2021
No no. UDP is open. Anyway, I've given up trying to get it working.
On Tue, Dec 22, 2020 at 10:34 PM Jonny Barnes <jonnybarnes at gmail.com> wrote:
> Do you have a firewall setup on the server to only allow traffic on 443 if
> it’s tcp traffic?
>
> Rule needs to be added for udp as well
>
> On Tue, 22 Dec 2020 at 13:08, Surinder Sund <goodlord at gmail.com> wrote:
>
>> Thank You Johny.
>>
>> I fixed that (In fact, I'd fixed it in the trial machine earlier, but
>> when I restored a backup, it came back in).
>>
>> Unfortunately, the error still remains.
>>
>> Pls see the picture below. I can confirm that the traffic is hitting
>> 443/UDP, but nothing is being returned.
>>
>>
>> https://drive.google.com/file/d/1knHKb_jUcjdY71wCz-w1TG4QupxH9CN3/view?usp=sharing
>>
>> [image: image.png]
>>
>> Looks like no cigar for me yet.
>>
>>
>>
>>
>>
>> On Mon, Dec 21, 2020 at 10:24 PM Jonny Barnes <jonnybarnes at gmail.com>
>> wrote:
>>
>>> I think your Alt Svc header should be pointing to port 443, not 8443
>>>
>>> On Mon, 21 Dec 2020 at 14:41, Surinder Sund <goodlord at gmail.com> wrote:
>>>
>>>> forgot to add that this affects only http3 requests [I've tested from
>>>> more than one machine and multiple clients, including cURL and FF]
>>>>
>>>> http2 request work fine with no change in configuration.
>>>>
>>>> On Mon, Dec 21, 2020 at 7:16 PM Surinder Sund <goodlord at gmail.com>
>>>> wrote:
>>>>
>>>>> I'm trying to get NGINX QUIC to work on a fresh install of Ubuntu
>>>>> 20.04.
>>>>>
>>>>> But I'm getting this error:
>>>>>
>>>>> **1 SSL_do_handshake() failed (SSL: error:10000118:SSL
>>>>> routines:OPENSSL_internal:NO_SUPPORTED_VERSIONS_ENABLED)*
>>>>>
>>>>> Looks like some issue with the way Boringssl is set up, or being used
>>>>> by Nginx?
>>>>>
>>>>>
>>>>> HOW I BUILT BORINGSSL
>>>>>
>>>>> cd boringssl; mkdir build ; cd build ; cmake -GNinja ..
>>>>> ninja
>>>>>
>>>>> NGINX DETAILS
>>>>>
>>>>> *~/nginx-quic# nginx -V*
>>>>>
>>>>> nginx version: nginx/1.19.6
>>>>> built by gcc 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)
>>>>> built with OpenSSL 1.1.1 (compatible; BoringSSL) (running with
>>>>> BoringSSL)
>>>>> TLS SNI support enabled
>>>>> configure arguments: --with-debug --with-http_v3_module
>>>>> --with-cc-opt=-I../boringssl/include
>>>>> --with-ld-opt='-L../boringssl/build/ssl -L../boringssl/build/crypto'
>>>>> --with-http_quic_module --with-stream_quic_module
>>>>> --with-http_image_filter_module --with-http_sub_module --with-stream
>>>>> --add-module=/usr/local/src/ngx_brotli --prefix=/etc/nginx
>>>>> --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules
>>>>> --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log
>>>>> --pid-path=/var/run/nginx.pid
>>>>>
>>>>>
>>>>> HOW I BUILT NGINX QUIC:
>>>>>
>>>>> cd ~/nginx-quic ;
>>>>> ./auto/configure --with-debug --with-http_v3_module \
>>>>> --with-cc-opt="-I../boringssl/include" \
>>>>> --with-ld-opt="-L../boringssl/build/ssl \
>>>>> -L../boringssl/build/crypto" \
>>>>> --with-http_quic_module --with-stream_quic_module
>>>>> --with-http_image_filter_module --with-http_sub_module --with-stream
>>>>> --add-module=/usr/local/src/ngx_brotli --prefix=/etc/nginx
>>>>> --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules
>>>>> --conf-path=/etc/nginx/nginx.conf
>>>>> --error-log-path=/var/log/nginx/error.log --pid-path=/var/run/nginx.pid
>>>>>
>>>>>
>>>>> MY NGINX BUILD CONFIGURATION SUMMARY:
>>>>>
>>>>> Configuration summary
>>>>> + using system PCRE library
>>>>> + using system OpenSSL library
>>>>> + using system zlib library
>>>>>
>>>>> nginx path prefix: "/etc/nginx"
>>>>> nginx binary file: "/usr/sbin/nginx"
>>>>> nginx modules path: "/usr/lib/nginx/modules"
>>>>> nginx configuration prefix: "/etc/nginx"
>>>>> nginx configuration file: "/etc/nginx/nginx.conf"
>>>>> nginx pid file: "/var/run/nginx.pid"
>>>>> nginx error log file: "/var/log/nginx/error.log"
>>>>> nginx http access log file: "/etc/nginx/logs/access.log"
>>>>> nginx http client request body temporary files: "client_body_temp"
>>>>> nginx http proxy temporary files: "proxy_temp"
>>>>> nginx http fastcgi temporary files: "fastcgi_temp"
>>>>> nginx http uwsgi temporary files: "uwsgi_temp"
>>>>> nginx http scgi temporary files: "scgi_temp"
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> MY SITE CONFIGURATION
>>>>>
>>>>>
>>>>> listen 80;
>>>>> listen [::]:80;
>>>>> listen 443 ssl http2 fastopen=150;
>>>>> listen [::]:443 ipv6only=on ssl fastopen=150;
>>>>> include snippets/ssl-params.conf;
>>>>> server_name blah.blah;
>>>>> root /var/wordpress;
>>>>> index index.html index.htm index.php;
>>>>> access_log /var/log/nginx/xx.log;
>>>>> error_log /var/log/nginx/xx-error_log;
>>>>> ssl_early_data on;
>>>>> listen 443 http3 reuseport;
>>>>> listen [::]:443 http3 reuseport;
>>>>> add_header Alt-Svc '$http3=":8443"; ma=86400';
>>>>>
>>>>>
>>>>> *in nginx.conf I've added this:*
>>>>>
>>>>> ssl_protocols TLSv1.3; #disabled 1.1 & 1.2
>>>>>
>>>>>
>>>>> UDP is open on port 441, I've double checked this from the outside. So
>>>>> it's not a port issue.
>>>>>
>>>>> _______________________________________________
>>>> nginx-devel mailing list
>>>> nginx-devel at nginx.org
>>>> http://mailman.nginx.org/mailman/listinfo/nginx-devel
>>>
>>> _______________________________________________
>>> nginx-devel mailing list
>>> nginx-devel at nginx.org
>>> http://mailman.nginx.org/mailman/listinfo/nginx-devel
>>
>> _______________________________________________
>> nginx-devel mailing list
>> nginx-devel at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx-devel
>
> _______________________________________________
> nginx-devel mailing list
> nginx-devel at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20210202/9c789f97/attachment-0001.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 34331 bytes
Desc: not available
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20210202/9c789f97/attachment-0001.png>
More information about the nginx-devel
mailing list