Re: nginxQuic: support for the OpenSSL quicktls library

Sergey Kandaurov pluknet at nginx.com
Thu Dec 2 14:01:57 UTC 2021


> On 2 Dec 2021, at 16:30, Maxim Dounin <mdounin at mdounin.ru> wrote:
> 
> Hello!
> 
> On Thu, Dec 02, 2021 at 01:44:02PM +0300, Sergey Kandaurov wrote:
> 
>>> On 24 Nov 2021, at 22:58, izorkin at gmail.com wrote:
>>> 
>>> Hello.
>>> 
>>> I built nginx with the QuicTLS library - https://github.com/quictls/openssl
>>> When HTTP/3 is enabled on several hosts, errors like these start pouring into the log:
>>> ```
>>> 2021/11/24 22:52:45 [error] 40152#40152: *51 SSL_do_handshake() failed (SSL: error:0A0C0101:SSL routines::called a function you should not call) while handling frames, client: 91...., server: 0.0.0.0:443
>>> 2021/11/24 22:52:45 [error] 40151#40151: *52 SSL_do_handshake() failed (SSL: error:0A0C0101:SSL routines::called a function you should not call) while handling frames, client: 91...., server: 0.0.0.0:443
>>> 2021/11/24 22:52:45 [error] 40153#40153: *53 SSL_do_handshake() failed (SSL: error:0A0C0101:SSL routines::called a function you should not call) while handling frames, client: 91...., server: 0.0.0.0:443
>>> ```
>>> With BoringSSL and an equivalent configuration this error does not occur.
>>> 
>> 
>> Try this patch:
>> 
>> # HG changeset patch
>> # User Sergey Kandaurov <pluknet на nginx.com>
>> # Date 1638441718 -10800
>> #      Thu Dec 02 13:41:58 2021 +0300
>> # Branch quic
>> # Node ID 45c2b34248365f63bcec694a8587d11f52441ac9
>> # Parent  aa0bd5f3127f6a27669b9e6f8362ba9254785193
>> QUIC: clear SSL_OP_ENABLE_MIDDLEBOX_COMPAT on SSL context switch.
>> 
>> The SSL_OP_ENABLE_MIDDLEBOX_COMPAT option is provided by QuicTLS and enabled
>> by default in the newly created SSL contexts.  SSL_set_quic_method() is used
>> to clear it, which is required for SSL handshake to work on QUIC connections.
>> Switching context in the ngx_http_ssl_servername() SNI callback overrides SSL
>> options from the new SSL context.  This results in the option set again.
>> Fix is to explicitly clear it when switching to another SSL context.
>> 
>> Initially reported here (in Russian):
>> http://mailman.nginx.org/pipermail/nginx-ru/2021-November/063989.html
>> 
>> diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
>> --- a/src/http/ngx_http_request.c
>> +++ b/src/http/ngx_http_request.c
>> @@ -962,7 +962,14 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *
>> #ifdef SSL_OP_NO_RENEGOTIATION
>>         SSL_set_options(ssl_conn, SSL_OP_NO_RENEGOTIATION);
>> #endif
>> +
>> +#ifdef SSL_OP_ENABLE_MIDDLEBOX_COMPAT
>> +#if (NGX_QUIC)
>> +    if (c->listening->quic) {
>> +        SSL_clear_options(ssl_conn, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
>>     }
>> +#endif
>> +#endif
>> 
>> done:
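Review bot: the added `if (c->listening->quic) {` has no matching closing brace, so this hunk will not compile: it is opened at 4-space indentation while the neighbouring `SSL_set_options(ssl_conn, SSL_OP_NO_RENEGOTIATION);` sits at 8, and the `    }` context line below it closes the enclosing block, not the new `if`. Indent the `#if (NGX_QUIC)` body to the same level as the `SSL_set_options` call and add a `}` after the `SSL_clear_options` line. The hunk header also claims 7 old / 14 new lines while only 6 context and 7 added lines are visible, which suggests the pasted text lost a line or some whitespace in transit; resending the changeset as exported rather than pasted would make it apply cleanly.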
> 
> At a glance it looks like the indentation is wrong and the closing
> curly brace has been forgotten.
> 

Thanks, I apparently got distracted while porting this over from ngx_ssl_create().

diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -962,6 +962,14 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *
 #ifdef SSL_OP_NO_RENEGOTIATION
         SSL_set_options(ssl_conn, SSL_OP_NO_RENEGOTIATION);
 #endif
+
+#ifdef SSL_OP_ENABLE_MIDDLEBOX_COMPAT
+#if (NGX_HTTP_QUIC)
+        if (c->listening->quic) {
+            SSL_clear_options(ssl_conn, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
+        }
+#endif
+#endif
     }
 
 done:
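Review bot: the brace and indentation problems from the previous version are resolved, and the header counts (6 old, 14 new) now match the lines shown. One point on the description that accompanies this change in the earlier mail: SSL_OP_ENABLE_MIDDLEBOX_COMPAT is not provided only by QuicTLS, stock OpenSSL 1.1.1 and later define it as well, so `#ifdef SSL_OP_ENABLE_MIDDLEBOX_COMPAT` compiles this block on any such build and it is the runtime `if (c->listening->quic)` check that limits the clear to QUIC connections while leaving TCP/TLS listeners untouched; rewording "provided by QuicTLS" to "defined in OpenSSL 1.1.1+ and QuicTLS" would make the commit message accurate. Also note that the guard changed from `NGX_QUIC` to `NGX_HTTP_QUIC` between the two versions; that is the right macro only if it is the one the http module's QUIC support is compiled under, so worth a quick grep before pushing.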

-- 
Sergey Kandaurov
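The report at the top of this thread shows the error signature that the patch is meant to remove. As an added example that is not part of the thread or of nginx itself, the following Python parses nginx error-log lines of that shape and counts `SSL_do_handshake()` failures per OpenSSL reason code and per (worker pid, listen address), which is a quick way to confirm before and after applying the patch that the `error:0A0C0101` failures are gone and that nothing else changed. The sample lines are constructed for this example (the first two are modelled on the reported ones, the client addresses are truncated or use documentation ranges, and the third error line is an unrelated, constructed handshake failure added so that the grouping is visible).

```python
import re
from collections import Counter

# Constructed sample input modelled on the log excerpt in this thread.
SAMPLE_LOG = """\
2021/11/24 22:52:45 [error] 40152#40152: *51 SSL_do_handshake() failed (SSL: error:0A0C0101:SSL routines::called a function you should not call) while handling frames, client: 91...., server: 0.0.0.0:443
2021/11/24 22:52:45 [error] 40151#40151: *52 SSL_do_handshake() failed (SSL: error:0A0C0101:SSL routines::called a function you should not call) while handling frames, client: 91...., server: 0.0.0.0:443
2021/11/24 22:52:46 [info] 40151#40151: *53 client 203.0.113.7 closed keepalive connection
2021/11/24 22:52:47 [error] 40153#40153: *54 SSL_do_handshake() failed (SSL: error:0A000126:SSL routines::unexpected eof while reading) while SSL handshaking, client: 203.0.113.9, server: 0.0.0.0:443
"""

# nginx error log line: "date time [level] pid#tid: *cid message, client: X, server: Y"
# The connection id and the trailing client/server fields are optional.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) '
    r'\[(?P<level>\w+)\] (?P<pid>\d+)#(?P<tid>\d+): '
    r'(?:\*(?P<cid>\d+) )?(?P<msg>.*?)'
    r'(?:, client: (?P<client>\S+))?'
    r'(?:, server: (?P<server>\S+))?$'
)

# OpenSSL 3 / QuicTLS error string: "error:<8 hex>:<lib>:<func>:<reason>"
SSL_ERR_RE = re.compile(
    r'SSL: error:(?P<code>[0-9A-F]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^)]*)\)'
)


def parse_line(line):
    """Split one error-log line into its fields; return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    e = SSL_ERR_RE.search(rec['msg'])
    rec['ssl_code'] = e.group('code') if e else None
    rec['ssl_reason'] = e.group('reason') if e else None
    return rec


def summarize(text):
    """Count SSL_do_handshake() failures by OpenSSL reason and by (pid, server)."""
    by_code = Counter()
    by_worker = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec['level'] != 'error':
            continue
        if not rec['msg'].startswith('SSL_do_handshake() failed'):
            continue
        by_code[(rec['ssl_code'], rec['ssl_reason'])] += 1
        by_worker[(rec['pid'], rec['server'])] += 1
    return by_code, by_worker


if __name__ == '__main__':
    codes, workers = summarize(SAMPLE_LOG)
    for (code, reason), n in codes.most_common():
        print(f'{n:5d}  error:{code}  {reason}')
    for (pid, server), n in workers.most_common():
        print(f'{n:5d}  pid {pid}  server {server}')
```

Run it against a real error log with `summarize(open('/var/log/nginx/error.log').read())`; a healthy run after the patch should show no `0A0C0101` entry at all, and any remaining handshake failures will be listed under their own reason code.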


