Mercurial > hg > nginx
comparison src/http/ngx_http_request.c @ 8928:e06283038ec8 quic
QUIC: clear SSL_OP_ENABLE_MIDDLEBOX_COMPAT on SSL context switch.
The SSL_OP_ENABLE_MIDDLEBOX_COMPAT option is provided by QuicTLS and enabled
by default in the newly created SSL contexts. SSL_set_quic_method() is used
to clear it, which is required for SSL handshake to work on QUIC connections.
Switching context in the ngx_http_ssl_servername() SNI callback overrides SSL
options from the new SSL context. This results in the option set again.
Fix is to explicitly clear it when switching to another SSL context.
Initially reported here (in Russian):
http://mailman.nginx.org/pipermail/nginx-ru/2021-November/063989.html
| author | Sergey Kandaurov <pluknet@nginx.com> |
|---|---|
| date | Tue, 07 Dec 2021 15:49:51 +0300 |
| parents | be08b858086a |
| children | 0ee56d2eac44 |
comparison
equal
deleted
inserted
replaced
| 8927:e4952530e6af | 8928:e06283038ec8 |
|---|---|
| 952 SSL_set_options(ssl_conn, SSL_CTX_get_options(sscf->ssl.ctx)); | 952 SSL_set_options(ssl_conn, SSL_CTX_get_options(sscf->ssl.ctx)); |
| 953 | 953 |
| 954 #ifdef SSL_OP_NO_RENEGOTIATION | 954 #ifdef SSL_OP_NO_RENEGOTIATION |
| 955 SSL_set_options(ssl_conn, SSL_OP_NO_RENEGOTIATION); | 955 SSL_set_options(ssl_conn, SSL_OP_NO_RENEGOTIATION); |
| 956 #endif | 956 #endif |
| 957 | |
| 958 #ifdef SSL_OP_ENABLE_MIDDLEBOX_COMPAT | |
| 959 #if (NGX_HTTP_QUIC) | |
| 960 if (c->listening->quic) { | |
| 961 SSL_clear_options(ssl_conn, SSL_OP_ENABLE_MIDDLEBOX_COMPAT); | |
| 962 } | |
| 963 #endif | |
| 964 #endif | |
| 957 } | 965 } |
| 958 | 966 |
| 959 done: | 967 done: |
| 960 | 968 |
| 961 sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module); | 969 sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module); |