# HG changeset patch # User Sergey Kandaurov # Date 1632916913 -10800 # Node ID e5a17d6041bd2d93868b635a63ffc6275b09863a # Parent 5a2080d48da8363b67d980ad1e5c842a54c794fb Fixed mismerge of ssl_reject_handshake in 71b7453fb11f. In particular, this fixes rejecting "listen .. quic|http3" configurations without TLSv1.3 configured. diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c --- a/src/http/modules/ngx_http_ssl_module.c +++ b/src/http/modules/ngx_http_ssl_module.c @@ -1385,14 +1385,23 @@ ngx_http_ssl_init(ngx_conf_t *cf) sscf = cscf->ctx->srv_conf[ngx_http_ssl_module.ctx_index]; if (sscf->certificates) { + + if (addr[a].opt.quic && !(sscf->protocols & NGX_SSL_TLSv1_3)) { + ngx_log_error(NGX_LOG_EMERG, cf->log, 0, + "\"ssl_protocols\" must enable TLSv1.3 for " + "the \"listen ... %s\" directive in %s:%ui", + name, cscf->file_name, cscf->line); + return NGX_ERROR; + } + continue; } if (!sscf->reject_handshake) { ngx_log_error(NGX_LOG_EMERG, cf->log, 0, "no \"ssl_certificate\" is defined for " - "the \"listen ... ssl\" directive in %s:%ui", - cscf->file_name, cscf->line); + "the \"listen ... %s\" directive in %s:%ui", + name, cscf->file_name, cscf->line); return NGX_ERROR; } @@ -1417,14 +1426,6 @@ ngx_http_ssl_init(ngx_conf_t *cf) name, cscf->file_name, cscf->line); return NGX_ERROR; } - - if (addr[a].opt.quic && !(sscf->protocols & NGX_SSL_TLSv1_3)) { - ngx_log_error(NGX_LOG_EMERG, cf->log, 0, - "\"ssl_protocols\" did not enable TLSv1.3 for " - "the \"listen ... %s\" directives in %s:%ui", - name, cscf->file_name, cscf->line); - return NGX_ERROR; - } } }