authorSergey Kandaurov <pluknet@nginx.com>2020-03-23 20:48:34 +0300
committerSergey Kandaurov <pluknet@nginx.com>2020-03-23 20:48:34 +0300
commitf20af3dabca75b1f57f5c72a0e45e7251762b43c (patch)
tree8358e67ffe5d4e0ddd26e3a9bc7bdd3123a13b88
parent5ac5e51fdfe68e8b11f8c7abd2ce361062f68e54 (diff)
Fixed client certificate verification.
For the ngx_http_process_request() part to work, both r->http_connection->ssl and c->ssl had to be set on a QUIC stream. To avoid damaging the global SSL object, ngx_ssl_shutdown() is made to ignore QUIC streams.
-rw-r--r--src/event/ngx_event_openssl.c5
-rw-r--r--src/event/ngx_event_quic.c1
-rw-r--r--src/http/ngx_http_request.c1
3 files changed, 7 insertions, 0 deletions
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index 91b415caa..2fd254446 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -2735,6 +2735,11 @@ ngx_ssl_shutdown(ngx_connection_t *c)
int n, sslerr, mode;
ngx_err_t err;
+ if (c->qs) {
+ /* QUIC streams inherit SSL object */
+ return NGX_OK;
+ }
+
if (SSL_in_init(c->ssl->connection)) {
/*
* OpenSSL 1.0.2f complains if SSL_shutdown() is called during
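Review bot: The early return for `c->qs` in ngx_ssl_shutdown() leaves the stream's `c->ssl` pointing at the parent connection's SSL object, and the `sn->c->ssl = c->ssl;` line added in ngx_quic_create_stream() creates that alias with nothing marking it as borrowed. If a stream connection can outlive its parent (not visible in these hunks), any later code that tests or dereferences `c->ssl` on the stream would reach an object the parent may already have released. Consider dropping the borrowed pointer before returning, i.e. `c->ssl = NULL;` ahead of `return NGX_OK;`, and widening the comment to `/* QUIC streams borrow the parent's SSL object; never shut it down or free it here */`. The body of ngx_ssl_shutdown() starts and ends outside the hunk, so the normal teardown path is not shown.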
diff --git a/src/event/ngx_event_quic.c b/src/event/ngx_event_quic.c
index a4a293a14..a466ac184 100644
--- a/src/event/ngx_event_quic.c
+++ b/src/event/ngx_event_quic.c
@@ -1470,6 +1470,7 @@ ngx_quic_create_stream(ngx_connection_t *c, ngx_uint_t id)
sn->c->sockaddr = c->sockaddr;
sn->c->local_sockaddr = c->local_sockaddr;
sn->c->addr_text = c->addr_text;
+ sn->c->ssl = c->ssl;
rev = sn->c->read;
wev = sn->c->write;
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
index acd708cf6..890e5374b 100644
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -225,6 +225,7 @@ ngx_http_init_connection(ngx_connection_t *c)
if (c->type == SOCK_DGRAM) {
hc = ngx_pcalloc(c->pool, sizeof(ngx_http_v3_connection_t));
hc->quic = 1;
+ hc->ssl = 1;
} else
#endif
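Review bot: The added `hc->ssl = 1;` writes through `hc` directly after `ngx_pcalloc()` with no NULL check visible in the hunk, as the existing `hc->quic = 1;` line above it already does. On allocation failure that is a NULL dereference in the worker accepting the QUIC connection instead of a clean close. A guard placed right after the allocation, `if (hc == NULL) { ngx_http_close_connection(c); return; }`, would cover both assignments. ngx_http_init_connection() continues outside the hunk, so whether the `else` branch checks its own allocation cannot be confirmed from here.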