From 26ac1c73f0fe90c77cbad84a6b4ef5712e35ba52 Mon Sep 17 00:00:00 2001 From: Sergey Kandaurov Date: Fri, 28 Feb 2020 13:09:51 +0300 Subject: Initial QUIC support in http. --- src/http/modules/ngx_http_ssl_module.c | 27 ++++++++++++++++++++++++++- 1 file changed, 26 insertions(+), 1 deletion(-) (limited to 'src/http/modules/ngx_http_ssl_module.c') diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c index 495e628d3..693e45a1c 100644 --- a/src/http/modules/ngx_http_ssl_module.c +++ b/src/http/modules/ngx_http_ssl_module.c @@ -249,6 +249,13 @@ static ngx_command_t ngx_http_ssl_commands[] = { offsetof(ngx_http_ssl_srv_conf_t, early_data), NULL }, + { ngx_string("ssl_quic"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, + ngx_conf_set_flag_slot, + NGX_HTTP_SRV_CONF_OFFSET, + offsetof(ngx_http_ssl_srv_conf_t, quic), + NULL }, + ngx_null_command }; @@ -568,6 +575,7 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t *cf) sscf->enable = NGX_CONF_UNSET; sscf->prefer_server_ciphers = NGX_CONF_UNSET; sscf->early_data = NGX_CONF_UNSET; + sscf->quic = NGX_CONF_UNSET; sscf->buffer_size = NGX_CONF_UNSET_SIZE; sscf->verify = NGX_CONF_UNSET_UINT; sscf->verify_depth = NGX_CONF_UNSET_UINT; @@ -612,6 +620,8 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) ngx_conf_merge_value(conf->early_data, prev->early_data, 0); + ngx_conf_merge_value(conf->quic, prev->quic, 0); + ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols, (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1 |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2)); @@ -696,6 +706,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) } } +printf("ngx_ssl_create\n"); if (ngx_ssl_create(&conf->ssl, conf->protocols, conf) != NGX_OK) { return NGX_CONF_ERROR; } 
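Review bot: The `printf("ngx_ssl_create\n");` added in ngx_http_ssl_merge_srv_conf (hunk `@@ -696,6 +706,7 @@`) is unconditional debug output on stdout, and the same applies to the two `printf` lines added in the ngx_http_ssl_init hunk `@@ -1141,13 +1156,15 @@`. They run on every configuration load and bypass the nginx log and its levels. The `%lx` conversion also presumes `sscf->protocols` is an `unsigned long`, which the hunks do not show. I would drop them or route them through the debug log, for example `ngx_log_debug2(NGX_LOG_DEBUG_HTTP, cf->log, 0, "ssl %d http3 %d", addr[a].opt.ssl, addr[a].opt.http3);`. Both functions continue outside the hunks.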
@@ -857,6 +868,10 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) return NGX_CONF_ERROR; } + if (ngx_ssl_quic(cf, &conf->ssl, conf->quic) != NGX_OK) { + return NGX_CONF_ERROR; + } + return NGX_CONF_OK; } @@ -1141,13 +1156,15 @@ ngx_http_ssl_init(ngx_conf_t *cf) addr = port[p].addrs.elts; for (a = 0; a < port[p].addrs.nelts; a++) { +printf("ssl %d http3 %d\n", addr[a].opt.ssl, addr[a].opt.http3); - if (!addr[a].opt.ssl) { + if (!addr[a].opt.ssl && !addr[a].opt.http3) { continue; } cscf = addr[a].default_server; sscf = cscf->ctx->srv_conf[ngx_http_ssl_module.ctx_index]; +printf("sscf->protocols %lx\n", sscf->protocols); if (sscf->certificates == NULL) { ngx_log_error(NGX_LOG_EMERG, cf->log, 0, @@ -1156,6 +1173,14 @@ ngx_http_ssl_init(ngx_conf_t *cf) cscf->file_name, cscf->line); return NGX_ERROR; } + + if (addr[a].opt.http3 && !(sscf->protocols & NGX_SSL_TLSv1_3)) { + ngx_log_error(NGX_LOG_EMERG, cf->log, 0, + "\"ssl_protocols\" did not enable TLSv1.3 for " + "the \"listen ... http3\" directive in %s:%ui", + cscf->file_name, cscf->line); + return NGX_ERROR; + } } } -- cgit v1.2.3 From ef8b06b186a2f7ac25b8ee49a325c935c3e5bb9f Mon Sep 17 00:00:00 2001 From: Sergey Kandaurov Date: Fri, 28 Feb 2020 13:09:52 +0300 Subject: Cleanup. --- src/http/modules/ngx_http_ssl_module.c | 3 --- 1 file changed, 3 deletions(-) (limited to 'src/http/modules/ngx_http_ssl_module.c') diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c index 693e45a1c..8640c2211 100644 --- a/src/http/modules/ngx_http_ssl_module.c +++ b/src/http/modules/ngx_http_ssl_module.c @@ -706,7 +706,6 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) } } -printf("ngx_ssl_create\n"); if (ngx_ssl_create(&conf->ssl, conf->protocols, conf) != NGX_OK) { return NGX_CONF_ERROR; } 
@@ -1156,7 +1155,6 @@ ngx_http_ssl_init(ngx_conf_t *cf) addr = port[p].addrs.elts; for (a = 0; a < port[p].addrs.nelts; a++) { -printf("ssl %d http3 %d\n", addr[a].opt.ssl, addr[a].opt.http3); if (!addr[a].opt.ssl && !addr[a].opt.http3) { continue; @@ -1164,7 +1162,6 @@ printf("ssl %d http3 %d\n", addr[a].opt.ssl, addr[a].opt.http3); cscf = addr[a].default_server; sscf = cscf->ctx->srv_conf[ngx_http_ssl_module.ctx_index]; -printf("sscf->protocols %lx\n", sscf->protocols); if (sscf->certificates == NULL) { ngx_log_error(NGX_LOG_EMERG, cf->log, 0, -- cgit v1.2.3 From 5aa8e519c9fecc00b3a74781716ceb66609c5661 Mon Sep 17 00:00:00 2001 From: Roman Arutyunyan Date: Wed, 18 Mar 2020 16:37:16 +0300 Subject: Moved setting QUIC methods to runtime. This allows listening to both https and http3 in the same server. Also, the change eliminates the ssl_quic directive. --- src/http/modules/ngx_http_ssl_module.c | 14 -------------- 1 file changed, 14 deletions(-) (limited to 'src/http/modules/ngx_http_ssl_module.c') diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c index 8640c2211..4b480a006 100644 --- a/src/http/modules/ngx_http_ssl_module.c +++ b/src/http/modules/ngx_http_ssl_module.c @@ -249,13 +249,6 @@ static ngx_command_t ngx_http_ssl_commands[] = { offsetof(ngx_http_ssl_srv_conf_t, early_data), NULL }, - { ngx_string("ssl_quic"), - NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, - ngx_conf_set_flag_slot, - NGX_HTTP_SRV_CONF_OFFSET, - offsetof(ngx_http_ssl_srv_conf_t, quic), - NULL }, - ngx_null_command }; @@ -575,7 +568,6 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t *cf) sscf->enable = NGX_CONF_UNSET; sscf->prefer_server_ciphers = NGX_CONF_UNSET; sscf->early_data = NGX_CONF_UNSET; - sscf->quic = NGX_CONF_UNSET; sscf->buffer_size = NGX_CONF_UNSET_SIZE; sscf->verify = NGX_CONF_UNSET_UINT; sscf->verify_depth = NGX_CONF_UNSET_UINT; 
@@ -620,8 +612,6 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) ngx_conf_merge_value(conf->early_data, prev->early_data, 0); - ngx_conf_merge_value(conf->quic, prev->quic, 0); - ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols, (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1 |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2)); @@ -867,10 +857,6 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) return NGX_CONF_ERROR; } - if (ngx_ssl_quic(cf, &conf->ssl, conf->quic) != NGX_OK) { - return NGX_CONF_ERROR; - } - return NGX_CONF_OK; } -- cgit v1.2.3 From ede2656c6016d240b804bbcb28b6ecd391cca5de Mon Sep 17 00:00:00 2001 From: Roman Arutyunyan Date: Mon, 23 Mar 2020 19:26:24 +0300 Subject: Support for HTTP/3 ALPN. This is required by Chrome. --- src/http/modules/ngx_http_ssl_module.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) (limited to 'src/http/modules/ngx_http_ssl_module.c') diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c index 4b480a006..a48d3b924 100644 --- a/src/http/modules/ngx_http_ssl_module.c +++ b/src/http/modules/ngx_http_ssl_module.c @@ -371,7 +371,7 @@ ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn, const unsigned char **out, #if (NGX_DEBUG) unsigned int i; #endif -#if (NGX_HTTP_V2) +#if (NGX_HTTP_V2 || NGX_HTTP_V3) ngx_http_connection_t *hc; #endif #if (NGX_HTTP_V2 || NGX_DEBUG) 
@@ -388,15 +388,23 @@ ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn, const unsigned char **out, } #endif -#if (NGX_HTTP_V2) +#if (NGX_HTTP_V2 || NGX_HTTP_V3) hc = c->data; +#endif +#if (NGX_HTTP_V2) if (hc->addr_conf->http2) { srv = (unsigned char *) NGX_HTTP_V2_ALPN_ADVERTISE NGX_HTTP_NPN_ADVERTISE; srvlen = sizeof(NGX_HTTP_V2_ALPN_ADVERTISE NGX_HTTP_NPN_ADVERTISE) - 1; } else +#endif +#if (NGX_HTTP_V3) + if (hc->addr_conf->http3) { + srv = (unsigned char *) NGX_HTTP_V3_ALPN_ADVERTISE; + srvlen = sizeof(NGX_HTTP_V3_ALPN_ADVERTISE) - 1; + } else #endif { srv = (unsigned char *) NGX_HTTP_NPN_ADVERTISE; -- cgit v1.2.3 From b813b9ec358862a2a94868bc057420d6eca5c05d Mon Sep 17 00:00:00 2001 From: Roman Arutyunyan Date: Tue, 21 Jul 2020 23:09:22 +0300 Subject: QUIC: added "quic" listen parameter. The parameter allows processing HTTP/0.9-2 over QUIC. Also, introduced ngx_http_quic_module and moved QUIC settings there --- src/http/modules/ngx_http_ssl_module.c | 33 +++++++++++++++++++++++++-------- 1 file changed, 25 insertions(+), 8 deletions(-) (limited to 'src/http/modules/ngx_http_ssl_module.c') diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c index 7daa4daf2..409514821 100644 --- a/src/http/modules/ngx_http_ssl_module.c +++ b/src/http/modules/ngx_http_ssl_module.c @@ -402,7 +402,7 @@ ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn, const unsigned char **out, #if (NGX_DEBUG) unsigned int i; #endif -#if (NGX_HTTP_V2 || NGX_HTTP_V3) +#if (NGX_HTTP_V2 || NGX_HTTP_QUIC) ngx_http_connection_t *hc; #endif #if (NGX_HTTP_V2 || NGX_DEBUG) @@ -419,7 +419,7 @@ ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn, const unsigned char **out, } #endif -#if (NGX_HTTP_V2 || NGX_HTTP_V3) +#if (NGX_HTTP_V2 || NGX_HTTP_QUIC) hc = c->data; #endif 
@@ -436,6 +436,12 @@ ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn, const unsigned char **out, srv = (unsigned char *) NGX_HTTP_V3_ALPN_ADVERTISE; srvlen = sizeof(NGX_HTTP_V3_ALPN_ADVERTISE) - 1; } else +#endif +#if (NGX_HTTP_QUIC) + if (hc->addr_conf->quic) { + srv = (unsigned char *) NGX_HTTP_QUIC_ALPN_ADVERTISE; + srvlen = sizeof(NGX_HTTP_QUIC_ALPN_ADVERTISE) - 1; + } else #endif { srv = (unsigned char *) NGX_HTTP_NPN_ADVERTISE; @@ -1247,6 +1253,7 @@ static ngx_int_t ngx_http_ssl_init(ngx_conf_t *cf) { ngx_uint_t a, p, s; + const char *name; ngx_http_conf_addr_t *addr; ngx_http_conf_port_t *port; ngx_http_ssl_srv_conf_t *sscf; @@ -1296,26 +1303,36 @@ ngx_http_ssl_init(ngx_conf_t *cf) addr = port[p].addrs.elts; for (a = 0; a < port[p].addrs.nelts; a++) { - if (!addr[a].opt.ssl && !addr[a].opt.http3) { + if (!addr[a].opt.ssl && !addr[a].opt.quic) { continue; } + if (addr[a].opt.http3) { + name = "http3"; + + } else if (addr[a].opt.quic) { + name = "quic"; + + } else { + name = "ssl"; + } + cscf = addr[a].default_server; sscf = cscf->ctx->srv_conf[ngx_http_ssl_module.ctx_index]; if (sscf->certificates == NULL) { ngx_log_error(NGX_LOG_EMERG, cf->log, 0, "no \"ssl_certificate\" is defined for " - "the \"listen ... ssl\" directive in %s:%ui", - cscf->file_name, cscf->line); + "the \"listen ... %s\" directive in %s:%ui", + name, cscf->file_name, cscf->line); return NGX_ERROR; } - if (addr[a].opt.http3 && !(sscf->protocols & NGX_SSL_TLSv1_3)) { + if (addr[a].opt.quic && !(sscf->protocols & NGX_SSL_TLSv1_3)) { ngx_log_error(NGX_LOG_EMERG, cf->log, 0, "\"ssl_protocols\" did not enable TLSv1.3 for " - "the \"listen ... http3\" directive in %s:%ui", - cscf->file_name, cscf->line); + "the \"listen ... %s\" directives in %s:%ui", + name, cscf->file_name, cscf->line); return NGX_ERROR; } } -- cgit v1.2.3 From e8277e42241a848b63d4af2a05ceec156642690c Mon Sep 17 00:00:00 2001 
From: Vladimir Homutov Date: Tue, 15 Sep 2020 22:44:46 +0300 Subject: SSL: added the "ssl_keys_file" directive. --- src/http/modules/ngx_http_ssl_module.c | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) (limited to 'src/http/modules/ngx_http_ssl_module.c') diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c index 409514821..99dbd8ec6 100644 --- a/src/http/modules/ngx_http_ssl_module.c +++ b/src/http/modules/ngx_http_ssl_module.c @@ -119,6 +119,13 @@ static ngx_command_t ngx_http_ssl_commands[] = { 0, NULL }, + { ngx_string("ssl_keys_file"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, + ngx_conf_set_str_slot, + NGX_HTTP_SRV_CONF_OFFSET, + offsetof(ngx_http_ssl_srv_conf_t, keys_file), + NULL }, + { ngx_string("ssl_dhparam"), NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, ngx_conf_set_str_slot, @@ -605,6 +612,7 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t *cf) * sscf->trusted_certificate = { 0, NULL }; * sscf->crl = { 0, NULL }; * sscf->ciphers = { 0, NULL }; + * sscf->keys_file = { 0, NULL }; * sscf->shm_zone = NULL; * sscf->ocsp_responder = { 0, NULL }; * sscf->stapling_file = { 0, NULL }; @@ -676,6 +684,8 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL); + ngx_conf_merge_str_value(conf->keys_file, prev->keys_file, ""); + ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, ""); ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate, @@ -912,6 +922,17 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) return NGX_CONF_ERROR; } + if (conf->keys_file.len) { + + conf->ssl.keylog = ngx_conf_open_file(cf->cycle, &conf->keys_file); + + if (conf->ssl.keylog == NULL) { + return NGX_CONF_ERROR; + } + + SSL_CTX_set_keylog_callback(conf->ssl.ctx, ngx_ssl_keylogger); + } + if (conf->stapling) { if (ngx_ssl_stapling(cf, &conf->ssl, &conf->stapling_file, -- cgit v1.2.3 
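Review bot: The `if (conf->keys_file.len)` block in the last hunk (`@@ -912,6 +922,17 @@`, ngx_http_ssl_merge_srv_conf) registers a key log callback through `SSL_CTX_set_keylog_callback`, so setting `ssl_keys_file` exports TLS session secrets, and nothing in the commit limits that to debug builds or says how the file is protected. Anyone who can read the file can decrypt captured traffic for the logged sessions, and `ngx_conf_open_file` is the generic path for configured files, so as far as this hunk shows the key log gets no tighter mode or ownership than an ordinary log. The call also has no version guard, and `SSL_CTX_set_keylog_callback` is not present in every TLS library (it arrived with OpenSSL 1.1.1). I would put the directive and this block behind a build-time guard such as `#if (NGX_DEBUG)` and add a comment at the block, e.g. `/* exports TLS secrets for traffic decryption; debugging only, keep the file unreadable to other users */`. The function continues outside the hunk.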
From 743cc997811336b01109f83c659a67752015ffad Mon Sep 17 00:00:00 2001 From: Vladimir Homutov Date: Mon, 19 Oct 2020 10:32:53 +0300 Subject: QUIC: reverted previous 3 commits. Changes were intended for the test repository. --- src/http/modules/ngx_http_ssl_module.c | 21 --------------------- 1 file changed, 21 deletions(-) (limited to 'src/http/modules/ngx_http_ssl_module.c') diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c index 99dbd8ec6..409514821 100644 --- a/src/http/modules/ngx_http_ssl_module.c +++ b/src/http/modules/ngx_http_ssl_module.c @@ -119,13 +119,6 @@ static ngx_command_t ngx_http_ssl_commands[] = { 0, NULL }, - { ngx_string("ssl_keys_file"), - NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, - ngx_conf_set_str_slot, - NGX_HTTP_SRV_CONF_OFFSET, - offsetof(ngx_http_ssl_srv_conf_t, keys_file), - NULL }, - { ngx_string("ssl_dhparam"), NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, ngx_conf_set_str_slot, @@ -612,7 +605,6 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t *cf) * sscf->trusted_certificate = { 0, NULL }; * sscf->crl = { 0, NULL }; * sscf->ciphers = { 0, NULL }; - * sscf->keys_file = { 0, NULL }; * sscf->shm_zone = NULL; * sscf->ocsp_responder = { 0, NULL }; * sscf->stapling_file = { 0, NULL }; @@ -684,8 +676,6 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL); - ngx_conf_merge_str_value(conf->keys_file, prev->keys_file, ""); - ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, ""); ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate, 
@@ -922,17 +912,6 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) return NGX_CONF_ERROR; } - if (conf->keys_file.len) { - - conf->ssl.keylog = ngx_conf_open_file(cf->cycle, &conf->keys_file); - - if (conf->ssl.keylog == NULL) { - return NGX_CONF_ERROR; - } - - SSL_CTX_set_keylog_callback(conf->ssl.ctx, ngx_ssl_keylogger); - } - if (conf->stapling) { if (ngx_ssl_stapling(cf, &conf->ssl, &conf->stapling_file, -- cgit v1.2.3 From b19923f91bd41f17470c0d4538ba15adcc0b95e8 Mon Sep 17 00:00:00 2001 From: Sergey Kandaurov Date: Tue, 10 Nov 2020 00:32:56 +0300 Subject: QUIC: multiple versions support in ALPN. Previously, a version based on NGX_QUIC_DRAFT_VERSION was always set. Now it is taken from the negotiated QUIC version that may differ. --- src/http/modules/ngx_http_ssl_module.c | 35 ++++++++++++++++++++++++++-------- 1 file changed, 27 insertions(+), 8 deletions(-) (limited to 'src/http/modules/ngx_http_ssl_module.c') diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c index a2db307f7..111de479b 100644 --- a/src/http/modules/ngx_http_ssl_module.c +++ b/src/http/modules/ngx_http_ssl_module.c @@ -418,6 +418,9 @@ ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn, const unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg) { +#if (NGX_HTTP_QUIC) + const char *fmt; +#endif unsigned int srvlen; unsigned char *srv; #if (NGX_DEBUG) 
@@ -452,16 +455,32 @@ ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn, const unsigned char **out, } else #endif -#if (NGX_HTTP_V3) - if (hc->addr_conf->http3) { - srv = (unsigned char *) NGX_HTTP_V3_ALPN_ADVERTISE; - srvlen = sizeof(NGX_HTTP_V3_ALPN_ADVERTISE) - 1; - } else -#endif #if (NGX_HTTP_QUIC) if (hc->addr_conf->quic) { - srv = (unsigned char *) NGX_HTTP_QUIC_ALPN_ADVERTISE; - srvlen = sizeof(NGX_HTTP_QUIC_ALPN_ADVERTISE) - 1; +#if (NGX_HTTP_V3) + if (hc->addr_conf->http3) { + srv = (unsigned char *) NGX_HTTP_V3_ALPN_ADVERTISE; + srvlen = sizeof(NGX_HTTP_V3_ALPN_ADVERTISE) - 1; + fmt = NGX_HTTP_V3_ALPN_DRAFT_FMT; + + } else +#endif + { + srv = (unsigned char *) NGX_HTTP_QUIC_ALPN_ADVERTISE; + srvlen = sizeof(NGX_HTTP_QUIC_ALPN_ADVERTISE) - 1; + fmt = NGX_HTTP_QUIC_ALPN_DRAFT_FMT; + } + + /* QUIC draft */ + + if (ngx_quic_version(c) > 1) { + srv = ngx_pnalloc(c->pool, sizeof("\x05h3-xx") - 1); + if (srv == NULL) { + return SSL_TLSEXT_ERR_NOACK; + } + srvlen = ngx_sprintf(srv, fmt, ngx_quic_version(c)) - srv; + } + } else #endif { -- cgit v1.2.3 From a96989365676de270fbb2ad19480435ad5e86df4 Mon Sep 17 00:00:00 2001 From: Sergey Kandaurov Date: Tue, 22 Dec 2020 12:04:15 +0300 Subject: QUIC: fixed building ALPN callback without debug and http2. --- src/http/modules/ngx_http_ssl_module.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/http/modules/ngx_http_ssl_module.c') diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c index 111de479b..97c58e445 100644 --- a/src/http/modules/ngx_http_ssl_module.c +++ b/src/http/modules/ngx_http_ssl_module.c @@ -429,7 +429,7 @@ ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn, const unsigned char **out, #if (NGX_HTTP_V2 || NGX_HTTP_QUIC) ngx_http_connection_t *hc; #endif -#if (NGX_HTTP_V2 || NGX_DEBUG) +#if (NGX_HTTP_V2 || NGX_HTTP_QUIC || NGX_DEBUG) ngx_connection_t *c; c = ngx_ssl_get_connection(ssl_conn); -- cgit v1.2.3 
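Review bot: In the `/* QUIC draft */` branch of the `@@ -452,16 +455,32 @@` hunk, `srv` is allocated with exactly `sizeof("\x05h3-xx") - 1` bytes but filled with the unbounded `ngx_sprintf(srv, fmt, ngx_quic_version(c))`. That is safe only if both format macros always expand to a length byte, a three-byte tag and exactly two digits; neither the macros nor the range of `ngx_quic_version()` is visible here, and a value of 100 or more would presumably write past the pool allocation. I would check the range before formatting and bound the write, e.g. `if (ngx_quic_version(c) > 99) { return SSL_TLSEXT_ERR_ALERT_FATAL; }` followed by `ngx_snprintf(srv, sizeof("\x05h3-xx") - 1, fmt, ngx_quic_version(c))`. Returning `SSL_TLSEXT_ERR_NOACK` on allocation failure also lets the TLS handshake proceed without a selected protocol, where `SSL_TLSEXT_ERR_ALERT_FATAL` would fail closed. The function continues outside the hunk.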
From 2765b63216fab23040aa83731ffd7d767cf0fa31 Mon Sep 17 00:00:00 2001 From: Sergey Kandaurov Date: Wed, 29 Sep 2021 15:01:53 +0300 Subject: Fixed mismerge of ssl_reject_handshake in 71b7453fb11f. In particular, this fixes rejecting "listen .. quic|http3" configurations without TLSv1.3 configured. --- src/http/modules/ngx_http_ssl_module.c | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) (limited to 'src/http/modules/ngx_http_ssl_module.c') diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c index efbc4594c..dbb5905df 100644 --- a/src/http/modules/ngx_http_ssl_module.c +++ b/src/http/modules/ngx_http_ssl_module.c @@ -1385,14 +1385,23 @@ ngx_http_ssl_init(ngx_conf_t *cf) sscf = cscf->ctx->srv_conf[ngx_http_ssl_module.ctx_index]; if (sscf->certificates) { + + if (addr[a].opt.quic && !(sscf->protocols & NGX_SSL_TLSv1_3)) { + ngx_log_error(NGX_LOG_EMERG, cf->log, 0, + "\"ssl_protocols\" must enable TLSv1.3 for " + "the \"listen ... %s\" directive in %s:%ui", + name, cscf->file_name, cscf->line); + return NGX_ERROR; + } + continue; } if (!sscf->reject_handshake) { ngx_log_error(NGX_LOG_EMERG, cf->log, 0, "no \"ssl_certificate\" is defined for " - "the \"listen ... ssl\" directive in %s:%ui", - cscf->file_name, cscf->line); + "the \"listen ... %s\" directive in %s:%ui", + name, cscf->file_name, cscf->line); return NGX_ERROR; } @@ -1417,14 +1426,6 @@ ngx_http_ssl_init(ngx_conf_t *cf) name, cscf->file_name, cscf->line); return NGX_ERROR; } - - if (addr[a].opt.quic && !(sscf->protocols & NGX_SSL_TLSv1_3)) { - ngx_log_error(NGX_LOG_EMERG, cf->log, 0, - "\"ssl_protocols\" did not enable TLSv1.3 for " - "the \"listen ... %s\" directives in %s:%ui", - name, cscf->file_name, cscf->line); - return NGX_ERROR; - } } } -- cgit v1.2.3 From 7e7e552a10b9e5d0fd94b1a657061253ccac709e Mon Sep 17 00:00:00 2001 
From: Sergey Kandaurov Date: Thu, 2 Dec 2021 13:59:09 +0300 Subject: HTTP/3: adjusted ALPN macro names to align with 61abb35bb8cf. --- src/http/modules/ngx_http_ssl_module.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'src/http/modules/ngx_http_ssl_module.c') diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c index f2a85f12e..afeb68462 100644 --- a/src/http/modules/ngx_http_ssl_module.c +++ b/src/http/modules/ngx_http_ssl_module.c @@ -455,15 +455,15 @@ ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn, const unsigned char **out, if (hc->addr_conf->quic) { #if (NGX_HTTP_V3) if (hc->addr_conf->http3) { - srv = (unsigned char *) NGX_HTTP_V3_ALPN_ADVERTISE; - srvlen = sizeof(NGX_HTTP_V3_ALPN_ADVERTISE) - 1; + srv = (unsigned char *) NGX_HTTP_V3_ALPN_PROTO; + srvlen = sizeof(NGX_HTTP_V3_ALPN_PROTO) - 1; fmt = NGX_HTTP_V3_ALPN_DRAFT_FMT; } else #endif { - srv = (unsigned char *) NGX_HTTP_QUIC_ALPN_ADVERTISE; - srvlen = sizeof(NGX_HTTP_QUIC_ALPN_ADVERTISE) - 1; + srv = (unsigned char *) NGX_HTTP_QUIC_ALPN_PROTO; + srvlen = sizeof(NGX_HTTP_QUIC_ALPN_PROTO) - 1; fmt = NGX_HTTP_QUIC_ALPN_DRAFT_FMT; } -- cgit v1.2.3 From 731915a0c5e90b79d3cca1a4b0a3c33e1f77631c Mon Sep 17 00:00:00 2001 From: Roman Arutyunyan Date: Mon, 6 Dec 2021 13:02:36 +0300 Subject: HTTP/3: merged ngx_http_quic_module into ngx_http_v3_module. --- src/http/modules/ngx_http_ssl_module.c | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) (limited to 'src/http/modules/ngx_http_ssl_module.c') diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c index afeb68462..3af21178b 100644 --- a/src/http/modules/ngx_http_ssl_module.c +++ b/src/http/modules/ngx_http_ssl_module.c 
@@ -416,7 +416,7 @@ ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn, const unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg) { -#if (NGX_HTTP_QUIC) +#if (NGX_HTTP_V3) const char *fmt; #endif unsigned int srvlen; @@ -424,10 +424,10 @@ ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn, const unsigned char **out, #if (NGX_DEBUG) unsigned int i; #endif -#if (NGX_HTTP_V2 || NGX_HTTP_QUIC) +#if (NGX_HTTP_V2 || NGX_HTTP_V3) ngx_http_connection_t *hc; #endif -#if (NGX_HTTP_V2 || NGX_HTTP_QUIC || NGX_DEBUG) +#if (NGX_HTTP_V2 || NGX_HTTP_V3 || NGX_DEBUG) ngx_connection_t *c; c = ngx_ssl_get_connection(ssl_conn); @@ -441,7 +441,7 @@ ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn, const unsigned char **out, } #endif -#if (NGX_HTTP_V2 || NGX_HTTP_QUIC) +#if (NGX_HTTP_V2 || NGX_HTTP_V3) hc = c->data; #endif @@ -451,17 +451,14 @@ ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn, const unsigned char **out, srvlen = sizeof(NGX_HTTP_V2_ALPN_PROTO NGX_HTTP_ALPN_PROTOS) - 1; } else #endif -#if (NGX_HTTP_QUIC) - if (hc->addr_conf->quic) { #if (NGX_HTTP_V3) + if (hc->addr_conf->quic) { if (hc->addr_conf->http3) { srv = (unsigned char *) NGX_HTTP_V3_ALPN_PROTO; srvlen = sizeof(NGX_HTTP_V3_ALPN_PROTO) - 1; fmt = NGX_HTTP_V3_ALPN_DRAFT_FMT; - } else -#endif - { + } else { srv = (unsigned char *) NGX_HTTP_QUIC_ALPN_PROTO; srvlen = sizeof(NGX_HTTP_QUIC_ALPN_PROTO) - 1; fmt = NGX_HTTP_QUIC_ALPN_DRAFT_FMT; -- cgit v1.2.3 From d84c1f7885cc898f626057c314cdae4047c5d513 Mon Sep 17 00:00:00 2001 From: Roman Arutyunyan Date: Sat, 4 Dec 2021 10:52:55 +0300 Subject: HTTP/3: http3_hq directive and NGX_HTTP_V3_HQ macro. Listen quic parameter is no longer supported. --- src/http/modules/ngx_http_ssl_module.c | 41 +++++++++++++++++++--------------- 1 file changed, 23 insertions(+), 18 deletions(-) (limited to 'src/http/modules/ngx_http_ssl_module.c') 
diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c index 3af21178b..f43e51eac 100644 --- a/src/http/modules/ngx_http_ssl_module.c +++ b/src/http/modules/ngx_http_ssl_module.c @@ -417,18 +417,21 @@ ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn, const unsigned char **out, void *arg) { #if (NGX_HTTP_V3) - const char *fmt; + const char *fmt; #endif - unsigned int srvlen; - unsigned char *srv; + unsigned int srvlen; + unsigned char *srv; #if (NGX_DEBUG) - unsigned int i; + unsigned int i; #endif #if (NGX_HTTP_V2 || NGX_HTTP_V3) - ngx_http_connection_t *hc; + ngx_http_connection_t *hc; +#endif +#if (NGX_HTTP_V3 && NGX_HTTP_V3_HQ) + ngx_http_v3_srv_conf_t *h3scf; #endif #if (NGX_HTTP_V2 || NGX_HTTP_V3 || NGX_DEBUG) - ngx_connection_t *c; + ngx_connection_t *c; c = ngx_ssl_get_connection(ssl_conn); #endif @@ -452,16 +455,21 @@ ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn, const unsigned char **out, } else #endif #if (NGX_HTTP_V3) - if (hc->addr_conf->quic) { - if (hc->addr_conf->http3) { + if (hc->addr_conf->http3) { + +#if (NGX_HTTP_V3_HQ) + h3scf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_v3_module); + + if (h3scf->hq) { + srv = (unsigned char *) NGX_HTTP_V3_HQ_ALPN_PROTO; + srvlen = sizeof(NGX_HTTP_V3_HQ_ALPN_PROTO) - 1; + fmt = NGX_HTTP_V3_HQ_ALPN_DRAFT_FMT; + } else +#endif + { srv = (unsigned char *) NGX_HTTP_V3_ALPN_PROTO; srvlen = sizeof(NGX_HTTP_V3_ALPN_PROTO) - 1; fmt = NGX_HTTP_V3_ALPN_DRAFT_FMT; - - } else { - srv = (unsigned char *) NGX_HTTP_QUIC_ALPN_PROTO; - srvlen = sizeof(NGX_HTTP_QUIC_ALPN_PROTO) - 1; - fmt = NGX_HTTP_QUIC_ALPN_DRAFT_FMT; } /* QUIC draft */ 
@@ -1317,16 +1325,13 @@ ngx_http_ssl_init(ngx_conf_t *cf) addr = port[p].addrs.elts; for (a = 0; a < port[p].addrs.nelts; a++) { - if (!addr[a].opt.ssl && !addr[a].opt.quic) { + if (!addr[a].opt.ssl && !addr[a].opt.http3) { continue; } if (addr[a].opt.http3) { name = "http3"; - } else if (addr[a].opt.quic) { - name = "quic"; - } else { name = "ssl"; } @@ -1336,7 +1341,7 @@ ngx_http_ssl_init(ngx_conf_t *cf) if (sscf->certificates) { - if (addr[a].opt.quic && !(sscf->protocols & NGX_SSL_TLSv1_3)) { + if (addr[a].opt.http3 && !(sscf->protocols & NGX_SSL_TLSv1_3)) { ngx_log_error(NGX_LOG_EMERG, cf->log, 0, "\"ssl_protocols\" must enable TLSv1.3 for " "the \"listen ... %s\" directive in %s:%ui", -- cgit v1.2.3 From 5efdec71581f9402dd7132267d68240ab2f8870b Mon Sep 17 00:00:00 2001 From: Sergey Kandaurov Date: Wed, 26 Jan 2022 14:15:40 +0300 Subject: HTTP/3: removed draft versions support in ALPN. --- src/http/modules/ngx_http_ssl_module.c | 15 --------------- 1 file changed, 15 deletions(-) (limited to 'src/http/modules/ngx_http_ssl_module.c') diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c index 1ecbe439f..64ad9ee2f 100644 --- a/src/http/modules/ngx_http_ssl_module.c +++ b/src/http/modules/ngx_http_ssl_module.c @@ -419,9 +419,6 @@ ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn, const unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg) { -#if (NGX_HTTP_V3) - const char *fmt; -#endif unsigned int srvlen; unsigned char *srv; #if (NGX_DEBUG) 
@@ -466,23 +463,11 @@ ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn, const unsigned char **out, if (h3scf->hq) { srv = (unsigned char *) NGX_HTTP_V3_HQ_ALPN_PROTO; srvlen = sizeof(NGX_HTTP_V3_HQ_ALPN_PROTO) - 1; - fmt = NGX_HTTP_V3_HQ_ALPN_DRAFT_FMT; } else #endif { srv = (unsigned char *) NGX_HTTP_V3_ALPN_PROTO; srvlen = sizeof(NGX_HTTP_V3_ALPN_PROTO) - 1; - fmt = NGX_HTTP_V3_ALPN_DRAFT_FMT; - } - - /* QUIC draft */ - - if (ngx_quic_version(c) > 1) { - srv = ngx_pnalloc(c->pool, sizeof("\x05h3-xx") - 1); - if (srv == NULL) { - return SSL_TLSEXT_ERR_NOACK; - } - srvlen = ngx_sprintf(srv, fmt, ngx_quic_version(c)) - srv; } } else -- cgit v1.2.3 From a36ebf7e95baebf445b0973bd270bc009b0b0e9a Mon Sep 17 00:00:00 2001 From: Roman Arutyunyan Date: Wed, 22 Feb 2023 19:16:53 +0400 Subject: QUIC: OpenSSL compatibility layer. The change allows to compile QUIC with OpenSSL which lacks BoringSSL QUIC API. This implementation does not support 0-RTT. --- src/http/modules/ngx_http_ssl_module.c | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) (limited to 'src/http/modules/ngx_http_ssl_module.c') diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c index 265cb3162..62ec13cf0 100644 --- a/src/http/modules/ngx_http_ssl_module.c +++ b/src/http/modules/ngx_http_ssl_module.c @@ -9,6 +9,10 @@ #include #include +#if (NGX_QUIC_OPENSSL_COMPAT) +#include +#endif + typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s); 
@@ -1317,16 +1321,22 @@ ngx_http_ssl_init(ngx_conf_t *cf) continue; } + cscf = addr[a].default_server; + sscf = cscf->ctx->srv_conf[ngx_http_ssl_module.ctx_index]; + if (addr[a].opt.http3) { name = "http3"; +#if (NGX_QUIC_OPENSSL_COMPAT) + if (ngx_quic_compat_init(cf, sscf->ssl.ctx) != NGX_OK) { + return NGX_ERROR; + } +#endif + } else { name = "ssl"; } - cscf = addr[a].default_server; - sscf = cscf->ctx->srv_conf[ngx_http_ssl_module.ctx_index]; - if (sscf->certificates) { if (addr[a].opt.http3 && !(sscf->protocols & NGX_SSL_TLSv1_3)) { -- cgit v1.2.3 From 815ef96124176baef4e940c4beaec158305b368a Mon Sep 17 00:00:00 2001 From: Roman Arutyunyan Date: Mon, 27 Feb 2023 14:00:56 +0400 Subject: HTTP/3: "quic" parameter of "listen" directive. Now "listen" directve has a new "quic" parameter which enables QUIC protocol for the address. Further, to enable HTTP/3, a new directive "http3" is introduced. The hq-interop protocol is enabled by "http3_hq" as before. Now application protocol is chosen by ALPN. Previously used "http3" parameter of "listen" is deprecated. --- src/http/modules/ngx_http_ssl_module.c | 29 ++++++++++++++++++----------- 1 file changed, 18 insertions(+), 11 deletions(-) (limited to 'src/http/modules/ngx_http_ssl_module.c') diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c index 62ec13cf0..8167157e2 100644 --- a/src/http/modules/ngx_http_ssl_module.c +++ b/src/http/modules/ngx_http_ssl_module.c @@ -431,7 +431,7 @@ ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn, const unsigned char **out, #if (NGX_HTTP_V2 || NGX_HTTP_V3) ngx_http_connection_t *hc; #endif -#if (NGX_HTTP_V3 && NGX_HTTP_V3_HQ) +#if (NGX_HTTP_V3) ngx_http_v3_srv_conf_t *h3scf; #endif #if (NGX_HTTP_V2 || NGX_HTTP_V3 || NGX_DEBUG) 
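Review bot: In the `@@ -1317,16 +1321,22 @@` hunk of ngx_http_ssl_init, `ngx_quic_compat_init(cf, sscf->ssl.ctx)` now runs before the `if (sscf->certificates)` check that follows it. If an SSL context is only created for servers that have certificates or `reject_handshake` set, an `http3` listener whose default server has neither passes a null `ctx` here and fails with a null pointer dereference during configuration instead of reaching the "no ssl_certificate" error. Only the default server's context is initialised, so other servers on the same address that carry their own context may be left without the compatibility layer. I would move the call after the certificate checks or guard it, e.g. `if ((sscf->certificates || sscf->reject_handshake) && ngx_quic_compat_init(cf, sscf->ssl.ctx) != NGX_OK) { return NGX_ERROR; }`. The function continues outside the hunk.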
@@ -459,19 +459,26 @@ ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn, const unsigned char **out, } else #endif #if (NGX_HTTP_V3) - if (hc->addr_conf->http3) { + if (hc->addr_conf->quic) { -#if (NGX_HTTP_V3_HQ) h3scf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_v3_module); - if (h3scf->hq) { + if (h3scf->enable && h3scf->enable_hq) { + srv = (unsigned char *) NGX_HTTP_V3_ALPN_PROTO + NGX_HTTP_V3_HQ_ALPN_PROTO; + srvlen = sizeof(NGX_HTTP_V3_ALPN_PROTO NGX_HTTP_V3_HQ_ALPN_PROTO) + - 1; + + } else if (h3scf->enable_hq) { srv = (unsigned char *) NGX_HTTP_V3_HQ_ALPN_PROTO; srvlen = sizeof(NGX_HTTP_V3_HQ_ALPN_PROTO) - 1; - } else -#endif - { + + } else if (h3scf->enable || hc->addr_conf->http3) { srv = (unsigned char *) NGX_HTTP_V3_ALPN_PROTO; srvlen = sizeof(NGX_HTTP_V3_ALPN_PROTO) - 1; + + } else { + return SSL_TLSEXT_ERR_ALERT_FATAL; } } else @@ -1317,15 +1324,15 @@ ngx_http_ssl_init(ngx_conf_t *cf) addr = port[p].addrs.elts; for (a = 0; a < port[p].addrs.nelts; a++) { - if (!addr[a].opt.ssl && !addr[a].opt.http3) { + if (!addr[a].opt.ssl && !addr[a].opt.quic) { continue; } cscf = addr[a].default_server; sscf = cscf->ctx->srv_conf[ngx_http_ssl_module.ctx_index]; - if (addr[a].opt.http3) { - name = "http3"; + if (addr[a].opt.quic) { + name = "quic"; #if (NGX_QUIC_OPENSSL_COMPAT) if (ngx_quic_compat_init(cf, sscf->ssl.ctx) != NGX_OK) { @@ -1339,7 +1346,7 @@ ngx_http_ssl_init(ngx_conf_t *cf) if (sscf->certificates) { - if (addr[a].opt.http3 && !(sscf->protocols & NGX_SSL_TLSv1_3)) { + if (addr[a].opt.quic && !(sscf->protocols & NGX_SSL_TLSv1_3)) { ngx_log_error(NGX_LOG_EMERG, cf->log, 0, "\"ssl_protocols\" must enable TLSv1.3 for " "the \"listen ... %s\" directive in %s:%ui", -- cgit v1.2.3 From 4d472cd792cc9699e014995c9f41c3e3e048e975 Mon Sep 17 00:00:00 2001 
From: Sergey Kandaurov Date: Fri, 24 Mar 2023 19:49:50 +0400 Subject: HTTP/3: fixed OpenSSL compatibility layer initialization. SSL context is not present if the default server has neither certificates nor ssl_reject_handshake enabled. Previously, this led to null pointer dereference before it would be caught with configuration checks. Additionally, non-default servers with distinct SSL contexts need to initialize compatibility layer in order to complete a QUIC handshake. --- src/http/modules/ngx_http_ssl_module.c | 40 ++++++++++++++++++++++++++++++---- 1 file changed, 36 insertions(+), 4 deletions(-) (limited to 'src/http/modules/ngx_http_ssl_module.c') diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c index 8167157e2..d92ec403e 100644 --- a/src/http/modules/ngx_http_ssl_module.c +++ b/src/http/modules/ngx_http_ssl_module.c @@ -56,6 +56,10 @@ static char *ngx_http_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data); static ngx_int_t ngx_http_ssl_init(ngx_conf_t *cf); +#if (NGX_QUIC_OPENSSL_COMPAT) +static ngx_int_t ngx_http_ssl_quic_compat_init(ngx_conf_t *cf, + ngx_http_conf_addr_t *addr); +#endif static ngx_conf_bitmask_t ngx_http_ssl_protocols[] = { @@ -1328,14 +1332,11 @@ ngx_http_ssl_init(ngx_conf_t *cf) continue; } - cscf = addr[a].default_server; - sscf = cscf->ctx->srv_conf[ngx_http_ssl_module.ctx_index]; - if (addr[a].opt.quic) { name = "quic"; #if (NGX_QUIC_OPENSSL_COMPAT) - if (ngx_quic_compat_init(cf, sscf->ssl.ctx) != NGX_OK) { + if (ngx_http_ssl_quic_compat_init(cf, &addr[a]) != NGX_OK) { return NGX_ERROR; } #endif @@ -1344,6 +1345,9 @@ ngx_http_ssl_init(ngx_conf_t *cf) name = "ssl"; } + cscf = addr[a].default_server; + sscf = cscf->ctx->srv_conf[ngx_http_ssl_module.ctx_index]; + if (sscf->certificates) { if (addr[a].opt.quic && !(sscf->protocols & NGX_SSL_TLSv1_3)) { 
@@ -1391,3 +1395,31 @@ ngx_http_ssl_init(ngx_conf_t *cf) return NGX_OK; } + + +#if (NGX_QUIC_OPENSSL_COMPAT) + +static ngx_int_t +ngx_http_ssl_quic_compat_init(ngx_conf_t *cf, ngx_http_conf_addr_t *addr) +{ + ngx_uint_t s; + ngx_http_ssl_srv_conf_t *sscf; + ngx_http_core_srv_conf_t **cscfp, *cscf; + + cscfp = addr->servers.elts; + for (s = 0; s < addr->servers.nelts; s++) { + + cscf = cscfp[s]; + sscf = cscf->ctx->srv_conf[ngx_http_ssl_module.ctx_index]; + + if (sscf->certificates || sscf->reject_handshake) { + if (ngx_quic_compat_init(cf, sscf->ssl.ctx) != NGX_OK) { + return NGX_ERROR; + } + } + } + + return NGX_OK; +} + +#endif -- cgit v1.2.3 From 2ce3eeeeb76318e414b62d399da70872d2de23d8 Mon Sep 17 00:00:00 2001 From: Roman Arutyunyan Date: Thu, 11 May 2023 13:22:10 +0400 Subject: HTTP/3: removed "http3" parameter of "listen" directive. The parameter has been deprecated since c851a2ed5ce8. --- src/http/modules/ngx_http_ssl_module.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/http/modules/ngx_http_ssl_module.c') diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c index c0d6bae06..d2ca475d3 100644 --- a/src/http/modules/ngx_http_ssl_module.c +++ b/src/http/modules/ngx_http_ssl_module.c @@ -477,7 +477,7 @@ ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn, const unsigned char **out, srv = (unsigned char *) NGX_HTTP_V3_HQ_ALPN_PROTO; srvlen = sizeof(NGX_HTTP_V3_HQ_ALPN_PROTO) - 1; - } else if (h3scf->enable || hc->addr_conf->http3) { + } else if (h3scf->enable) { srv = (unsigned char *) NGX_HTTP_V3_ALPN_PROTO; srvlen = sizeof(NGX_HTTP_V3_ALPN_PROTO) - 1; -- cgit v1.2.3
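Review bot: ngx_http_ssl_quic_compat_init (hunk `@@ -1391,3 +1395,31 @@`) has no comment explaining why servers are filtered on `sscf->certificates || sscf->reject_handshake`. Per the commit message the reason is that other servers have no SSL context, and that belongs at the condition: `/* servers without certificates or ssl_reject_handshake have no SSL context */`. Because ngx_http_ssl_init calls this helper once per quic address, a server listed under several addresses gets `ngx_quic_compat_init` called repeatedly on the same `ctx`; that function is not shown here, so it should be confirmed that it tolerates repeated calls.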