Fixed client certificate verification.
authorSergey Kandaurov <pluknet@nginx.com>
Mon, 23 Mar 2020 17:48:34 +0000 (20:48 +0300)
committerSergey Kandaurov <pluknet@nginx.com>
Mon, 23 Mar 2020 17:48:34 +0000 (20:48 +0300)
For the ngx_http_process_request() part to work, it was required to set both
r->http_connection->ssl and c->ssl on a QUIC stream.  To avoid damaging the
global SSL object, ngx_ssl_shutdown() is made to ignore QUIC streams.

src/event/ngx_event_openssl.c
src/event/ngx_event_quic.c
src/http/ngx_http_request.c

index 91b415caa8e2f368e336c414a64b191a35d0cac1..2fd25444685e4ea1b1d8006152d9cba12b26fb0a 100644 (file)
@@ -2735,6 +2735,11 @@ ngx_ssl_shutdown(ngx_connection_t *c)
     int        n, sslerr, mode;
     ngx_err_t  err;
 
+    if (c->qs) {
+        /* QUIC streams inherit SSL object */
+        return NGX_OK;
+    }
+
     if (SSL_in_init(c->ssl->connection)) {
         /*
          * OpenSSL 1.0.2f complains if SSL_shutdown() is called during
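Review bot: The early return at the top of ngx_ssl_shutdown() leaves the stream's `c->ssl` pointing at the parent connection's SSL state, and nothing here records that the pointer is borrowed. If the parent connection is shut down and its SSL object freed while a stream is still open, the stream would presumably be left with a dangling pointer; this cannot be confirmed from the hunk, because the rest of the function and the stream teardown lie outside it. Provided no caller reads `c->ssl` after shutdown, I would drop the alias before returning with `c->ssl = NULL;`, and widen the comment to `/* QUIC streams borrow the parent's SSL object; only the parent connection shuts it down and frees it */`.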
index a4a293a141be7911a1bd13f2cf37a8f14f2f02e1..a466ac184e9c949953605d4ad3ff0cfc0849627e 100644 (file)
@@ -1470,6 +1470,7 @@ ngx_quic_create_stream(ngx_connection_t *c, ngx_uint_t id)
     sn->c->sockaddr = c->sockaddr;
     sn->c->local_sockaddr = c->local_sockaddr;
     sn->c->addr_text = c->addr_text;
+    sn->c->ssl = c->ssl;
 
     rev = sn->c->read;
     wev = sn->c->write;
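Review bot: `sn->c->ssl = c->ssl;` shares the whole per-connection SSL wrapper with every stream, not only the OpenSSL handle, so anything written through a stream's `c->ssl` becomes visible to the parent and to all sibling streams. The structure's fields are not visible in this hunk, so which of them the HTTP path writes still needs checking; reading the verification result is harmless, while per-connection flags or handlers set from one stream would not be. A comment on this line such as `/* shared with the parent connection; streams must treat it as read-only */` would state the contract. ngx_quic_create_stream() starts and ends outside the hunk.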
index acd708cf67fa5c6899981dd0cb32edbe4821cb95..890e5374b4d175d6b1a01262bb4d024826fbdc32 100644 (file)
@@ -225,6 +225,7 @@ ngx_http_init_connection(ngx_connection_t *c)
     if (c->type == SOCK_DGRAM) {
         hc = ngx_pcalloc(c->pool, sizeof(ngx_http_v3_connection_t));
         hc->quic = 1;
+        hc->ssl = 1;
 
     } else
 #endif
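Review bot: The added `hc->ssl = 1;` is a second write through `hc` directly after `ngx_pcalloc()`, with no NULL check between the allocation and the stores in the `SOCK_DGRAM` branch. Any check that follows the `#endif` would come too late for this branch, so an allocation failure on a new QUIC connection would presumably dereference a null pointer instead of closing the connection cleanly. I would guard the stores with `if (hc == NULL) { ngx_http_close_connection(c); return; }` placed right after the `ngx_pcalloc()` call. ngx_http_init_connection() continues outside the hunk, so the existing error path should be confirmed there.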