当我尝试打开到新编译的 NGINX QUIC 实例(1.19.6)的 http3 连接时出现此错误(并超时)。
SSL_do_handshake() failed (SSL: error:10000118:SSL routines:OPENSSL_internal:NO_SUPPORTED_VERSIONS_ENABLED)
然而,同一台服务器在其他协议(HTTP 1.1 和 2.0)上却能完美运行。
看起来 Boringssl 的设置方式或 Nginx 的使用方式存在一些问题?
我是如何创建 BORINGSSL 的
cd boringssl; mkdir build ; cd build ; cmake -GNinja ..
ninja
NGINX 详细信息
~/nginx-quic# nginx -V
nginx version: nginx/1.19.6
built by gcc 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)
built with OpenSSL 1.1.1 (compatible; BoringSSL) (running with BoringSSL)
TLS SNI support enabled
configure arguments: --with-debug --with-http_v3_module --with-cc-opt=-I../boringssl/include --with-ld-opt='-L../boringssl/build/ssl -L../boringssl/build/crypto' --with-http_quic_module --with-stream_quic_module --with-http_image_filter_module --with-http_sub_module --with-stream --add-module=/usr/local/src/ngx_brotli --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --pid-path=/var/run/nginx.pid
我如何构建 NGINX QUIC:
cd ~/nginx-quic ;
./auto/configure --with-debug --with-http_v3_module \
--with-cc-opt="-I../boringssl/include" \
--with-ld-opt="-L../boringssl/build/ssl \
-L../boringssl/build/crypto" \
--with-http_quic_module --with-stream_quic_module --with-http_image_filter_module --with-http_sub_module --with-stream --add-module=/usr/local/src/ngx_brotli --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --pid-path=/var/run/nginx.pid
我的 NGINX 构建配置摘要:
Configuration summary
+ using system PCRE library
+ using system OpenSSL library
+ using system zlib library
nginx path prefix: "/etc/nginx"
nginx binary file: "/usr/sbin/nginx"
nginx modules path: "/usr/lib/nginx/modules"
nginx configuration prefix: "/etc/nginx"
nginx configuration file: "/etc/nginx/nginx.conf"
nginx pid file: "/var/run/nginx.pid"
nginx error log file: "/var/log/nginx/error.log"
nginx http access log file: "/etc/nginx/logs/access.log"
nginx http client request body temporary files: "client_body_temp"
nginx http proxy temporary files: "proxy_temp"
nginx http fastcgi temporary files: "fastcgi_temp"
nginx http uwsgi temporary files: "uwsgi_temp"
nginx http scgi temporary files: "scgi_temp"
我的网站配置
listen 80;
listen [::]:80;
listen 443 ssl http2 fastopen=150;
listen [::]:443 ipv6only=on ssl fastopen=150;
include snippets/ssl-params.conf;
server_name blah.blah;
root /var/wordpress;
index index.html index.htm index.php;
access_log /var/log/nginx/xx.log;
error_log /var/log/nginx/xx-error_log;
ssl_early_data on;
listen 443 http3 reuseport;
listen [::]:443 http3 reuseport;
add_header Alt-Svc '$http3=":8443"; ma=86400';
在 nginx.conf 中我添加了以下内容:
ssl_protocols TLSv1.3; #disabled 1.1 & 1.2
使用http1.1时的OpenSSL连接细节
issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3045 bytes and written 386 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
尝试 HTTP3 时
* Trying 106.3.2.12:443...
* Sent QUIC client Initial, ALPN: h3-29,h3-28,h3-27
* Connection timed out after 300000 milliseconds
* Closing connection 0