NGINX-QUIC-BORINGSSL——已启用不支持的版本)

NGINX-QUIC-BORINGSSL——已启用不支持的版本)

当我尝试打开到新编译的 NGINX QUIC 实例(1.19.6)的 http3 连接时出现此错误(并超时)。

SSL_do_handshake() failed (SSL: error:10000118:SSL routines:OPENSSL_internal:NO_SUPPORTED_VERSIONS_ENABLED)

然而,同一台服务器在其他协议(HTTP 1.1 和 2.0)上却能完美运行。

看起来 Boringssl 的设置方式或 Nginx 的使用方式存在一些问题?

我是如何创建 BORINGSSL 的

cd boringssl; mkdir build ; cd build ; cmake -GNinja ..
ninja

NGINX 详细信息

~/nginx-quic# nginx -V


nginx version: nginx/1.19.6
built by gcc 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)
built with OpenSSL 1.1.1 (compatible; BoringSSL) (running with BoringSSL)
TLS SNI support enabled
configure arguments: --with-debug --with-http_v3_module --with-cc-opt=-I../boringssl/include --with-ld-opt='-L../boringssl/build/ssl -L../boringssl/build/crypto' --with-http_quic_module --with-stream_quic_module --with-http_image_filter_module --with-http_sub_module --with-stream --add-module=/usr/local/src/ngx_brotli --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --pid-path=/var/run/nginx.pid

我如何构建 NGINX QUIC:

cd ~/nginx-quic ;
./auto/configure --with-debug --with-http_v3_module       \
                       --with-cc-opt="-I../boringssl/include"   \
                       --with-ld-opt="-L../boringssl/build/ssl  \
                                      -L../boringssl/build/crypto"    \
--with-http_quic_module  --with-stream_quic_module   --with-http_image_filter_module --with-http_sub_module --with-stream --add-module=/usr/local/src/ngx_brotli    --prefix=/etc/nginx  --sbin-path=/usr/sbin/nginx   --modules-path=/usr/lib/nginx/modules   --conf-path=/etc/nginx/nginx.conf  --error-log-path=/var/log/nginx/error.log --pid-path=/var/run/nginx.pid  

我的 NGINX 构建配置摘要:

Configuration summary
  + using system PCRE library
  + using system OpenSSL library
  + using system zlib library

  nginx path prefix: "/etc/nginx"
  nginx binary file: "/usr/sbin/nginx"
  nginx modules path: "/usr/lib/nginx/modules"
  nginx configuration prefix: "/etc/nginx"
  nginx configuration file: "/etc/nginx/nginx.conf"
  nginx pid file: "/var/run/nginx.pid"
  nginx error log file: "/var/log/nginx/error.log"
  nginx http access log file: "/etc/nginx/logs/access.log"
  nginx http client request body temporary files: "client_body_temp"
  nginx http proxy temporary files: "proxy_temp"
  nginx http fastcgi temporary files: "fastcgi_temp"
  nginx http uwsgi temporary files: "uwsgi_temp"
  nginx http scgi temporary files: "scgi_temp"

我的网站配置

            listen 80;
            listen [::]:80;
            listen 443 ssl http2 fastopen=150;
            listen   [::]:443 ipv6only=on ssl  fastopen=150;
            include snippets/ssl-params.conf;
            server_name blah.blah;
            root /var/wordpress;
            index index.html index.htm index.php;
            access_log /var/log/nginx/xx.log;
            error_log /var/log/nginx/xx-error_log;
            ssl_early_data on;
            listen 443 http3 reuseport;
            listen [::]:443 http3 reuseport;
            add_header Alt-Svc '$http3=":8443"; ma=86400';

在 nginx.conf 中我添加了以下内容:

           ssl_protocols  TLSv1.3; #disabled 1.1 & 1.2

使用http1.1时的OpenSSL连接细节

issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3045 bytes and written 386 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

尝试 HTTP3 时

*   Trying 106.3.2.12:443...
* Sent QUIC client Initial, ALPN: h3-29,h3-28,h3-27
* Connection timed out after 300000 milliseconds
* Closing connection 0

相关内容