> On 6 Dec 2018, at 02:39, Honza Prachař <jan.prac...@gmail.com> wrote:
>
> Hello! FYI there is an issue with TLS 1.3 Early data in OpenSSL –
> https://github.com/openssl/openssl/issues/7757
>
> So maybe you would want to consider ignoring Early data with HTTP/2 and
> OpenSSL. Or try to fix the problem on the nginx side, i.e. do not call
> SSL_read_early_data() until all pending data is written with
> SSL_write_early_data().
Hello.
This is not strictly related to HTTP/2.
I could reproduce it with s_client -early_data over HTTP/1.1,
where 1st request is sent in 0-RTT, and 2nd - after handshake.
This quick workaround helped me. The idea is that we block reading
if SSL_write_early_data returned SSL_ERROR_WANT_WRITE, until one of
the next SSL_write_early_data will succeed. In practice, we won't
read until there's also no more data to send. For static content,
that means that we will continue to read only after the whole file
was sent. This doesn't look perfect but seems to work.
diff -r 2117637f64e9 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Tue Nov 27 17:40:21 2018 +0300
+++ b/src/event/ngx_event_openssl.c Thu Dec 06 14:51:18 2018 +0000
@@ -2352,6 +2352,7 @@
if (sslerr == SSL_ERROR_WANT_WRITE) {
+#if 0
if (c->ssl->saved_read_handler) {
c->read->handler = c->ssl->saved_read_handler;
@@ -2364,6 +2365,11 @@
ngx_post_event(c->read, &ngx_posted_events);
}
+#endif
+ if (c->ssl->saved_read_handler == NULL) {
+ c->ssl->saved_read_handler = c->read->handler;
+ c->read->handler = ngx_ssl_read_handler;
+ }
c->write->ready = 0;
return NGX_AGAIN;
--
Sergey Kandaurov
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
