# HG changeset patch
# User Roman Arutyunyan <a...@nginx.com>
# Date 1685258227 -14400
# Sun May 28 11:17:07 2023 +0400
# Node ID 5b46de0dda837d97afbec7484931223c52d53905
# Parent 8eae1b4f1c5528b063351804168a6085f5f50b42
QUIC: fixed compat with ciphers other than AES128 (ticket #2500).
Previously, rec.level field was not uninitialized in SSL_provide_quic_data().
As a result, its value was always ssl_encryption_initial. Later in
ngx_quic_ciphers() such level resulted in resetting the cipher to
TLS1_3_CK_AES_128_GCM_SHA256 and using AES128 to encrypt the packet.
Now the level is initialized and the right cipher is used.
diff --git a/src/event/quic/ngx_event_quic_openssl_compat.c
b/src/event/quic/ngx_event_quic_openssl_compat.c
--- a/src/event/quic/ngx_event_quic_openssl_compat.c
+++ b/src/event/quic/ngx_event_quic_openssl_compat.c
@@ -463,6 +463,7 @@ SSL_provide_quic_data(SSL *ssl, enum ssl
rec.log = c->log;
rec.number = com->read_record++;
rec.keys = &com->keys;
+ rec.level = level;
if (level == ssl_encryption_initial) {
n = ngx_min(len, 65535);
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel
