From 0b75042d514aab916718dd7ee7d1abd2e8661bb1 Mon Sep 17 00:00:00 2001
From: swananan
Date: Thu, 11 Sep 2025 23:58:19 +0800
Subject: [PATCH 1/2] bugfix: add HTTP/3 QUIC SSL Lua yield patch macro protection
---
 .travis.yml | 2 +-
 README.markdown | 8 ++++++++
 src/ngx_http_lua_ssl_certby.c | 6 ++++--
 src/ngx_http_lua_ssl_client_helloby.c | 6 ++++--
 src/ngx_http_lua_util.c | 2 +-
 src/ngx_http_lua_util.h | 2 +-
 6 files changed, 19 insertions(+), 7 deletions(-)
diff --git a/.travis.yml b/.travis.yml
index f48c9a75bc..c87e5d78b2 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -87,7 +87,7 @@ install:
 - wget https://github.com/openresty/openresty-deps-prebuild/releases/download/v20230902/boringssl-20230902-x64-focal.tar.gz
 - wget https://github.com/openresty/openresty-deps-prebuild/releases/download/v20230902/curl-h3-x64-focal.tar.gz
 - git clone https://github.com/openresty/test-nginx.git
- - git clone https://github.com/openresty/openresty.git ../openresty
+ - git clone https://github.com/swananan/openresty.git ../openresty -b add-http3-quic-ssl-lua-yield-patch-protection
 - git clone https://github.com/openresty/no-pool-nginx.git ../no-pool-nginx
 - git clone https://github.com/openresty/openresty-devel-utils.git
 - git clone https://github.com/openresty/mockeagain.git
diff --git a/README.markdown b/README.markdown
index 3d5b46cac3..03a9a66055 100644
--- a/README.markdown
+++ b/README.markdown
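Review bot: The replaced clone line in the `.travis.yml` hunk makes CI fetch OpenResty from a contributor's fork at a branch name (`swananan/openresty.git ../openresty -b add-http3-quic-ssl-lua-yield-patch-protection`), a mutable ref outside the project's control, so this commit on its own has a build input that can change or disappear without review. Patch 2/2 of this series points back at `openresty/openresty.git`; squashing the two would keep the fork URL out of any commit that CI or a bisect might build. If an unmerged dependency has to be tested, pinning it after the clone, for example `- git -C ../openresty checkout <commit-sha>`, limits what can change under the build.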
@@ -2879,6 +2879,8 @@ patches to the standard Nginx core:
+**Note for HTTP/3 (QUIC) users**: When using this directive with HTTP/3 connections, certain yield operations may fail if the QUIC SSL Lua yield patch is not applied to your OpenSSL installation. OpenResty packages include this patch by default, but if you are building lua-nginx-module separately, you may need to apply the patch manually to ensure proper yield/resume functionality for HTTP/3 connections in SSL Lua phases. The patch can be found at: [nginx-1.27.1-quic_ssl_lua_yield.patch](https://github.com/openresty/openresty/blob/master/patches/nginx/1.27.1/nginx-1.27.1-quic_ssl_lua_yield.patch)
+
 This directive was first introduced in the `v0.10.21` release.
 [Back to TOC](#directives)
@@ -2896,6 +2898,8 @@ Equivalent to [ssl_client_hello_by_lua_block](#ssl_client_hello_by_lua_block), e
 When a relative path like `foo/bar.lua` is given, they will be turned into the absolute path relative to the `server prefix` path determined by the `-p PATH` command-line option while starting the Nginx server.
+**Note for HTTP/3 (QUIC) users**: When using this directive with HTTP/3 connections, certain yield operations may fail if the QUIC SSL Lua yield patch is not applied to your OpenSSL installation. OpenResty packages include this patch by default, but if you are building lua-nginx-module separately, you may need to apply the patch manually to ensure proper yield/resume functionality for HTTP/3 connections in SSL Lua phases. The patch can be found at: [nginx-1.27.1-quic_ssl_lua_yield.patch](https://github.com/openresty/openresty/blob/master/patches/nginx/1.27.1/nginx-1.27.1-quic_ssl_lua_yield.patch)
+
 This directive was first introduced in the `v0.10.21` release.
 [Back to TOC](#directives)
@@ -2989,6 +2993,8 @@ patches to the standard Nginx core:
+**Note for HTTP/3 (QUIC) users**: When using this directive with HTTP/3 connections, certain yield operations may fail if the QUIC SSL Lua yield patch is not applied to your OpenSSL installation. OpenResty packages include this patch by default, but if you are building lua-nginx-module separately, you may need to apply the patch manually to ensure proper yield/resume functionality for HTTP/3 connections in SSL Lua phases. The patch can be found at: [nginx-1.27.1-quic_ssl_lua_yield.patch](https://github.com/openresty/openresty/blob/master/patches/nginx/1.27.1/nginx-1.27.1-quic_ssl_lua_yield.patch)
+
 This directive was first introduced in the `v0.10.0` release.
 [Back to TOC](#directives)
@@ -3006,6 +3012,8 @@ Equivalent to [ssl_certificate_by_lua_block](#ssl_certificate_by_lua_block), exc
 When a relative path like `foo/bar.lua` is given, they will be turned into the absolute path relative to the `server prefix` path determined by the `-p PATH` command-line option while starting the Nginx server.
+**Note for HTTP/3 (QUIC) users**: When using this directive with HTTP/3 connections, certain yield operations may fail if the QUIC SSL Lua yield patch is not applied to your OpenSSL installation. OpenResty packages include this patch by default, but if you are building lua-nginx-module separately, you may need to apply the patch manually to ensure proper yield/resume functionality for HTTP/3 connections in SSL Lua phases. The patch can be found at: [nginx-1.27.1-quic_ssl_lua_yield.patch](https://github.com/openresty/openresty/blob/master/patches/nginx/1.27.1/nginx-1.27.1-quic_ssl_lua_yield.patch)
+
 This directive was first introduced in the `v0.10.0` release.
 [Back to TOC](#directives)
diff --git a/src/ngx_http_lua_ssl_certby.c b/src/ngx_http_lua_ssl_certby.c
index 2abee0ef4b..9a2d63fcf0 100644
--- a/src/ngx_http_lua_ssl_certby.c
+++ b/src/ngx_http_lua_ssl_certby.c
@@ -390,9 +390,11 @@ ngx_http_lua_ssl_cert_done(void *data)
 ngx_post_event(c->write, &ngx_posted_events);
-#if (NGX_HTTP_V3) && OPENSSL_VERSION_NUMBER >= 0x1000205fL
-# if (NGX_QUIC_OPENSSL_COMPAT)
+#if (HAVE_QUIC_SSL_LUA_YIELD_PATCH && NGX_HTTP_V3)
+# if OPENSSL_VERSION_NUMBER >= 0x1000205fL
+# if (NGX_QUIC_OPENSSL_COMPAT)
 ngx_http_lua_resume_quic_ssl_handshake(c);
+# endif
 # endif
 #endif
 }
diff --git a/src/ngx_http_lua_ssl_client_helloby.c b/src/ngx_http_lua_ssl_client_helloby.c
index 81b7a01f51..42a91c1604 100644
--- a/src/ngx_http_lua_ssl_client_helloby.c
+++ b/src/ngx_http_lua_ssl_client_helloby.c
@@ -381,9 +381,11 @@ ngx_http_lua_ssl_client_hello_done(void *data)
 ngx_post_event(c->write, &ngx_posted_events);
-#if (NGX_HTTP_V3) && defined(SSL_ERROR_WANT_CLIENT_HELLO_CB)
-# if (NGX_QUIC_OPENSSL_COMPAT)
+#if (HAVE_QUIC_SSL_LUA_YIELD_PATCH && NGX_HTTP_V3)
+# if defined(SSL_ERROR_WANT_CLIENT_HELLO_CB)
+# if (NGX_QUIC_OPENSSL_COMPAT)
 ngx_http_lua_resume_quic_ssl_handshake(c);
+# endif
 # endif
 #endif
 }
diff --git a/src/ngx_http_lua_util.c b/src/ngx_http_lua_util.c
index d47c691000..5bc3b02807 100644
--- a/src/ngx_http_lua_util.c
+++ b/src/ngx_http_lua_util.c
@@ -4574,7 +4574,7 @@ ngx_http_lua_ffi_bypass_if_checks(ngx_http_request_t *r)
 }
-#if (NGX_HTTP_V3)
+#if (HAVE_QUIC_SSL_LUA_YIELD_PATCH && NGX_HTTP_V3)
 void
 ngx_http_lua_resume_quic_ssl_handshake(ngx_connection_t *c)
 {
diff --git a/src/ngx_http_lua_util.h b/src/ngx_http_lua_util.h
index d76508868c..eab4d4eba2 100644
--- a/src/ngx_http_lua_util.h
+++ b/src/ngx_http_lua_util.h
@@ -267,7 +267,7 @@ ngx_addr_t *ngx_http_lua_parse_addr(lua_State *L, u_char *text, size_t len);
 size_t ngx_http_lua_escape_log(u_char *dst, u_char *src, size_t size);
-#if (NGX_HTTP_V3)
+#if (HAVE_QUIC_SSL_LUA_YIELD_PATCH && NGX_HTTP_V3)
 void ngx_http_lua_resume_quic_ssl_handshake(ngx_connection_t *c);
 #endif
From eb6115e3415547492ea134aa1a9659ba3a2f1a50 Mon Sep 17 00:00:00 2001
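Review bot: `HAVE_QUIC_SSL_LUA_YIELD_PATCH` is not defined anywhere in this patch, and an undefined name in `#if` evaluates to 0, so an HTTP/3 build without it silently drops the `ngx_http_lua_resume_quic_ssl_handshake(c)` call at the end of `ngx_http_lua_ssl_cert_done`; the `ngx_http_lua_ssl_client_hello_done` hunk has the same guard. Nothing visible here tells an operator that a handler which yielded on a QUIC connection will not have its handshake resumed, which presumably surfaces as stalled handshakes rather than a clear error. I would add a comment above the outer guard such as `/* set by the QUIC SSL Lua yield patch; without it a yielded QUIC handshake is not resumed here */`, after confirming where the macro is actually defined (the README text added in this commit says OpenSSL while linking an nginx patch), and consider logging once when HTTP/3 is enabled and the macro is absent. Both functions begin outside their hunks.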
From: lijunlong
Date: Sun, 14 Sep 2025 18:51:02 +0800
Subject: [PATCH 2/2] update travis
---
 .travis.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.travis.yml b/.travis.yml
index c87e5d78b2..fc39846390 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -87,7 +87,7 @@ install:
 - wget https://github.com/openresty/openresty-deps-prebuild/releases/download/v20230902/boringssl-20230902-x64-focal.tar.gz
 - wget https://github.com/openresty/openresty-deps-prebuild/releases/download/v20230902/curl-h3-x64-focal.tar.gz
 - git clone https://github.com/openresty/test-nginx.git
- - git clone https://github.com/swananan/openresty.git ../openresty -b add-http3-quic-ssl-lua-yield-patch-protection
+ - git clone https://github.com/openresty/openresty.git
 - git clone https://github.com/openresty/no-pool-nginx.git ../no-pool-nginx
 - git clone https://github.com/openresty/openresty-devel-utils.git
 - git clone https://github.com/openresty/mockeagain.git
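Review bot: The restored line `- git clone https://github.com/openresty/openresty.git` no longer has the `../openresty` destination that the pre-series line carried (see the removed line in patch 1/2), so the checkout lands in `./openresty` inside the module tree; the new blob id also differs from the pre-series one, which is consistent with this not being an exact revert. Any later CI step that reads `../openresty` is outside this hunk, but if one exists it would no longer find the tree, and a build that ends up without the OpenResty nginx patches could leave the guarded resume path added by this series untested. Suggested line: `- git clone https://github.com/openresty/openresty.git ../openresty`.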