After enabling mTLS, the HTTP3 protocol fails to take effect. #394

@uliian

Environment

Include the result of the following commands:

  • nginx version: nginx/1.27.3
    built by gcc 13.2.1 20240309 (Alpine 13.2.1_git20240309)
    built with OpenSSL 3.3.0 9 Apr 2024 (running with OpenSSL 3.3.2 3 Sep 2024)
    TLS SNI support enabled
    configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --with-perl_modules_path=/usr/lib/perl5/vendor_perl --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-http_v3_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-Os -fstack-clash-protection -Wformat -Werror=format-security -fno-plt -g' --with-ld-opt='-Wl,--as-needed,-O1,--sort-common -Wl,-z,pack-relative-relocs'
  • Linux OpenWrt 5.15.28 #0 SMP Mon Mar 14 06:45:28 2022 x86_64 Linux

Description

I enabled TLS on my server using a normal Let's Encrypt certificate and used a self-signed certificate for client authentication. When "ssl_client_verify" is set to "off", the Edge browser can communicate with the server normally using the HTTP3 protocol. However, when "ssl_client_verify" is set to "on", the browser always uses the HTTP2 protocol to communicate with the server.

nginx configuration

server {
    listen       8087 ssl;
    http2        on;
    http3        on;
    ssl_early_data on;
    quic_retry on;
    listen 8087 quic reuseport;
    server_name  xxxx.xxxx.com;

    ssl_certificate      /etc/nginx/conf.d/certs/xxxx.xxxx.com/cert.pem;
    ssl_certificate_key  /etc/nginx/conf.d/certs/xxxx.xxxx.com/key.key;

    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;
    ssl_client_certificate /etc/nginx/conf.d/certs/xxxx.xxxx.com/client.crt;
    ssl_verify_client on;

    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers  TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRS
    ssl_prefer_server_ciphers  on;

    client_max_body_size 4321M;

    error_page 495 496 497 =444 /444.html;

    location = /444.html {
        internal;
        return 444;
    }

    location / {
        proxy_pass http://10.0.0.13:8080/;
        add_header Alt-Svc 'h3=":8087"; ma=86400';
    }
}
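A small configuration check, added here as an example (it is not part of the report or of nginx): it parses a constructed copy of the server block above, reduced to the relevant directives, and flags that `ssl_verify_client on` also governs the `quic` listener on the same port, so a client that does not present a certificate over QUIC fails the handshake and is left with the TCP listener, plus an `Alt-Svc` port that has no matching `quic` listener. The parser flattens nested blocks, which is sufficient for these directives.

```python
import re

# Constructed sample: the reported server block, reduced to the directives this check looks at.
SAMPLE_CONF = """
server {
    listen       8087 ssl;
    http2        on;
    http3        on;
    listen 8087 quic reuseport;
    ssl_verify_client on;
    location / {
        add_header Alt-Svc 'h3=":8087"; ma=86400';
    }
}
"""

# One simple directive per line: name, arguments, terminating semicolon.
DIRECTIVE = re.compile(r'^\s*([a-z_0-9]+)\s+(.*?);\s*$', re.M)


def parse_directives(conf):
    """Return (name, args) pairs; blocks are flattened, which is enough for a listener/verify check."""
    return [(m.group(1), m.group(2)) for m in DIRECTIVE.finditer(conf)]


def audit_h3_mtls(conf):
    """Return a list of findings about QUIC listeners, client verification and Alt-Svc consistency."""
    d = parse_directives(conf)
    quic_ports = sorted({a.split()[0] for n, a in d if n == "listen" and "quic" in a.split()})
    http3_on = any(n == "http3" and a == "on" for n, a in d)
    verify = next((a for n, a in d if n == "ssl_verify_client"), "off")
    alt_svc_ports = sorted({p for n, a in d if n == "add_header" and a.startswith("Alt-Svc")
                            for p in re.findall(r'h3=":(\d+)"', a)})
    findings = []
    if quic_ports and not http3_on:
        findings.append("quic listener on %s but 'http3 on' is missing" % ",".join(quic_ports))
    if quic_ports and verify == "on":
        # ssl_verify_client is per server block, so the QUIC listener requires a client cert too;
        # a client that cannot present one over QUIC fails the TLS handshake and stays on the TCP listener.
        findings.append("ssl_verify_client on also covers the quic listener on %s: clients that do not "
                        "present a certificate over QUIC fail the handshake and fall back to TCP/HTTP2"
                        % ",".join(quic_ports))
    for p in alt_svc_ports:
        if p not in quic_ports:
            findings.append("Alt-Svc advertises h3 on port %s with no matching quic listener" % p)
    return findings


if __name__ == "__main__":
    for f in audit_h3_mtls(SAMPLE_CONF):
        print("WARN:", f)
```

Comparing the output for `ssl_verify_client on` against `optional` shows which single directive changes what the QUIC listener demands of the client.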
