From d0b788c0bd1593691f565853fac0f56ee59ba951 Mon Sep 17 00:00:00 2001
From: Sergey Kandaurov <pluknet@nginx.com>
Date: Tue, 7 Dec 2021 15:49:51 +0300
Subject: [PATCH] QUIC: clear SSL_OP_ENABLE_MIDDLEBOX_COMPAT on SSL context
 switch.

The SSL_OP_ENABLE_MIDDLEBOX_COMPAT option is provided by QuicTLS and enabled
by default in the newly created SSL contexts.  SSL_set_quic_method() is used
to clear it, which is required for SSL handshake to work on QUIC connections.
Switching context in the ngx_http_ssl_servername() SNI callback overrides SSL
options from the new SSL context.  This results in the option set again.
Fix is to explicitly clear it when switching to another SSL context.

Initially reported here (in Russian):
http://mailman.nginx.org/pipermail/nginx-ru/2021-November/063989.html
---
 src/http/ngx_http_request.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
index e8907c100..32a26379c 100644
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -953,6 +953,14 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
 
 #ifdef SSL_OP_NO_RENEGOTIATION
         SSL_set_options(ssl_conn, SSL_OP_NO_RENEGOTIATION);
+#endif
+
+#ifdef SSL_OP_ENABLE_MIDDLEBOX_COMPAT
+#if (NGX_HTTP_QUIC)
+        if (c->listening->quic) {
+            SSL_clear_options(ssl_conn, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
+        }
+#endif
 #endif
     }