Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Is the ngx_stream_ssl_preread_module of stream support the x25519kyber768draft00? #184

Open
QbsuranAlang opened this issue Sep 14, 2024 · 1 comment
Open

Is the ngx_stream_ssl_preread_module of stream support the x25519kyber768draft00? #184

QbsuranAlang opened this issue Sep 14, 2024 · 1 comment

Comments

@QbsuranAlang
Copy link

The chrome add a type of key share call x25519kyber768draft00 which is very large. In my test, it has 1263 bytes.

It lets the ClientHello fragmented into multi segments.(At least 2 segments)

As I known, at this phase(SSL preread), nginx calls read() with MSG_PEEK once and only once. It must not call twice to get the next segment. Due to some feature of MSG_PEEK with kernel things.

It causes a lots of IPS, IDS, WAFm SSLi and so on cannot work as well.

Is nginx affected? I don't have environment to simulate.
@arut
Copy link
Contributor

arut commented Sep 16, 2024

Why do you think recv(MSG_PEEK) can only be called once?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@arut @QbsuranAlang