
quiche: duplicate handshake

Open lilongyan-huawei opened this issue 4 years ago • 1 comments

Hi there. Client: quiche (10.102.201.12). Server: nginx+quiche (129.227.195.83). The handshake costs 2 RTTs, and the problem recurs occasionally. It seems to be caused by packet reordering. (image)

lilongyan-huawei avatar Sep 17 '21 02:09 lilongyan-huawei


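# General HTTP/3 setup
#
# NOTE(review): as originally posted, the `listen` lines sat directly in
# `http {}` and the `server {}` block sat outside it. nginx accepts `listen`
# only in `server` context and `server` only inside `http`, so the virtual
# host is nested here and the listeners live in it.
http {
    include       mime.types;
    default_type  application/octet-stream;

    # Let the client choose among the allowed suites. This is a preference
    # setting, not something HTTP/3 requires.
    ssl_prefer_server_ciphers off;

    # TLS 1.3 only. QUIC requires TLS 1.3; this line also restricts the
    # TCP (HTTP/2) listener to TLS 1.3 clients.
    ssl_protocols TLSv1.3;

    # Default certificate; the virtual host below overrides it.
    # Keep private key files readable only by the account that starts nginx.
    ssl_certificate /etc/nginx/ssl/cert.pem;
    ssl_certificate_key /etc/nginx/ssl/key.pem;
    ssl_session_cache shared:SSL:10m;

    # Key-exchange groups. The original used `ssl_conf_command Options ...`,
    # but `Options` takes TLS option flags, not group names.
    ssl_ecdh_curve X25519:prime256v1;

    # TLS 1.3 cipher suites.
    # NOTE(review): ssl_conf_command relies on OpenSSL's SSL_CONF API; confirm
    # the TLS library of this build supports it (a quiche-patched nginx is
    # normally built against BoringSSL).
    ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256;

    # Session handling
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # OCSP stapling.
    # NOTE(review): stapling needs a `resolver` to reach the responder, and
    # ssl_stapling_verify needs the issuer chain (in ssl_certificate or via
    # ssl_trusted_certificate). Neither is configured on this page; without
    # them nginx is likely to log a warning and serve no staple.
    ssl_stapling on;
    ssl_stapling_verify on;

    # QUIC tuning
    #
    # Retry is QUIC's stateless source-address validation. Turning it off
    # saves a round trip, but the server then creates connection state for
    # addresses it has not validated. On an Internet-facing listener, weigh
    # that against floods of Initial packets with spoofed sources before
    # leaving it off.
    quic_retry off;

    # NOTE(review): I could not match the directives below to stock nginx's
    # QUIC module or to the quiche nginx patch, and nginx refuses to start on
    # an unknown directive. They are left disabled; re-enable only those your
    # build documents.
    # quic_initial_rtt 200ms;             # Set an initial RTT value
    # quic_max_ack_delay 25ms;            # Limit the time for delayed acks
    # quic_max_reordering_threshold 3;    # Tolerate packet reordering by 3 packets
    # quic_buffer_size 8k;                # Buffer size for QUIC packets
    # quic_idle_timeout 60s;              # Timeout for idle connections
    # ssl_read_buffer_size 64k;
    # ssl_write_buffer_size 64k;

    # Virtual host
    server {
        server_name example.com;

        # QUIC runs over UDP and TLS/HTTP/2 over TCP, so each transport gets
        # its own listen line rather than one combined `ssl http2 quic` line.
        listen 443 quic reuseport;      # HTTP/3 (UDP)
        listen 443 ssl http2;           # HTTP/1.1 and HTTP/2 (TCP)
        listen [::]:443 quic reuseport; # HTTP/3 over IPv6
        listen [::]:443 ssl http2;      # HTTP/1.1 and HTTP/2 over IPv6

        ssl_certificate /etc/nginx/ssl/example.com.crt;
        ssl_certificate_key /etc/nginx/ssl/example.com.key;

        # Root path and index files
        root /var/www/example.com;
        index index.html;

        # Advertise HTTP/3 to clients that connected over TCP.
        # NOTE(review): `h3-29` is the draft-29 identifier. A build that
        # implements the final HTTP/3 RFC advertises `h3`; use the token that
        # matches what this server actually negotiates.
        add_header Alt-Svc 'h3-29=":443"; ma=86400';

        location / {
            try_files $uri $uri/ =404;
        }
    }
}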

ljluestc avatar Oct 18 '24 04:10 ljluestc

As of https://github.com/cloudflare/quiche/commit/e434e42173f73bb533f6a39cd853eac752731fd9 the nginx patch was removed from quiche. Hence we're closing this issue.

LPardue avatar May 08 '25 21:05 LPardue