nginx.git, branch release-1.15.5 nginx nginx-1.15.5-RELEASE 2018-10-02T15:13:51+00:00 Maxim Dounin mdounin@mdounin.ru 2018-10-02T15:13:51+00:00 c040ab4bbf393b39489c4cf9ebb21109b2c15a00 






SSL: fixed segfault on renegotiation (ticket #1646).
2018-10-02T14:46:18+00:00

Maxim Dounin
mdounin@mdounin.ru

2018-10-02T14:46:18+00:00

53803b4780be15d8014be183d4161091fd5f3376

In e3ba4026c02d (1.15.4) nginx own renegotiation checks were disabled
if SSL_OP_NO_RENEGOTIATION is available.  But since SSL_OP_NO_RENEGOTIATION
is only set on a connection, not in an SSL context, SSL_clear_option()
removed it as long as a matching virtual server was found.  This resulted
in a segmentation fault similar to the one fixed in a6902a941279 (1.9.8),
affecting nginx built with OpenSSL 1.1.0h or higher.

To fix this, SSL_OP_NO_RENEGOTIATION is now explicitly set in
ngx_http_ssl_servername() after adjusting options.  Additionally, instead
of c->ssl->renegotiation we now check c->ssl->handshaked, which seems
to be a more correct flag to test, and will prevent the segmentation fault
from happening even if SSL_OP_NO_RENEGOTIATION is not working.





In e3ba4026c02d (1.15.4) nginx own renegotiation checks were disabled
if SSL_OP_NO_RENEGOTIATION is available.  But since SSL_OP_NO_RENEGOTIATION
is only set on a connection, not in an SSL context, SSL_clear_option()
removed it as long as a matching virtual server was found.  This resulted
in a segmentation fault similar to the one fixed in a6902a941279 (1.9.8),
affecting nginx built with OpenSSL 1.1.0h or higher.

To fix this, SSL_OP_NO_RENEGOTIATION is now explicitly set in
ngx_http_ssl_servername() after adjusting options.  Additionally, instead
of c->ssl->renegotiation we now check c->ssl->handshaked, which seems
to be a more correct flag to test, and will prevent the segmentation fault
from happening even if SSL_OP_NO_RENEGOTIATION is not working.







Fixed off-by-one error in shared zone initialization.
2018-10-02T10:32:52+00:00

Ruslan Ermilov
ru@nginx.com

2018-10-02T10:32:52+00:00

df0dfa634d54904ea9e0714547547131a6b2da10

On systems without atomic ops, not enough space was allocated
for mutex's file name during shared zone initialization.





On systems without atomic ops, not enough space was allocated
for mutex's file name during shared zone initialization.







SSL: fixed unlocked access to sess_id->len.
2018-09-25T11:07:59+00:00

Ruslan Ermilov
ru@nginx.com

2018-09-25T11:07:59+00:00

a50dec6d6ac480b70b4fdf51507a1eda8a015e1b












Version bump.
2018-09-27T10:05:39+00:00

Ruslan Ermilov
ru@nginx.com

2018-09-27T10:05:39+00:00

99e06c69c535b545399baab352b4acfcd653647b












release-1.15.4 tag
2018-09-25T15:11:39+00:00

Maxim Dounin
mdounin@mdounin.ru

2018-09-25T15:11:39+00:00

31c0b30137320ff8254319eda45fe156a748d5b5












nginx-1.15.4-RELEASE
2018-09-25T15:11:39+00:00

Maxim Dounin
mdounin@mdounin.ru

2018-09-25T15:11:39+00:00

e4cf3f603a8c2fc35e1e1da4add85a8f07a9b74f












SSL: logging level of "no suitable signature algorithm".
2018-09-25T11:00:04+00:00

Maxim Dounin
mdounin@mdounin.ru

2018-09-25T11:00:04+00:00

b7edec61c3f37ebce5f55c4ec613b2275c11a7d7

The "no suitable signature algorithm" errors are reported by OpenSSL 1.1.1
when using TLSv1.3 if there are no shared signature algorithms.  In
particular, this can happen if the client limits available signature
algorithms to something we don't have a certificate for, or to an empty
list.  For example, the following command:

    openssl s_client -connect 127.0.0.1:8443 -sigalgs rsa_pkcs1_sha1

will always result in the "no suitable signature algorithm" error
as the "rsa_pkcs1_sha1" algorithm refers solely to signatures which
appear in certificates and not defined for use in TLS 1.3 handshake
messages.

The SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS error is what BoringSSL returns
in the same situation.





The "no suitable signature algorithm" errors are reported by OpenSSL 1.1.1
when using TLSv1.3 if there are no shared signature algorithms.  In
particular, this can happen if the client limits available signature
algorithms to something we don't have a certificate for, or to an empty
list.  For example, the following command:

    openssl s_client -connect 127.0.0.1:8443 -sigalgs rsa_pkcs1_sha1

will always result in the "no suitable signature algorithm" error
as the "rsa_pkcs1_sha1" algorithm refers solely to signatures which
appear in certificates and not defined for use in TLS 1.3 handshake
messages.

The SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS error is what BoringSSL returns
in the same situation.







SSL: logging level of "no suitable key share".
2018-09-25T10:59:53+00:00

Maxim Dounin
mdounin@mdounin.ru

2018-09-25T10:59:53+00:00

31ef0c47ca676c6640dc535fd5720a831b4c046c

The "no suitable key share" errors are reported by OpenSSL 1.1.1 when
using TLSv1.3 if there are no shared groups (that is, elliptic curves).
In particular, it is easy enough to trigger by using only a single
curve in ssl_ecdh_curve:

    ssl_ecdh_curve secp384r1;

and using a different curve in the client:

    openssl s_client -connect 127.0.0.1:443 -curves prime256v1

On the client side it is seen as "sslv3 alert handshake failure",
"SSL alert number 40":

0:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1528:SSL alert number 40

It can be also triggered with default ssl_ecdh_curve by using a curve
which is not in the default list (X25519, prime256v1, X448, secp521r1,
secp384r1):

    openssl s_client -connect 127.0.0.1:8443 -curves brainpoolP512r1

Given that many clients hardcode prime256v1, these errors might become
a common problem with TLSv1.3 if ssl_ecdh_curve is redefined.  Previously
this resulted in not using ECDH with such clients, but with TLSv1.3 it
is no longer possible and will result in a handshake failure.

The SSL_R_NO_SHARED_GROUP error is what BoringSSL returns in the same
situation.

Seen at:

https://serverfault.com/questions/932102/nginx-ssl-handshake-error-no-suitable-key-share





The "no suitable key share" errors are reported by OpenSSL 1.1.1 when
using TLSv1.3 if there are no shared groups (that is, elliptic curves).
In particular, it is easy enough to trigger by using only a single
curve in ssl_ecdh_curve:

    ssl_ecdh_curve secp384r1;

and using a different curve in the client:

    openssl s_client -connect 127.0.0.1:443 -curves prime256v1

On the client side it is seen as "sslv3 alert handshake failure",
"SSL alert number 40":

0:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1528:SSL alert number 40

It can be also triggered with default ssl_ecdh_curve by using a curve
which is not in the default list (X25519, prime256v1, X448, secp521r1,
secp384r1):

    openssl s_client -connect 127.0.0.1:8443 -curves brainpoolP512r1

Given that many clients hardcode prime256v1, these errors might become
a common problem with TLSv1.3 if ssl_ecdh_curve is redefined.  Previously
this resulted in not using ECDH with such clients, but with TLSv1.3 it
is no longer possible and will result in a handshake failure.

The SSL_R_NO_SHARED_GROUP error is what BoringSSL returns in the same
situation.

Seen at:

https://serverfault.com/questions/932102/nginx-ssl-handshake-error-no-suitable-key-share







Cache: status must be less then 599 in *_cache_valid directives.
2018-09-24T17:26:46+00:00

Gena Makhomed
gmm@csdoc.com

2018-09-24T17:26:46+00:00

1065455289d72b140f9e63a420b531eaae2d4039

Previously, configurations with typo, for example

    fastcgi_cache_valid 200301 302 5m;

successfully pass configuration test. Adding check for status
codes > 599, and such configurations are now properly rejected.





Previously, configurations with typo, for example

    fastcgi_cache_valid 200301 302 5m;

successfully pass configuration test. Adding check for status
codes > 599, and such configurations are now properly rejected.