nginx.git, branch release-1.27.4

nginx-1.27.4-RELEASE

2025-02-05T16:13:42+00:00

SNI: added restriction for TLSv1.3 cross-SNI session resumption.

2025-02-05T16:11:42+00:00

In OpenSSL, session resumption always happens in the default SSL context,
prior to invoking the SNI callback.  Further, unlike in TLSv1.2 and older
protocols, SSL_get_servername() returns values received in the resumption
handshake, which may be different from the value in the initial handshake.
Notably, this makes the restriction added in b720f650b insufficient for
sessions resumed with different SNI server name.

Considering the example from b720f650b, previously, a client was able to
request example.org by presenting a certificate for example.org, then to
resume and request example.com.

The fix is to reject handshakes resumed with a different server name, if
verification of client certificates is enabled in a corresponding server
configuration.

Added "keepalive_min_timeout" directive.

2025-02-05T10:08:01+00:00

The directive sets a timeout during which a keepalive connection will
not be closed by nginx for connection reuse or graceful shutdown.

The change allows clients that send multiple requests over the same
connection without delay or with a small delay between them, to avoid
receiving a TCP RST in response to one of them.  This excludes network
issues and non-graceful shutdown.  As a side-effect, it also addresses
the TCP reset problem described in RFC 9112, Section 9.6, when the last
sent HTTP response could be damaged by a followup TCP RST.  It is important
for non-idempotent requests, which cannot be retried by client.

It is not recommended to set keepalive_min_timeout to large values as
this can introduce an additional delay during graceful shutdown and may
restrict nginx from effective connection reuse.

Misc: moved documentation in generated ZIP archive.

2025-01-30T14:21:43+00:00

The recently added GitHub files now reside in the docs directory.

Configure: fixed --with-libatomic=DIR with recent libatomic_ops.

2025-01-30T13:16:10+00:00

The build location of the resulting libatomic_ops.a was changed in v7.4.0
after converting libatomic_ops to use libtool.  The fix is to use library
from the install path, this allows building with both old and new versions.

Initially reported here:
https://mailman.nginx.org/pipermail/nginx/2018-April/056054.html

QUIC: added missing casts in iov_base assignments.

2025-01-28T16:00:42+00:00

This is consistent with the rest of the code and fixes build on systems
with non-standard definition of struct iovec (Solaris, Illumos).

Upstream: fixed --with-compat build without SSL, broken by 454ad0e.

2025-01-23T18:50:13+00:00

SSL: avoid using mismatched certificate/key cached pairs.

2025-01-17T00:37:46+00:00

This can happen with certificates and certificate keys specified
with variables due to partial cache update in various scenarios:
- cache expiration with only one element of pair evicted
- on-disk update with non-cacheable encrypted keys
- non-atomic on-disk update

The fix is to retry with fresh data on X509_R_KEY_VALUES_MISMATCH.

Upstream: caching certificates and certificate keys with variables.

2025-01-17T00:37:46+00:00

Caching is enabled with proxy_ssl_certificate_cache and friends.

Co-authored-by: Aleksei Bavshin

SSL: cache revalidation of file based dynamic certificates.

2025-01-17T00:37:46+00:00

Revalidation is based on file modification time and uniq file index,
and happens after the cache object validity time is expired.