nginx.git, branch release-1.29.1 nginx nginx-1.29.1-RELEASE 2025-08-13T14:33:41+00:00 Sergey Kandaurov pluknet@nginx.com 2025-08-12T14:46:04+00:00 0024724f2f77ac4fa0d7394e859608d6844a5914 






Updated OpenSSL used for win32 builds.
2025-08-13T14:33:41+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-08-13T13:55:56+00:00

cc1c07ca33865bb632ae9b48b13c51dbb5389483












Mail: logging upstream to the error log with "smtp_auth none;".
2025-08-13T14:20:34+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-07-21T13:44:28+00:00

239e10793adb1e32847095ba6c1d14249bf19a5c

Previously, it was never logged because of missing login.





Previously, it was never logged because of missing login.







Mail: reset stale auth credentials with "smtp_auth none;".
2025-08-13T14:20:34+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-07-07T19:48:44+00:00

9c02c84a7443f3d736a1a5eb3f596de9af8a0c9c

They might be reused in a session if an SMTP client proceeded
unauthenticated after previous invalid authentication attempts.
This could confuse an authentication server when passing stale
credentials along with "Auth-Method: none".

The condition to send the "Auth-Salt" header is similarly refined.





They might be reused in a session if an SMTP client proceeded
unauthenticated after previous invalid authentication attempts.
This could confuse an authentication server when passing stale
credentials along with "Auth-Method: none".

The condition to send the "Auth-Salt" header is similarly refined.







Mail: improved error handling in plain/login/cram-md5 auth methods.
2025-08-13T14:20:34+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-08-12T11:55:02+00:00

765642b86e0df1b5ef37f42522be7d08d95909c9

Previously, login and password storage could be left in inconsistent
state in a session after decoding errors.





Previously, login and password storage could be left in inconsistent
state in a session after decoding errors.







Auth basic: fixed file descriptor leak on memory allocation error.
2025-08-11T16:57:47+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-08-08T15:44:27+00:00

034f15bbc251ed72018d8396e7eeb3bf30fd789b

Found by Coverity (CID 1662016).





Found by Coverity (CID 1662016).







SSL: support for compressed server certificates with OpenSSL.
2025-08-03T15:15:16+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-07-09T15:02:09+00:00

251444fcf4434bfddbe3394a568c51d4f7bd857f

The ssl_certificate_compression directive allows to send compressed
server certificates.  In OpenSSL, they are pre-compressed on startup.
To simplify configuration, the SSL_OP_NO_TX_CERTIFICATE_COMPRESSION
option is automatically cleared if certificates were pre-compressed.

SSL_CTX_compress_certs() may return an error in legitimate cases,
e.g., when none of compression algorithms is available or if the
resulting compressed size is larger than the original one, thus it
is silently ignored.

Certificate compression is supported in Chrome with brotli only,
in Safari with zlib only, and in Firefox with all listed algorithms.
It is supported since Ubuntu 24.10, which has OpenSSL with enabled
zlib and zstd support.

The actual list of algorithms supported in OpenSSL depends on how
the library was configured; it can be brotli, zlib, zstd as listed
in RFC 8879.





The ssl_certificate_compression directive allows to send compressed
server certificates.  In OpenSSL, they are pre-compressed on startup.
To simplify configuration, the SSL_OP_NO_TX_CERTIFICATE_COMPRESSION
option is automatically cleared if certificates were pre-compressed.

SSL_CTX_compress_certs() may return an error in legitimate cases,
e.g., when none of compression algorithms is available or if the
resulting compressed size is larger than the original one, thus it
is silently ignored.

Certificate compression is supported in Chrome with brotli only,
in Safari with zlib only, and in Firefox with all listed algorithms.
It is supported since Ubuntu 24.10, which has OpenSSL with enabled
zlib and zstd support.

The actual list of algorithms supported in OpenSSL depends on how
the library was configured; it can be brotli, zlib, zstd as listed
in RFC 8879.







SSL: disabled certificate compression by default with OpenSSL.
2025-08-03T15:15:16+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-07-15T11:55:26+00:00

ed99269eed283e474590bbe951bad1d74b721955

Certificate compression is supported since OpenSSL 3.2, it is enabled
automatically as negotiated in a TLSv1.3 handshake.

Using certificate compression and decompression in runtime may be
suboptimal in terms of CPU and memory consumption in certain typical
scenarios, hence it is disabled by default on both server and client
sides.  It can be enabled with ssl_conf_command and similar directives
in upstream as appropriate, for example:

    ssl_conf_command Options RxCertificateCompression;
    ssl_conf_command Options TxCertificateCompression;

Compressing server certificates requires additional support, this is
addressed separately.





Certificate compression is supported since OpenSSL 3.2, it is enabled
automatically as negotiated in a TLSv1.3 handshake.

Using certificate compression and decompression in runtime may be
suboptimal in terms of CPU and memory consumption in certain typical
scenarios, hence it is disabled by default on both server and client
sides.  It can be enabled with ssl_conf_command and similar directives
in upstream as appropriate, for example:

    ssl_conf_command Options RxCertificateCompression;
    ssl_conf_command Options TxCertificateCompression;

Compressing server certificates requires additional support, this is
addressed separately.







Updated ngx_http_process_multi_header_lines() comments.
2025-08-03T06:07:07+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-07-31T17:31:27+00:00

f4005126d78d19f1efd4f8fb4cad916d8976d97a

Missed in fcf4331a0.





Missed in fcf4331a0.







HTTP/3: improved invalid ":authority" error message.
2025-08-03T06:07:07+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-07-30T13:43:44+00:00

372659114ed9b7a406093890ec2bdf437925ce64