nginx.git/auto/lib/openssl, branch no-short-read-checks nginx QUIC: using QUIC API introduced in OpenSSL 3.5. 2025-05-23T11:00:47+00:00 Sergey Kandaurov pluknet@nginx.com 2025-02-13T13:00:56+00:00 6a134dfd4888fc3850d22294687cfb3940994c69 Similarly to the QUIC API originated in BoringSSL, this API allows to register custom TLS callbacks for an external QUIC implementation. See the SSL_set_quic_tls_cbs manual page for details. Due to a different approach used in OpenSSL 3.5, handling of CRYPTO frames was streamlined to always write an incoming CRYPTO buffer to the crypto context. Using SSL_provide_quic_data(), this results in transient allocation of chain links and buffers for CRYPTO frames received in order. Testing didn't reveal performance degradation of QUIC handshakes, https://github.com/nginx/nginx/pull/646 provides specific results. 
Similarly to the QUIC API originated in BoringSSL, this API allows
to register custom TLS callbacks for an external QUIC implementation.
See the SSL_set_quic_tls_cbs manual page for details.

Due to a different approach used in OpenSSL 3.5, handling of CRYPTO
frames was streamlined to always write an incoming CRYPTO buffer to
the crypto context.  Using SSL_provide_quic_data(), this results in
transient allocation of chain links and buffers for CRYPTO frames
received in order.  Testing didn't reveal performance degradation of
QUIC handshakes, https://github.com/nginx/nginx/pull/646 provides
specific results.
QUIC: defined SSL API macros in a single place. 2025-05-23T11:00:47+00:00 Sergey Kandaurov pluknet@nginx.com 2025-05-20T23:54:45+00:00 e561f7dbcfc27f5f648e5151de0796e691cbc1b0 All definitions now set in ngx_event_quic.h, this includes moving NGX_QUIC_OPENSSL_COMPAT from autotests to compile time. Further, to improve code readability, a new NGX_QUIC_QUICTLS_API macro is used for QuicTLS that provides old BoringSSL QUIC API. 
All definitions now set in ngx_event_quic.h, this includes moving
NGX_QUIC_OPENSSL_COMPAT from autotests to compile time.  Further,
to improve code readability, a new NGX_QUIC_QUICTLS_API macro is
used for QuicTLS that provides old BoringSSL QUIC API.
Win32: added detection of ARM64 target. 2025-04-18T19:57:26+00:00 Aleksei Bavshin a.bavshin@nginx.com 2025-01-14T19:11:28+00:00 020b1db7eb187d4a9a5f1d6154c664a463473b36 This extends the target selection implemented in dad6ec3aa63f to support Windows ARM64 platforms. OpenSSL support for VC-WIN64-ARM target first appeared in 1.1.1 and is present in all currently supported (3.x) branches. As a side effect, ARM64 Windows builds will get 16-byte alignment along with the rest of non-x86 platforms. This is safe, as malloc on 64-bit Windows guarantees the fundamental alignment of allocations, 16 bytes. 
This extends the target selection implemented in dad6ec3aa63f to support
Windows ARM64 platforms.  OpenSSL support for VC-WIN64-ARM target first
appeared in 1.1.1 and is present in all currently supported (3.x)
branches.

As a side effect, ARM64 Windows builds will get 16-byte alignment along
with the rest of non-x86 platforms.  This is safe, as malloc on 64-bit
Windows guarantees the fundamental alignment of allocations, 16 bytes.
Configure: added support for Homebrew on Apple Silicon. 2024-02-26T20:00:43+00:00 Piotr Sikora piotr@aviatrix.com 2024-02-26T20:00:43+00:00 2deded362ee052564e7359d53c81973c16b18e72 Signed-off-by: Piotr Sikora <piotr@aviatrix.com> 
Signed-off-by: Piotr Sikora <piotr@aviatrix.com>
SSL: avoid using OpenSSL config in build directory (ticket #2404). 2023-06-20T22:29:53+00:00 Maxim Dounin mdounin@mdounin.ru 2023-06-20T22:29:53+00:00 bdea5b703ff6f6fcf98ac8dd4e1e9e5c9ad05017 With this change, the NGX_OPENSSL_NO_CONFIG macro is defined when nginx is asked to build OpenSSL itself. And with this macro automatic loading of OpenSSL configuration (from the build directory) is prevented unless the OPENSSL_CONF environment variable is explicitly set. Note that not loading configuration is broken in OpenSSL 1.1.1 and 1.1.1a (fixed in OpenSSL 1.1.1b, see https://github.com/openssl/openssl/issues/7350). If nginx is used to compile these OpenSSL versions, configuring nginx with NGX_OPENSSL_NO_CONFIG explicitly set to 0 might be used as a workaround. 
With this change, the NGX_OPENSSL_NO_CONFIG macro is defined when nginx
is asked to build OpenSSL itself.  And with this macro automatic loading
of OpenSSL configuration (from the build directory) is prevented unless
the OPENSSL_CONF environment variable is explicitly set.

Note that not loading configuration is broken in OpenSSL 1.1.1 and 1.1.1a
(fixed in OpenSSL 1.1.1b, see https://github.com/openssl/openssl/issues/7350).
If nginx is used to compile these OpenSSL versions, configuring nginx with
NGX_OPENSSL_NO_CONFIG explicitly set to 0 might be used as a workaround.
Merged with the default branch. 2023-03-29T07:14:25+00:00 Sergey Kandaurov pluknet@nginx.com 2023-03-29T07:14:25+00:00 e8fbc967470b39513248cd961ccccf7a032831ea 






Win32: OpenSSL compilation for x64 targets with MSVC.
2023-02-23T15:16:08+00:00

Maxim Dounin
mdounin@mdounin.ru

2023-02-23T15:16:08+00:00

dad6ec3aa63fbd3b427d74842fa659f7a0b82f3b

To ensure proper target selection the NGX_MACHINE variable is now set
based on the MSVC compiler output, and the OpenSSL target is set based
on it.

This is not important as long as "no-asm" is used (as in misc/GNUmakefile
and win32 build instructions), but might be beneficial if someone is trying
to build OpenSSL with assembler code.





To ensure proper target selection the NGX_MACHINE variable is now set
based on the MSVC compiler output, and the OpenSSL target is set based
on it.

This is not important as long as "no-asm" is used (as in misc/GNUmakefile
and win32 build instructions), but might be beneficial if someone is trying
to build OpenSSL with assembler code.







QUIC: OpenSSL compatibility layer.
2023-02-22T15:16:53+00:00

Roman Arutyunyan
arut@nginx.com

2023-02-22T15:16:53+00:00

a36ebf7e95baebf445b0973bd270bc009b0b0e9a

The change allows to compile QUIC with OpenSSL which lacks BoringSSL QUIC API.

This implementation does not support 0-RTT.





The change allows to compile QUIC with OpenSSL which lacks BoringSSL QUIC API.

This implementation does not support 0-RTT.







Win32: disabled threads support in OpenSSL builds.
2022-09-06T21:47:31+00:00

Maxim Dounin
mdounin@mdounin.ru

2022-09-06T21:47:31+00:00

fb0890aee646ec4bb2b5c57f113f5bed433be7cc

Threads are disabled during UNIX builds (see b329c0ab1a48), and also not
needed for Windows builds.

This used to be the default before OpenSSL 1.1.0.





Threads are disabled during UNIX builds (see b329c0ab1a48), and also not
needed for Windows builds.

This used to be the default before OpenSSL 1.1.0.







Merged with the default branch.
2022-10-20T12:41:36+00:00

Sergey Kandaurov
pluknet@nginx.com

2022-10-20T12:41:36+00:00

3123fac3e764b4706881ffcb8f8b554c1628c5e0