nginx.git/src/event/ngx_event_openssl.c, branch release-1.29.2 nginx SSL: fixed "key values mismatch" with object cache inheritance. 2025-10-06T08:56:42+00:00 Sergey Kandaurov pluknet@nginx.com 2025-05-29T13:49:48+00:00 a144d828cb70f788e2f8b06e820af95ae2e28f75 In rare cases, it was possible to get into this error state on reload with improperly updated file timestamps for certificate and key pairs. The fix is to retry on X509_R_KEY_VALUES_MISMATCH, similar to 5d5d9adcc. Additionally, loading SSL certificate is updated to avoid certificates discarded on retry to appear in ssl->certs and in extra chain. 
In rare cases, it was possible to get into this error state on reload
with improperly updated file timestamps for certificate and key pairs.

The fix is to retry on X509_R_KEY_VALUES_MISMATCH, similar to 5d5d9adcc.
Additionally, loading SSL certificate is updated to avoid certificates
discarded on retry to appear in ssl->certs and in extra chain.
SNI: support for early ClientHello callback with BoringSSL. 2025-09-25T15:25:08+00:00 Sergey Kandaurov pluknet@nginx.com 2025-09-22T15:55:16+00:00 7f9ced0ce0d70ae60f46ef3ed759efa75e711db4 This brings feature parity with OpenSSL after the previous change, making it possible to set SSL protocols per virtual server. 
This brings feature parity with OpenSSL after the previous change,
making it possible to set SSL protocols per virtual server.
SNI: using the ClientHello callback. 2025-09-25T15:25:08+00:00 Sergey Kandaurov pluknet@nginx.com 2025-01-27T20:53:15+00:00 0373fe5d98c1515640e74fa6f4d32fac1f1d3ab2 The change introduces an SNI based virtual server selection during early ClientHello processing. The callback is available since OpenSSL 1.1.1; for older OpenSSL versions, the previous behaviour is kept. Using the ClientHello callback sets a reasonable processing order for the "server_name" TLS extension. Notably, session resumption decision now happens after applying server configuration chosen by SNI, useful with enabled verification of client certificates, which brings consistency with BoringSSL behaviour. The change supersedes and reverts a fix made in 46b9f5d38 for TLSv1.3 resumed sessions. In addition, since the callback is invoked prior to the protocol version negotiation, this makes it possible to set "ssl_protocols" on a per-virtual server basis. To keep the $ssl_server_name variable working with TLSv1.2 resumed sessions, as previously fixed in fd97b2a80, a limited server name callback is preserved in order to acknowledge the extension. Note that to allow third-party modules to properly chain the call to ngx_ssl_client_hello_callback(), the servername callback function is passed through exdata. 
The change introduces an SNI based virtual server selection during
early ClientHello processing.  The callback is available since
OpenSSL 1.1.1; for older OpenSSL versions, the previous behaviour
is kept.

Using the ClientHello callback sets a reasonable processing order
for the "server_name" TLS extension.  Notably, session resumption
decision now happens after applying server configuration chosen by
SNI, useful with enabled verification of client certificates, which
brings consistency with BoringSSL behaviour.  The change supersedes
and reverts a fix made in 46b9f5d38 for TLSv1.3 resumed sessions.

In addition, since the callback is invoked prior to the protocol
version negotiation, this makes it possible to set "ssl_protocols"
on a per-virtual server basis.

To keep the $ssl_server_name variable working with TLSv1.2 resumed
sessions, as previously fixed in fd97b2a80, a limited server name
callback is preserved in order to acknowledge the extension.

Note that to allow third-party modules to properly chain the call to
ngx_ssl_client_hello_callback(), the servername callback function is
passed through exdata.
SSL: support for compressed server certificates with OpenSSL. 2025-08-03T15:15:16+00:00 Sergey Kandaurov pluknet@nginx.com 2025-07-09T15:02:09+00:00 251444fcf4434bfddbe3394a568c51d4f7bd857f The ssl_certificate_compression directive allows to send compressed server certificates. In OpenSSL, they are pre-compressed on startup. To simplify configuration, the SSL_OP_NO_TX_CERTIFICATE_COMPRESSION option is automatically cleared if certificates were pre-compressed. SSL_CTX_compress_certs() may return an error in legitimate cases, e.g., when none of compression algorithms is available or if the resulting compressed size is larger than the original one, thus it is silently ignored. Certificate compression is supported in Chrome with brotli only, in Safari with zlib only, and in Firefox with all listed algorithms. It is supported since Ubuntu 24.10, which has OpenSSL with enabled zlib and zstd support. The actual list of algorithms supported in OpenSSL depends on how the library was configured; it can be brotli, zlib, zstd as listed in RFC 8879. 
The ssl_certificate_compression directive allows to send compressed
server certificates.  In OpenSSL, they are pre-compressed on startup.
To simplify configuration, the SSL_OP_NO_TX_CERTIFICATE_COMPRESSION
option is automatically cleared if certificates were pre-compressed.

SSL_CTX_compress_certs() may return an error in legitimate cases,
e.g., when none of compression algorithms is available or if the
resulting compressed size is larger than the original one, thus it
is silently ignored.

Certificate compression is supported in Chrome with brotli only,
in Safari with zlib only, and in Firefox with all listed algorithms.
It is supported since Ubuntu 24.10, which has OpenSSL with enabled
zlib and zstd support.

The actual list of algorithms supported in OpenSSL depends on how
the library was configured; it can be brotli, zlib, zstd as listed
in RFC 8879.
SSL: disabled certificate compression by default with OpenSSL. 2025-08-03T15:15:16+00:00 Sergey Kandaurov pluknet@nginx.com 2025-07-15T11:55:26+00:00 ed99269eed283e474590bbe951bad1d74b721955 Certificate compression is supported since OpenSSL 3.2, it is enabled automatically as negotiated in a TLSv1.3 handshake. Using certificate compression and decompression in runtime may be suboptimal in terms of CPU and memory consumption in certain typical scenarios, hence it is disabled by default on both server and client sides. It can be enabled with ssl_conf_command and similar directives in upstream as appropriate, for example: ssl_conf_command Options RxCertificateCompression; ssl_conf_command Options TxCertificateCompression; Compressing server certificates requires additional support, this is addressed separately. 
Certificate compression is supported since OpenSSL 3.2, it is enabled
automatically as negotiated in a TLSv1.3 handshake.

Using certificate compression and decompression in runtime may be
suboptimal in terms of CPU and memory consumption in certain typical
scenarios, hence it is disabled by default on both server and client
sides.  It can be enabled with ssl_conf_command and similar directives
in upstream as appropriate, for example:

    ssl_conf_command Options RxCertificateCompression;
    ssl_conf_command Options TxCertificateCompression;

Compressing server certificates requires additional support, this is
addressed separately.
SSL: fixed testing OPENSSL_VERSION_NUMBER for OpenSSL 3.0+. 2025-07-10T15:00:45+00:00 Sergey Kandaurov pluknet@nginx.com 2025-07-08T14:07:04+00:00 a5ca38f30392e93aadc32cf5955c29fddcaa3871 Prior to OpenSSL 3.0, OPENSSL_VERSION_NUMBER used the following format: MNNFFPPS: major minor fix patch status Where the status nibble (S) has 0+ for development and f for release. The format was changed in OpenSSL 3.0.0, where it is always zero: MNN00PP0: major minor patch 
Prior to OpenSSL 3.0, OPENSSL_VERSION_NUMBER used the following format:

MNNFFPPS: major minor fix patch status

Where the status nibble (S) has 0+ for development and f for release.

The format was changed in OpenSSL 3.0.0, where it is always zero:

MNN00PP0: major minor patch
SSL: SSL_group_to_name() compatibility macro. 2025-07-10T15:00:45+00:00 Sergey Kandaurov pluknet@nginx.com 2025-07-08T13:59:50+00:00 a5d60c30d3d494291dd7e2ddde4536a439bab5bf No functional changes. 
No functional changes.
QUIC: logging level of handshake errors. 2025-05-23T11:00:47+00:00 Sergey Kandaurov pluknet@nginx.com 2025-05-06T11:09:28+00:00 ef9cd3214ff3d9d1513da8927423f42184dcf8e5 Various errors reported by SSL_do_handshake() are now logged at the "info" or "crit" level, akin to handshakes on regular TCP connections. 
Various errors reported by SSL_do_handshake() are now logged at the
"info" or "crit" level, akin to handshakes on regular TCP connections.
SSL: fixed build with OPENSSL_NO_DH. 2025-04-25T10:56:31+00:00 Sergey Kandaurov pluknet@nginx.com 2025-04-16T16:58:57+00:00 adda7041582d8565ee1e5e7dfe740db85398e1ce 






SSL: external groups support in $ssl_curve and $ssl_curves.
2025-04-10T14:51:10+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-04-03T11:29:31+00:00

b6e7eb0f5792d7a52d2675ee3906e502d63c48e3

Starting with OpenSSL 3.0, groups may be added externally with pluggable
KEM providers.  Using SSL_get_negotiated_group(), which makes lookup in a
static table with known groups, doesn't allow to list such groups by names
leaving them in hex.  Adding X25519MLKEM768 to the default group list in
OpenSSL 3.5 made this problem more visible.  SSL_get0_group_name() and,
apparently, SSL_group_to_name() allow to resolve such provider-implemented
groups, which is also "generally preferred" over SSL_get_negotiated_group()
as documented in OpenSSL git commit 93d4f6133f.

This change makes external groups listing by name using SSL_group_to_name()
available since OpenSSL 3.0.  To preserve "prime256v1" naming for the group
0x0017, and to avoid breaking BoringSSL and older OpenSSL versions support,
it is used supplementary for a group that appears to be unknown.

See https://github.com/openssl/openssl/issues/27137 for related discussion.





Starting with OpenSSL 3.0, groups may be added externally with pluggable
KEM providers.  Using SSL_get_negotiated_group(), which makes lookup in a
static table with known groups, doesn't allow to list such groups by names
leaving them in hex.  Adding X25519MLKEM768 to the default group list in
OpenSSL 3.5 made this problem more visible.  SSL_get0_group_name() and,
apparently, SSL_group_to_name() allow to resolve such provider-implemented
groups, which is also "generally preferred" over SSL_get_negotiated_group()
as documented in OpenSSL git commit 93d4f6133f.

This change makes external groups listing by name using SSL_group_to_name()
available since OpenSSL 3.0.  To preserve "prime256v1" naming for the group
0x0017, and to avoid breaking BoringSSL and older OpenSSL versions support,
it is used supplementary for a group that appears to be unknown.

See https://github.com/openssl/openssl/issues/27137 for related discussion.