nginx.git/src/event/ngx_event_openssl_cache.c, branch release-1.28.3 nginx SSL: fixed "key values mismatch" with object cache inheritance. 2025-12-23T18:40:33+00:00 Sergey Kandaurov pluknet@nginx.com 2025-05-29T13:49:48+00:00 592bda7bb6c202e48da8e4181de936f70edff58e In rare cases, it was possible to get into this error state on reload with improperly updated file timestamps for certificate and key pairs. The fix is to retry on X509_R_KEY_VALUES_MISMATCH, similar to 5d5d9adcc. Additionally, loading SSL certificate is updated to avoid certificates discarded on retry to appear in ssl->certs and in extra chain. 
In rare cases, it was possible to get into this error state on reload
with improperly updated file timestamps for certificate and key pairs.

The fix is to retry on X509_R_KEY_VALUES_MISMATCH, similar to 5d5d9adcc.
Additionally, loading SSL certificate is updated to avoid certificates
discarded on retry to appear in ssl->certs and in extra chain.
Use NULL instead of 0 for null pointer constant. 2025-12-23T18:40:33+00:00 Andrew Clayton a.clayton@nginx.com 2025-05-21T21:30:20+00:00 a39be5d9d296b72091f3181eea58303ac8d0828f There were a few random places where 0 was being used as a null pointer constant. We have a NULL macro for this very purpose, use it. There is also some interest in actually deprecating the use of 0 as a null pointer constant in C. This was found with -Wzero-as-null-pointer-constant which was enabled for C in GCC 15 (not enabled with Wall or Wextra... yet). Link: <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=117059> 
There were a few random places where 0 was being used as a null pointer
constant.

We have a NULL macro for this very purpose, use it.

There is also some interest in actually deprecating the use of 0 as a
null pointer constant in C.

This was found with -Wzero-as-null-pointer-constant which was enabled
for C in GCC 15 (not enabled with Wall or Wextra... yet).

Link: <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=117059>
SSL: avoid using mismatched certificate/key cached pairs. 2025-01-17T00:37:46+00:00 Sergey Kandaurov pluknet@nginx.com 2025-01-08T13:50:33+00:00 5d5d9adccfeaff7d5926737ee5dfa43937fe5899 This can happen with certificates and certificate keys specified with variables due to partial cache update in various scenarios: - cache expiration with only one element of pair evicted - on-disk update with non-cacheable encrypted keys - non-atomic on-disk update The fix is to retry with fresh data on X509_R_KEY_VALUES_MISMATCH. 
This can happen with certificates and certificate keys specified
with variables due to partial cache update in various scenarios:
- cache expiration with only one element of pair evicted
- on-disk update with non-cacheable encrypted keys
- non-atomic on-disk update

The fix is to retry with fresh data on X509_R_KEY_VALUES_MISMATCH.
SSL: cache revalidation of file based dynamic certificates. 2025-01-17T00:37:46+00:00 Sergey Kandaurov pluknet@nginx.com 2025-01-13T17:40:04+00:00 4b96ad14f3607ab39b160715aeba721097ac4da4 Revalidation is based on file modification time and uniq file index, and happens after the cache object validity time is expired. 
Revalidation is based on file modification time and uniq file index,
and happens after the cache object validity time is expired.
SSL: caching certificates and certificate keys with variables. 2025-01-17T00:37:46+00:00 Sergey Kandaurov pluknet@nginx.com 2024-10-29T12:25:11+00:00 0e756d67aa1e42e3b1b360936eb4d6c06bced2c1 A new directive "ssl_certificate_cache max=N [valid=time] [inactive=time]" enables caching of SSL certificate chain and secret key objects specified by "ssl_certificate" and "ssl_certificate_key" directives with variables. Co-authored-by: Aleksei Bavshin <a.bavshin@nginx.com> 
A new directive "ssl_certificate_cache max=N [valid=time] [inactive=time]"
enables caching of SSL certificate chain and secret key objects specified
by "ssl_certificate" and "ssl_certificate_key" directives with variables.

Co-authored-by: Aleksei Bavshin <a.bavshin@nginx.com>
SSL: encrypted certificate keys are exempt from object cache. 2025-01-17T00:37:46+00:00 Sergey Kandaurov pluknet@nginx.com 2024-12-18T16:09:58+00:00 7677d5646aeb761b8b9da5af3eb10c008aae3f90 SSL object cache, as previously introduced in 1.27.2, did not take into account encrypted certificate keys that might be unexpectedly fetched from the cache regardless of the matching passphrase. To avoid this, caching of encrypted certificate keys is now disabled based on the passphrase callback invocation. A notable exception is encrypted certificate keys configured without ssl_password_file. They are loaded once resulting in the passphrase prompt on startup and reused in other contexts as applicable. 
SSL object cache, as previously introduced in 1.27.2, did not take
into account encrypted certificate keys that might be unexpectedly
fetched from the cache regardless of the matching passphrase.  To
avoid this, caching of encrypted certificate keys is now disabled
based on the passphrase callback invocation.

A notable exception is encrypted certificate keys configured without
ssl_password_file.  They are loaded once resulting in the passphrase
prompt on startup and reused in other contexts as applicable.
SSL: object cache inheritance from the old configuration cycle. 2025-01-17T00:37:46+00:00 Sergey Kandaurov pluknet@nginx.com 2024-12-18T16:03:35+00:00 8311e14ae614529aabe9e72e87051d191b723fb4 Memory based objects are always inherited, engine based objects are never inherited to adhere the volatile nature of engines, file based objects are inherited subject to modification time and file index. The previous behaviour to bypass cache from the old configuration cycle is preserved with a new directive "ssl_object_cache_inheritable off;". 
Memory based objects are always inherited, engine based objects are
never inherited to adhere the volatile nature of engines, file based
objects are inherited subject to modification time and file index.

The previous behaviour to bypass cache from the old configuration cycle
is preserved with a new directive "ssl_object_cache_inheritable off;".
SSL: error message default in object caching API. 2024-11-19T17:37:03+00:00 Sergey Kandaurov pluknet@nginx.com 2024-10-28T20:50:40+00:00 0ebc3242d99d3b9d00891b3cddda11ff9c2e86c4 This change initializes the "err" variable, used to produce a meaningful diagnostics on error path, to a good safe value. 
This change initializes the "err" variable, used to produce a meaningful
diagnostics on error path, to a good safe value.
SSL: caching CA certificates. 2024-10-01T13:59:24+00:00 Sergey Kandaurov pluknet@nginx.com 2024-09-09T15:05:58+00:00 5917e9de5a45bb7288c1c433db840d1a4c6290f3 This can potentially provide a large amount of savings, because CA certificates can be quite large. Based on previous work by Mini Hawthorne. 
This can potentially provide a large amount of savings,
because CA certificates can be quite large.

Based on previous work by Mini Hawthorne.
SSL: caching CRLs. 2024-10-01T13:59:24+00:00 Sergey Kandaurov pluknet@nginx.com 2024-09-09T15:05:31+00:00 61314518de74fcb3af954ea6e6cb2820307676d0 Based on previous work by Mini Hawthorne. 
Based on previous work by Mini Hawthorne.