nginx.git/src/event, branch release-1.10.3 nginx Upstream: fixed cache corruption and socket leaks with aio_write. 2017-01-20T18:14:19+00:00 Maxim Dounin mdounin@mdounin.ru 2017-01-20T18:14:19+00:00 be7975abe328856a80e5041151265fef259b3547 The ngx_event_pipe() function wasn't called on write events with wev->delayed set. As a result, threaded writing results weren't properly collected in ngx_event_pipe_write_to_downstream() when a write event was triggered for a completed write. Further, this wasn't detected, as p->aio was reset by a thread completion handler, and results were later collected in ngx_event_pipe_read_upstream() instead of scheduling a new write of additional data. If this happened on the last reading from an upstream, last part of the response was never written to the cache file. Similar problems might also happen in case of timeouts when writing to client, as this also results in ngx_event_pipe() not being called on write events. In this scenario socket leaks were observed. Fix is to check if p->writing is set in ngx_event_pipe_read_upstream(), and therefore collect results of previous write operations in case of read events as well, similar to how we do so in ngx_event_pipe_write_downstream(). This is enough to fix the wev->delayed case. Additionally, we now call ngx_event_pipe() from ngx_http_upstream_process_request() if there are uncollected write operations (p->writing and !p->aio). This also fixes the wev->timedout case. 
The ngx_event_pipe() function wasn't called on write events with
wev->delayed set.  As a result, threaded writing results weren't
properly collected in ngx_event_pipe_write_to_downstream() when a
write event was triggered for a completed write.

Further, this wasn't detected, as p->aio was reset by a thread completion
handler, and results were later collected in ngx_event_pipe_read_upstream()
instead of scheduling a new write of additional data.  If this happened
on the last reading from an upstream, last part of the response was never
written to the cache file.

Similar problems might also happen in case of timeouts when writing to
client, as this also results in ngx_event_pipe() not being called on write
events.  In this scenario socket leaks were observed.

Fix is to check if p->writing is set in ngx_event_pipe_read_upstream(), and
therefore collect results of previous write operations in case of read events
as well, similar to how we do so in ngx_event_pipe_write_downstream().
This is enough to fix the wev->delayed case.  Additionally, we now call
ngx_event_pipe() from ngx_http_upstream_process_request() if there are
uncollected write operations (p->writing and !p->aio).  This also fixes
the wev->timedout case.
SSL: default DH parameters compatible with OpenSSL 1.1.0. 2016-10-18T14:25:38+00:00 Maxim Dounin mdounin@mdounin.ru 2016-10-18T14:25:38+00:00 789abf2b8cfd184555a09f7001b59e82c003c43c This is a direct commit to stable as there is no corresponding code in mainline, default DH parameters were removed in 1aa9650a8154. 
This is a direct commit to stable as there is no corresponding code
in mainline, default DH parameters were removed in 1aa9650a8154.
Event pipe: do not set file's thread_handler if not needed. 2016-09-01T17:05:23+00:00 Maxim Dounin mdounin@mdounin.ru 2016-09-01T17:05:23+00:00 09453e10d03571ecb32fe8bc77d4bcc7e10fcf3a This fixes a problem with aio threads and sendfile with aio_write switched off, as observed with range requests after fc72784b1f52 (1.9.13). Potential problems with sendfile in threads were previously described in 9fd738b85fad, and this seems to be one of them. The problem occurred as file's thread_handler was set to NULL by event pipe code after a sendfile thread task was scheduled. As a result, no sendfile completion code was executed, and the same buffer was additionally sent using non-threaded sendfile. Fix is to avoid modifying file's thread_handler if aio_write is switched off. Note that with "aio_write on" it is still possible that sendfile will use thread_handler as set by event pipe. This is believed to be safe though, as handlers used are compatible. 
This fixes a problem with aio threads and sendfile with aio_write switched
off, as observed with range requests after fc72784b1f52 (1.9.13).  Potential
problems with sendfile in threads were previously described in 9fd738b85fad,
and this seems to be one of them.

The problem occurred as file's thread_handler was set to NULL by event pipe
code after a sendfile thread task was scheduled.  As a result, no sendfile
completion code was executed, and the same buffer was additionally sent
using non-threaded sendfile.  Fix is to avoid modifying file's thread_handler
if aio_write is switched off.

Note that with "aio_write on" it is still possible that sendfile will use
thread_handler as set by event pipe.  This is believed to be safe though,
as handlers used are compatible.
SSL: adopted session ticket handling for OpenSSL 1.1.0. 2016-08-22T15:53:21+00:00 Sergey Kandaurov pluknet@nginx.com 2016-08-22T15:53:21+00:00 63260a6842e1b9c4dbe28c669ff2c74a63f8df5c Return 1 in the SSL_CTX_set_tlsext_ticket_key_cb() callback function to indicate that a new session ticket is created, as per documentation. Until 1.1.0, OpenSSL didn't make a distinction between non-negative return values. See https://git.openssl.org/?p=openssl.git;a=commitdiff;h=5c753de for details. 
Return 1 in the SSL_CTX_set_tlsext_ticket_key_cb() callback function
to indicate that a new session ticket is created, as per documentation.
Until 1.1.0, OpenSSL didn't make a distinction between non-negative
return values.

See https://git.openssl.org/?p=openssl.git;a=commitdiff;h=5c753de for details.
SSL: guarded SSL_R_NO_CIPHERS_PASSED not present in OpenSSL 1.1.0. 2016-08-08T10:44:49+00:00 Sergey Kandaurov pluknet@nginx.com 2016-08-08T10:44:49+00:00 f3dfbb5d1fd00659e886a1cdb56cc07a68340e6d It was removed in OpenSSL 1.1.0 Beta 3 (pre-release 6). It was not used since OpenSSL 1.0.1n and 1.0.2b. 
It was removed in OpenSSL 1.1.0 Beta 3 (pre-release 6).  It was
not used since OpenSSL 1.0.1n and 1.0.2b.
Removed redundant "u" format specifier. 2016-04-08T12:03:38+00:00 Ruslan Ermilov ru@nginx.com 2016-04-08T12:03:38+00:00 37a3a2b2e8ef3202045e4095d894f806ed5e7654 It is implied for "x" and "X". 
It is implied for "x" and "X".
Fixed spelling. 2016-04-07T08:50:13+00:00 Josh Soref timeless@gmail.com 2016-04-07T08:50:13+00:00 73d27510c0d7022384a611269af22ff01634c6d0 






SSL: SSLeay_version() is deprecated in OpenSSL 1.1.0.
2016-03-31T20:38:38+00:00

Maxim Dounin
mdounin@mdounin.ru

2016-03-31T20:38:38+00:00

2e251b1c342370b8b3365cf30eca2cf61d9ef559

SSLeay_version() and SSLeay() are no longer available if OPENSSL_API_COMPAT
is set to 0x10100000L.  Switched to using OpenSSL_version() instead.

Additionally, we now compare version strings instead of version numbers,
and this correctly works for LibreSSL as well.





SSLeay_version() and SSLeay() are no longer available if OPENSSL_API_COMPAT
is set to 0x10100000L.  Switched to using OpenSSL_version() instead.

Additionally, we now compare version strings instead of version numbers,
and this correctly works for LibreSSL as well.







SSL: X509 was made opaque in OpenSSL 1.1.0.
2016-03-31T20:38:37+00:00

Sergey Kandaurov
pluknet@nginx.com

2016-03-31T20:38:37+00:00

d8fbce1deb24a174f327786684f862cc39b5ac0a

To increment reference counters we now use newly introduced X509_up_ref()
function.





To increment reference counters we now use newly introduced X509_up_ref()
function.







SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
2016-03-31T20:38:36+00:00

Sergey Kandaurov
pluknet@nginx.com

2016-03-31T20:38:36+00:00

66feb8c6f01a682e93f11e2c80c59bf425d70af9