nginx.git/src/event, branch release-1.11.6 nginx SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. 2016-10-21T13:28:39+00:00 Dmitry Volyntsev xeioex@nginx.com 2016-10-21T13:28:39+00:00 71c93a8e09b2dc911005e254f1b9c16a9ac49fad Originally, the variables kept a result of X509_NAME_oneline(), which is, according to the official documentation, a legacy function. It produces a non standard output form and has various quirks and inconsistencies. The RFC2253 compliant behavior is introduced for these variables. The original variables are available through $ssl_client_s_dn_legacy and $ssl_client_i_dn_legacy. 
Originally, the variables kept a result of X509_NAME_oneline(),
which is, according to the official documentation, a legacy
function.  It produces a non standard output form and has
various quirks and inconsistencies.

The RFC2253 compliant behavior is introduced for these variables.
The original variables are available through $ssl_client_s_dn_legacy
and $ssl_client_i_dn_legacy.
SSL: overcame possible buffer over-read in ngx_ssl_error(). 2016-10-18T17:46:06+00:00 Valentin Bartenev vbart@nginx.com 2016-10-18T17:46:06+00:00 841737915c97ae07f626c8199c24679151bebfcd It appeared that ERR_error_string_n() cannot handle zero buffer size well enough and causes over-read. The problem has also been fixed in OpenSSL: https://git.openssl.org/?p=openssl.git;h=e5c1361580d8de79682958b04a5f0d262e680f8b 
It appeared that ERR_error_string_n() cannot handle zero buffer size well enough
and causes over-read.

The problem has also been fixed in OpenSSL:
https://git.openssl.org/?p=openssl.git;h=e5c1361580d8de79682958b04a5f0d262e680f8b
Modules compatibility: compatibility with NGX_HTTP_SSL. 2016-10-10T15:44:17+00:00 Maxim Dounin mdounin@mdounin.ru 2016-10-10T15:44:17+00:00 8fd8c32ccf7987f51d774edfcf7f5a65c75c137a With this change it is now possible to load modules compiled without the "--with-http_ssl_module" configure option into nginx binary compiled with it, and vice versa (if a module doesn't use ssl-specific functions), assuming both use the "--with-compat" option. 
With this change it is now possible to load modules compiled without
the "--with-http_ssl_module" configure option into nginx binary compiled
with it, and vice versa (if a module doesn't use ssl-specific functions),
assuming both use the "--with-compat" option.
Modules compatibility: compatibility with NGX_HAVE_FILE_AIO. 2016-10-10T15:44:17+00:00 Maxim Dounin mdounin@mdounin.ru 2016-10-10T15:44:17+00:00 844c78556bc93343dd1c3c9236b5c16f4e2eac39 With this change it is now possible to load modules compiled without the "--with-file-aio" configure option into nginx binary compiled with it, and vice versa, assuming both use the "--with-compat" option. 
With this change it is now possible to load modules compiled without
the "--with-file-aio" configure option into nginx binary compiled with it,
and vice versa, assuming both use the "--with-compat" option.
Modules compatibility: compatibility with NGX_THREADS. 2016-10-10T15:44:17+00:00 Maxim Dounin mdounin@mdounin.ru 2016-10-10T15:44:17+00:00 9f6e8673f40f7532bf3059bda41e05b545520dd3 With this change it is now possible to load modules compiled without the "--with-threads" configure option into nginx binary compiled with it, and vice versa (if a module does not use thread-specific functions), assuming both use the "--with-compat" option. 
With this change it is now possible to load modules compiled without
the "--with-threads" configure option into nginx binary compiled with it,
and vice versa (if a module does not use thread-specific functions),
assuming both use the "--with-compat" option.
SSL: use X509_check_host() with LibreSSL. 2016-10-04T14:26:45+00:00 Maxim Dounin mdounin@mdounin.ru 2016-10-04T14:26:45+00:00 3c44339bfed78c9ad3549edf2b7408c15d3ae51c Explicit checks for OPENSSL_VERSION_NUMBER replaced with checks for X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT, thus allowing X509_check_host() to be used with other libraries. In particular, X509_check_host() was introduced in LibreSSL 2.5.0. 
Explicit checks for OPENSSL_VERSION_NUMBER replaced with checks
for X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT, thus allowing X509_check_host()
to be used with other libraries.  In particular, X509_check_host() was
introduced in LibreSSL 2.5.0.
Introduced the NGX_COMPAT macro. 2016-09-29T12:28:24+00:00 Ruslan Ermilov ru@nginx.com 2016-09-29T12:28:24+00:00 c40de746829971f2edbf9faeae64d4516cb5466e When enabled, some structures are padded to be size compatible with their NGINX Plus versions. 
When enabled, some structures are padded to be size compatible
with their NGINX Plus versions.
Modules compatibility: peer.notify. 2016-09-29T15:05:59+00:00 Maxim Dounin mdounin@mdounin.ru 2016-09-29T15:05:59+00:00 07c914c0cbca39816cd824f64638ebd85cfc1c49 This callback can be used to notify balancer about various events. For now, it is only used in nginx-plus. 
This callback can be used to notify balancer about various events.
For now, it is only used in nginx-plus.
Fixed log levels of configuration parsing errors. 2016-09-20T12:07:16+00:00 Valentin Bartenev vbart@nginx.com 2016-09-20T12:07:16+00:00 89f82c1155d0e2291f30819c38d438e112ba569a All the errors that prevent loading configuration must be printed on the "emerg" log level. Previously, nginx might silently fail to load configuration in some cases as the default log level is "error". 
All the errors that prevent loading configuration must be printed on the "emerg"
log level.  Previously, nginx might silently fail to load configuration in some
cases as the default log level is "error".
Removed influence of some options on structures. 2016-09-20T09:30:52+00:00 Ruslan Ermilov ru@nginx.com 2016-09-20T09:30:52+00:00 1fd83ac0c83b2ffffbe5fdbaec61be4f1b39171b