nginx.git/src/event, branch release-1.11.7 nginx SSL: $ssl_curves (ticket #1088). 2016-12-05T19:23:23+00:00 Maxim Dounin mdounin@mdounin.ru 2016-12-05T19:23:23+00:00 551091951a479e2f512062c51bdcc6157a211164 The variable contains a list of curves as supported by the client. Known curves are listed by their names, unknown ones are shown in hex, e.g., "0x001d:prime256v1:secp521r1:secp384r1". Note that OpenSSL uses session data for SSL_get1_curves(), and it doesn't store full list of curves supported by the client when serializing a session. As a result $ssl_curves is only available for new sessions (and will be empty for reused ones). The variable is only meaningful when using OpenSSL 1.0.2 and above. With older versions the variable is empty. 
The variable contains a list of curves as supported by the client.
Known curves are listed by their names, unknown ones are shown
in hex, e.g., "0x001d:prime256v1:secp521r1:secp384r1".

Note that OpenSSL uses session data for SSL_get1_curves(), and
it doesn't store full list of curves supported by the client when
serializing a session.  As a result $ssl_curves is only available
for new sessions (and will be empty for reused ones).

The variable is only meaningful when using OpenSSL 1.0.2 and above.
With older versions the variable is empty.
SSL: $ssl_ciphers (ticket #870). 2016-12-05T19:23:23+00:00 Maxim Dounin mdounin@mdounin.ru 2016-12-05T19:23:23+00:00 2daf78867bb60bee5e5ca517f20339211391635b The variable contains list of ciphers as supported by the client. Known ciphers are listed by their names, unknown ones are shown in hex, e.g., ""AES128-SHA:AES256-SHA:0x00ff". The variable is fully supported only when using OpenSSL 1.0.2 and above. With older version there is an attempt to provide some information using SSL_get_shared_ciphers(). It only lists known ciphers though. Moreover, as OpenSSL uses session data for SSL_get_shared_ciphers(), and it doesn't store relevant data when serializing a session. As a result $ssl_ciphers is only available for new sessions (and not available for reused ones) when using OpenSSL older than 1.0.2. 
The variable contains list of ciphers as supported by the client.
Known ciphers are listed by their names, unknown ones are shown
in hex, e.g., ""AES128-SHA:AES256-SHA:0x00ff".

The variable is fully supported only when using OpenSSL 1.0.2 and above.
With older version there is an attempt to provide some information
using SSL_get_shared_ciphers().  It only lists known ciphers though.
Moreover, as OpenSSL uses session data for SSL_get_shared_ciphers(),
and it doesn't store relevant data when serializing a session.  As
a result $ssl_ciphers is only available for new sessions (and not
available for reused ones) when using OpenSSL older than 1.0.2.
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. 2016-12-05T19:23:23+00:00 Maxim Dounin mdounin@mdounin.ru 2016-12-05T19:23:23+00:00 53092ad782c4647c212ff3b23870f7927da9e293 






SSL: $ssl_client_verify extended with a failure reason.
2016-12-05T19:23:22+00:00

Maxim Dounin
mdounin@mdounin.ru

2016-12-05T19:23:22+00:00

919f53632940cfa9b9f24fdffeaf1f3d5b4fc700

Now in case of a verification failure $ssl_client_verify contains
"FAILED:<reason>", similar to Apache's SSL_CLIENT_VERIFY, e.g.,
"FAILED:certificate has expired".

Detailed description of possible errors can be found in the verify(1)
manual page as provided by OpenSSL.





Now in case of a verification failure $ssl_client_verify contains
"FAILED:<reason>", similar to Apache's SSL_CLIENT_VERIFY, e.g.,
"FAILED:certificate has expired".

Detailed description of possible errors can be found in the verify(1)
manual page as provided by OpenSSL.







OCSP stapling: improved error logging context.
2016-12-05T19:23:22+00:00

Maxim Dounin
mdounin@mdounin.ru

2016-12-05T19:23:22+00:00

27bcceb24bb562e080d1f894e8310ac74187173e

It now logs the IP address of the responder used (if it's already known),
as well as the certificate name.





It now logs the IP address of the responder used (if it's already known),
as well as the certificate name.







OCSP stapling: added certificate name to warnings.
2016-12-05T19:23:22+00:00

Maxim Dounin
mdounin@mdounin.ru

2016-12-05T19:23:22+00:00

af07f8d093508c86ae6b2268ab4d4fea8f1dfd2d












OCSP stapling: added http response status logging.
2016-12-05T19:23:22+00:00

Maxim Dounin
mdounin@mdounin.ru

2016-12-05T19:23:22+00:00

0a1290b739f5b14cafa7a51e5ac92fd145059f45












OCSP stapling: style.
2016-12-05T19:23:22+00:00

Maxim Dounin
mdounin@mdounin.ru

2016-12-05T19:23:22+00:00

d80352c759f7281bc62f3fdcfa01d683c5dc12b9












Events: improved error event handling for UDP sockets.
2016-11-21T13:03:42+00:00

Dmitry Volyntsev
xeioex@nginx.com

2016-11-21T13:03:42+00:00

433fdbf8b6f2e60acd510cbd6ac1e4f67b17d52d

Normally, the epoll module calls the read and write handlers depending
on whether EPOLLIN and EPOLLOUT are reported by epoll_wait().  No error
processing is done in the module, the handlers are expected to get an
error when doing I/O.

If an error event is reported without EPOLLIN and EPOLLOUT, the module
set both EPOLLIN and EPOLLOUT to ensure the error event is handled at
least in one active handler.

This works well unless the error is delivered along with only one of
EPOLLIN or EPOLLOUT, and the corresponding handler does not do any I/O.
For example, it happened when getting EPOLLERR|EPOLLOUT from
epoll_wait() upon receiving "ICMP port unreachable" while proxying UDP.
As the write handler had nothing to send it was not able to detect and
log an error, and did not switch to the next upstream.

The fix is to unconditionally set EPOLLIN and EPOLLOUT in case of an
error event.  In the aforementioned case, this causes the read handler
to be called which does recv() and detects an error.

In addition to the epoll module, analogous changes were made in
devpoll/eventport/poll.





Normally, the epoll module calls the read and write handlers depending
on whether EPOLLIN and EPOLLOUT are reported by epoll_wait().  No error
processing is done in the module, the handlers are expected to get an
error when doing I/O.

If an error event is reported without EPOLLIN and EPOLLOUT, the module
set both EPOLLIN and EPOLLOUT to ensure the error event is handled at
least in one active handler.

This works well unless the error is delivered along with only one of
EPOLLIN or EPOLLOUT, and the corresponding handler does not do any I/O.
For example, it happened when getting EPOLLERR|EPOLLOUT from
epoll_wait() upon receiving "ICMP port unreachable" while proxying UDP.
As the write handler had nothing to send it was not able to detect and
log an error, and did not switch to the next upstream.

The fix is to unconditionally set EPOLLIN and EPOLLOUT in case of an
error event.  In the aforementioned case, this causes the read handler
to be called which does recv() and detects an error.

In addition to the epoll module, analogous changes were made in
devpoll/eventport/poll.







SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
2016-10-21T13:28:39+00:00

Dmitry Volyntsev
xeioex@nginx.com

2016-10-21T13:28:39+00:00

71c93a8e09b2dc911005e254f1b9c16a9ac49fad

Originally, the variables kept a result of X509_NAME_oneline(),
which is, according to the official documentation, a legacy
function.  It produces a non standard output form and has
various quirks and inconsistencies.

The RFC2253 compliant behavior is introduced for these variables.
The original variables are available through $ssl_client_s_dn_legacy
and $ssl_client_i_dn_legacy.





Originally, the variables kept a result of X509_NAME_oneline(),
which is, according to the official documentation, a legacy
function.  It produces a non standard output form and has
various quirks and inconsistencies.

The RFC2253 compliant behavior is introduced for these variables.
The original variables are available through $ssl_client_s_dn_legacy
and $ssl_client_i_dn_legacy.