nginx.git/src/event, branch release-1.13.0 nginx SSL: compatibility with OpenSSL master branch. 2017-04-18T13:08:46+00:00 Sergey Kandaurov pluknet@nginx.com 2017-04-18T13:08:46+00:00 e8c579a18716395911201d3d5114c03ee018afc9 The SSL_CTRL_SET_CURVES_LIST macro is removed in the OpenSSL master branch. SSL_CTX_set1_curves_list is preserved as compatibility with previous versions. 
The SSL_CTRL_SET_CURVES_LIST macro is removed in the OpenSSL master branch.
SSL_CTX_set1_curves_list is preserved as compatibility with previous versions.
SSL: disabled renegotiation detection in client mode. 2017-04-18T13:08:44+00:00 Sergey Kandaurov pluknet@nginx.com 2017-04-18T13:08:44+00:00 36be79301e513a97ec170950b6c9216100b2c264 CVE-2009-3555 is no longer relevant and mitigated by the renegotiation info extension (secure renegotiation). On the other hand, unexpected renegotiation still introduces potential security risks, and hence we do not allow renegotiation on the server side, as we never request renegotiation. On the client side the situation is different though. There are backends which explicitly request renegotiation, and disabled renegotiation introduces interoperability problems. This change allows renegotiation on the client side, and fixes interoperability problems as observed with such backends (ticket #872). Additionally, with TLSv1.3 the SSL_CB_HANDSHAKE_START flag is currently set by OpenSSL when receiving a NewSessionTicket message, and was detected by nginx as a renegotiation attempt. This looks like a bug in OpenSSL, though this change also allows better interoperability till the problem is fixed. 
CVE-2009-3555 is no longer relevant and mitigated by the renegotiation
info extension (secure renegotiation).  On the other hand, unexpected
renegotiation still introduces potential security risks, and hence we do
not allow renegotiation on the server side, as we never request renegotiation.

On the client side the situation is different though.  There are backends
which explicitly request renegotiation, and disabled renegotiation
introduces interoperability problems.  This change allows renegotiation
on the client side, and fixes interoperability problems as observed with
such backends (ticket #872).

Additionally, with TLSv1.3 the SSL_CB_HANDSHAKE_START flag is currently set
by OpenSSL when receiving a NewSessionTicket message, and was detected by
nginx as a renegotiation attempt.  This looks like a bug in OpenSSL, though
this change also allows better interoperability till the problem is fixed.
SSL: added support for TLSv1.3 in ssl_protocols directive. 2017-04-18T12:12:38+00:00 Sergey Kandaurov pluknet@nginx.com 2017-04-18T12:12:38+00:00 9a37eb3a62130473596e0e4c2e388d80bdb14956 Support for the TLSv1.3 protocol will be introduced in OpenSSL 1.1.1. 
Support for the TLSv1.3 protocol will be introduced in OpenSSL 1.1.1.
Core: set nginx_shared_zone name via ngx_str_set(). 2017-03-28T08:28:51+00:00 Ruslan Ermilov ru@nginx.com 2017-03-28T08:28:51+00:00 eb017e75cf1b1d82179935b0e23d0c3451b33a87 






Fixed a comment.
2017-03-17T09:09:31+00:00

Ruslan Ermilov
ru@nginx.com

2017-03-17T09:09:31+00:00

05f5a7325d939ade37daf1e2d4b34f4e83d49aff












Cancelable timers are now preserved if there are other timers.
2017-03-07T15:51:15+00:00

Maxim Dounin
mdounin@mdounin.ru

2017-03-07T15:51:15+00:00

1a58418ae76a96c830a0536432e96a9ad051bc58

There is no need to cancel timers early if there are other timers blocking
shutdown anyway.  Preserving such timers allows nginx to continue some
periodic work till the shutdown is actually possible.

With the new approach, timers with ev->cancelable are simply ignored when
checking if there are any timers left during shutdown.





There is no need to cancel timers early if there are other timers blocking
shutdown anyway.  Preserving such timers allows nginx to continue some
periodic work till the shutdown is actually possible.

With the new approach, timers with ev->cancelable are simply ignored when
checking if there are any timers left during shutdown.







Added missing "static" specifiers found by gcc -Wtraditional.
2017-03-06T08:09:47+00:00

Ruslan Ermilov
ru@nginx.com

2017-03-06T08:09:47+00:00

0f89206a1078a216961d974ed5bcf6464b65cbdf












Added missing static specifiers.
2017-03-02T13:46:00+00:00

Eran Kornblau
erankor@gmail.com

2017-03-02T13:46:00+00:00

0759f088a532ec48170ca03d694cc103757a0f4c












SSL: clear error queue after OPENSSL_init_ssl().
2017-02-06T15:38:06+00:00

Sergey Kandaurov
pluknet@nginx.com

2017-02-06T15:38:06+00:00

9af7dc2b44acb388f27e492ddc82116d082d02ab

The function may leave error in the error queue while returning success,
e.g., when taking a DSO reference to itself as of OpenSSL 1.1.0d:
https://git.openssl.org/?p=openssl.git;a=commit;h=4af9f7f

Notably, this fixes alert seen with statically linked OpenSSL on some platforms.

While here, check OPENSSL_init_ssl() return value.





The function may leave error in the error queue while returning success,
e.g., when taking a DSO reference to itself as of OpenSSL 1.1.0d:
https://git.openssl.org/?p=openssl.git;a=commit;h=4af9f7f

Notably, this fixes alert seen with statically linked OpenSSL on some platforms.

While here, check OPENSSL_init_ssl() return value.







Upstream: fixed cache corruption and socket leaks with aio_write.
2017-01-20T18:14:19+00:00

Maxim Dounin
mdounin@mdounin.ru

2017-01-20T18:14:19+00:00

e66073c4d3a3d25b001dee617ee22d2a969ceab2

The ngx_event_pipe() function wasn't called on write events with
wev->delayed set.  As a result, threaded writing results weren't
properly collected in ngx_event_pipe_write_to_downstream() when a
write event was triggered for a completed write.

Further, this wasn't detected, as p->aio was reset by a thread completion
handler, and results were later collected in ngx_event_pipe_read_upstream()
instead of scheduling a new write of additional data.  If this happened
on the last reading from an upstream, last part of the response was never
written to the cache file.

Similar problems might also happen in case of timeouts when writing to
client, as this also results in ngx_event_pipe() not being called on write
events.  In this scenario socket leaks were observed.

Fix is to check if p->writing is set in ngx_event_pipe_read_upstream(), and
therefore collect results of previous write operations in case of read events
as well, similar to how we do so in ngx_event_pipe_write_downstream().
This is enough to fix the wev->delayed case.  Additionally, we now call
ngx_event_pipe() from ngx_http_upstream_process_request() if there are
uncollected write operations (p->writing and !p->aio).  This also fixes
the wev->timedout case.





The ngx_event_pipe() function wasn't called on write events with
wev->delayed set.  As a result, threaded writing results weren't
properly collected in ngx_event_pipe_write_to_downstream() when a
write event was triggered for a completed write.

Further, this wasn't detected, as p->aio was reset by a thread completion
handler, and results were later collected in ngx_event_pipe_read_upstream()
instead of scheduling a new write of additional data.  If this happened
on the last reading from an upstream, last part of the response was never
written to the cache file.

Similar problems might also happen in case of timeouts when writing to
client, as this also results in ngx_event_pipe() not being called on write
events.  In this scenario socket leaks were observed.

Fix is to check if p->writing is set in ngx_event_pipe_read_upstream(), and
therefore collect results of previous write operations in case of read events
as well, similar to how we do so in ngx_event_pipe_write_downstream().
This is enough to fix the wev->delayed case.  Additionally, we now call
ngx_event_pipe() from ngx_http_upstream_process_request() if there are
uncollected write operations (p->writing and !p->aio).  This also fixes
the wev->timedout case.