nginx.git/src/event, branch release-1.15.2 nginx SSL: save sessions for upstream peers using a callback function. 2018-07-17T09:53:23+00:00 Sergey Kandaurov pluknet@nginx.com 2018-07-17T09:53:23+00:00 d5a27006e03174aa518f6c849d377a130a7c705c In TLSv1.3, NewSessionTicket messages arrive after the handshake and can come at any time. Therefore we use a callback to save the session when we know about it. This approach works for < TLSv1.3 as well. The callback function is set once per location on merge phase. Since SSL_get_session() in BoringSSL returns an unresumable session for TLSv1.3, peer save_session() methods have been updated as well to use a session supplied within the callback. To preserve API, the session is cached in c->ssl->session. It is preferably accessed in save_session() methods by ngx_ssl_get_session() and ngx_ssl_get0_session() wrappers. 
In TLSv1.3, NewSessionTicket messages arrive after the handshake and
can come at any time.  Therefore we use a callback to save the session
when we know about it.  This approach works for < TLSv1.3 as well.
The callback function is set once per location on merge phase.

Since SSL_get_session() in BoringSSL returns an unresumable session for
TLSv1.3, peer save_session() methods have been updated as well to use a
session supplied within the callback.  To preserve API, the session is
cached in c->ssl->session.  It is preferably accessed in save_session()
methods by ngx_ssl_get_session() and ngx_ssl_get0_session() wrappers.
SSL: use of the SSL_OP_NO_RENEGOTIATION option (ticket #1376). 2018-07-16T14:47:48+00:00 Maxim Dounin mdounin@mdounin.ru 2018-07-16T14:47:48+00:00 e1bebd05cb75fa6e8be5f4f942028501c9b22821 The SSL_OP_NO_RENEGOTIATION option is available in OpenSSL 1.1.0h+ and can save some CPU cycles on renegotiation attempts. 
The SSL_OP_NO_RENEGOTIATION option is available in OpenSSL 1.1.0h+ and can
save some CPU cycles on renegotiation attempts.
SSL: fixed SSL_clear_options() usage with OpenSSL 1.1.0+. 2018-07-16T14:47:20+00:00 Maxim Dounin mdounin@mdounin.ru 2018-07-16T14:47:20+00:00 14561299025b1a85dc7e7d9b5d793a0fa95fd393 In OpenSSL 1.1.0 the SSL_CTRL_CLEAR_OPTIONS macro was removed, so conditional compilation test on it results in SSL_clear_options() and SSL_CTX_clear_options() not being used. Notably, this caused "ssl_prefer_server_ciphers off" to not work in SNI-based virtual servers if server preference was switched on in the default server. It looks like the only possible fix is to test OPENSSL_VERSION_NUMBER explicitly. 
In OpenSSL 1.1.0 the SSL_CTRL_CLEAR_OPTIONS macro was removed, so
conditional compilation test on it results in SSL_clear_options()
and SSL_CTX_clear_options() not being used.  Notably, this caused
"ssl_prefer_server_ciphers off" to not work in SNI-based virtual
servers if server preference was switched on in the default server.

It looks like the only possible fix is to test OPENSSL_VERSION_NUMBER
explicitly.
SSL: logging levels of "unsupported protocol", "version too low". 2018-07-16T14:47:18+00:00 Maxim Dounin mdounin@mdounin.ru 2018-07-16T14:47:18+00:00 b1734fd800ec612f539f9c1699665d0685c2f9e8 Starting with OpenSSL 1.1.0, SSL_R_UNSUPPORTED_PROTOCOL instead of SSL_R_UNKNOWN_PROTOCOL is reported when a protocol is disabled via an SSL_OP_NO_* option. Additionally, SSL_R_VERSION_TOO_LOW is reported when using MinProtocol or when seclevel checks (as set by @SECLEVEL=n in the cipher string) rejects a protocol, and this is what happens with SSLv3 and @SECLEVEL=1, which is the default. There is also the SSL_R_VERSION_TOO_HIGH error code, but it looks like it is not possible to trigger it. 
Starting with OpenSSL 1.1.0, SSL_R_UNSUPPORTED_PROTOCOL instead of
SSL_R_UNKNOWN_PROTOCOL is reported when a protocol is disabled via
an SSL_OP_NO_* option.

Additionally, SSL_R_VERSION_TOO_LOW is reported when using MinProtocol
or when seclevel checks (as set by @SECLEVEL=n in the cipher string)
rejects a protocol, and this is what happens with SSLv3 and @SECLEVEL=1,
which is the default.

There is also the SSL_R_VERSION_TOO_HIGH error code, but it looks like
it is not possible to trigger it.
Events: added configuration check on the number of connections. 2018-07-12T16:50:07+00:00 Maxim Dounin mdounin@mdounin.ru 2018-07-12T16:50:07+00:00 85b44b46fb851fc933e3c053ab2c45e5b92f85c9 There should be at least one worker connection for each listening socket, plus an additional connection for channel between worker and master, or starting worker processes will fail. 
There should be at least one worker connection for each listening socket,
plus an additional connection for channel between worker and master,
or starting worker processes will fail.
Events: moved sockets cloning to ngx_event_init_conf(). 2018-07-12T16:50:02+00:00 Maxim Dounin mdounin@mdounin.ru 2018-07-12T16:50:02+00:00 751bdd3bb2b6ff54be09c37ff328f258fed520fb Previously, listenings sockets were not cloned if the worker_processes directive was specified after "listen ... reuseport". This also simplifies upcoming configuration check on the number of worker connections, as it needs to know the number of listening sockets before cloning. 
Previously, listenings sockets were not cloned if the worker_processes
directive was specified after "listen ... reuseport".

This also simplifies upcoming configuration check on the number
of worker connections, as it needs to know the number of listening
sockets before cloning.
SSL: logging level of "https proxy request" errors. 2018-07-05T17:45:29+00:00 Maxim Dounin mdounin@mdounin.ru 2018-07-05T17:45:29+00:00 f206a112c6f9b1701a2dbb8c45340b9dfc964f0b The "http request" and "https proxy request" errors cannot happen with HTTP due to pre-handshake checks in ngx_http_ssl_handshake(), but can happen when SSL is used in stream and mail modules. 
The "http request" and "https proxy request" errors cannot happen
with HTTP due to pre-handshake checks in ngx_http_ssl_handshake(),
but can happen when SSL is used in stream and mail modules.
SSL: removed extra prototype. 2018-06-06T10:31:05+00:00 Sergey Kandaurov pluknet@nginx.com 2018-06-06T10:31:05+00:00 1ef7b1ef61cbf1e7b014bbaf1c5eb80fef448f79 






Added missing space after ngx_close_socket_n.
2018-06-05T14:41:34+00:00

Maxim Dounin
mdounin@mdounin.ru

2018-06-05T14:41:34+00:00

8dc0f75d0b6568a107ec3800679ca5ad3d40a9b2












Stream: udp streams.
2018-06-04T16:50:00+00:00

Roman Arutyunyan
arut@nginx.com

2018-06-04T16:50:00+00:00

96b6f215b846e59af249892f1c109f3efe92fbc1

Previously, only one client packet could be processed in a udp stream session
even though multiple response packets were supported.  Now multiple packets
coming from the same client address and port are delivered to the same stream
session.

If it's required to maintain a single stream of data, nginx should be
configured in a way that all packets from a client are delivered to the same
worker.  On Linux and DragonFly BSD the "reuseport" parameter should be
specified for this.  Other systems do not currently provide appropriate
mechanisms.  For these systems a single stream of udp packets is only
guaranteed in single-worker configurations.

The proxy_response directive now specifies how many packets are expected in
response to a single client packet.





Previously, only one client packet could be processed in a udp stream session
even though multiple response packets were supported.  Now multiple packets
coming from the same client address and port are delivered to the same stream
session.

If it's required to maintain a single stream of data, nginx should be
configured in a way that all packets from a client are delivered to the same
worker.  On Linux and DragonFly BSD the "reuseport" parameter should be
specified for this.  Other systems do not currently provide appropriate
mechanisms.  For these systems a single stream of udp packets is only
guaranteed in single-worker configurations.

The proxy_response directive now specifies how many packets are expected in
response to a single client packet.