nginx.git/src/event, branch release-1.15.3 nginx SSL: fixed build with LibreSSL 2.8.0 (ticket #1605). 2018-08-10T17:49:06+00:00 Maxim Dounin mdounin@mdounin.ru 2018-08-10T17:49:06+00:00 1b1b632eed84197863b7cc6a00579968362a700b LibreSSL 2.8.0 "added const annotations to many existing APIs from OpenSSL, making interoperability easier for downstream applications". This includes the const change in the SSL_CTX_sess_set_get_cb() callback function (see 9dd43f4ef67e), which breaks compilation. To fix this, added a condition on how we redefine OPENSSL_VERSION_NUMBER when working with LibreSSL (see 382fc7069e3a). With LibreSSL 2.8.0, we now set OPENSSL_VERSION_NUMBER to 0x1010000fL (OpenSSL 1.1.0), so the appropriate conditions in the code will use "const" as it happens with OpenSSL 1.1.0 and later versions. 
LibreSSL 2.8.0 "added const annotations to many existing APIs from OpenSSL,
making interoperability easier for downstream applications".  This includes
the const change in the SSL_CTX_sess_set_get_cb() callback function (see
9dd43f4ef67e), which breaks compilation.

To fix this, added a condition on how we redefine OPENSSL_VERSION_NUMBER
when working with LibreSSL (see 382fc7069e3a).  With LibreSSL 2.8.0,
we now set OPENSSL_VERSION_NUMBER to 0x1010000fL (OpenSSL 1.1.0), so the
appropriate conditions in the code will use "const" as it happens with
OpenSSL 1.1.0 and later versions.
SSL: support for TLSv1.3 early data with BoringSSL. 2018-08-06T23:16:07+00:00 Maxim Dounin mdounin@mdounin.ru 2018-08-06T23:16:07+00:00 3b1589173f28fccb5816669f3ff4c9ac1e9b573c Early data AKA 0-RTT mode is enabled as long as "ssl_early_data on" is specified in the configuration (default is off). The $ssl_early_data variable evaluates to "1" if the SSL handshake isn't yet completed, and can be used to set the Early-Data header as per draft-ietf-httpbis-replay-04. 
Early data AKA 0-RTT mode is enabled as long as "ssl_early_data on" is
specified in the configuration (default is off).

The $ssl_early_data variable evaluates to "1" if the SSL handshake
isn't yet completed, and can be used to set the Early-Data header as
per draft-ietf-httpbis-replay-04.
SSL: enabled TLSv1.3 with BoringSSL. 2018-08-06T23:15:28+00:00 Maxim Dounin mdounin@mdounin.ru 2018-08-06T23:15:28+00:00 9f30fda1c2e24058e91a8c637c0717b32be399da BoringSSL currently requires SSL_CTX_set_max_proto_version(TLS1_3_VERSION) to be able to enable TLS 1.3. This is because by default max protocol version is set to TLS 1.2, and the SSL_OP_NO_* options are merely used as a blacklist within the version range specified using the SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version() functions. With this change, we now call SSL_CTX_set_max_proto_version() with an explicit maximum version set. This enables TLS 1.3 with BoringSSL. As a side effect, this change also limits maximum protocol version to the newest protocol we know about, TLS 1.3. This seems to be a good change, as enabling unknown protocols might have unexpected results. Additionally, we now explicitly call SSL_CTX_set_min_proto_version() with 0. This is expected to help with Debian system-wide default of MinProtocol set to TLSv1.2, see http://mailman.nginx.org/pipermail/nginx-ru/2017-October/060411.html. Note that there is no SSL_CTX_set_min_proto_version macro in BoringSSL, so we call SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version() as long as the TLS1_3_VERSION macro is defined. 
BoringSSL currently requires SSL_CTX_set_max_proto_version(TLS1_3_VERSION)
to be able to enable TLS 1.3.  This is because by default max protocol
version is set to TLS 1.2, and the SSL_OP_NO_* options are merely used
as a blacklist within the version range specified using the
SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version()
functions.

With this change, we now call SSL_CTX_set_max_proto_version() with an
explicit maximum version set.  This enables TLS 1.3 with BoringSSL.
As a side effect, this change also limits maximum protocol version to
the newest protocol we know about, TLS 1.3.  This seems to be a good
change, as enabling unknown protocols might have unexpected results.

Additionally, we now explicitly call SSL_CTX_set_min_proto_version()
with 0.  This is expected to help with Debian system-wide default
of MinProtocol set to TLSv1.2, see
http://mailman.nginx.org/pipermail/nginx-ru/2017-October/060411.html.

Note that there is no SSL_CTX_set_min_proto_version macro in BoringSSL,
so we call SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version()
as long as the TLS1_3_VERSION macro is defined.
SSL: save sessions for upstream peers using a callback function. 2018-07-17T09:53:23+00:00 Sergey Kandaurov pluknet@nginx.com 2018-07-17T09:53:23+00:00 d5a27006e03174aa518f6c849d377a130a7c705c In TLSv1.3, NewSessionTicket messages arrive after the handshake and can come at any time. Therefore we use a callback to save the session when we know about it. This approach works for < TLSv1.3 as well. The callback function is set once per location on merge phase. Since SSL_get_session() in BoringSSL returns an unresumable session for TLSv1.3, peer save_session() methods have been updated as well to use a session supplied within the callback. To preserve API, the session is cached in c->ssl->session. It is preferably accessed in save_session() methods by ngx_ssl_get_session() and ngx_ssl_get0_session() wrappers. 
In TLSv1.3, NewSessionTicket messages arrive after the handshake and
can come at any time.  Therefore we use a callback to save the session
when we know about it.  This approach works for < TLSv1.3 as well.
The callback function is set once per location on merge phase.

Since SSL_get_session() in BoringSSL returns an unresumable session for
TLSv1.3, peer save_session() methods have been updated as well to use a
session supplied within the callback.  To preserve API, the session is
cached in c->ssl->session.  It is preferably accessed in save_session()
methods by ngx_ssl_get_session() and ngx_ssl_get0_session() wrappers.
SSL: use of the SSL_OP_NO_RENEGOTIATION option (ticket #1376). 2018-07-16T14:47:48+00:00 Maxim Dounin mdounin@mdounin.ru 2018-07-16T14:47:48+00:00 e1bebd05cb75fa6e8be5f4f942028501c9b22821 The SSL_OP_NO_RENEGOTIATION option is available in OpenSSL 1.1.0h+ and can save some CPU cycles on renegotiation attempts. 
The SSL_OP_NO_RENEGOTIATION option is available in OpenSSL 1.1.0h+ and can
save some CPU cycles on renegotiation attempts.
SSL: fixed SSL_clear_options() usage with OpenSSL 1.1.0+. 2018-07-16T14:47:20+00:00 Maxim Dounin mdounin@mdounin.ru 2018-07-16T14:47:20+00:00 14561299025b1a85dc7e7d9b5d793a0fa95fd393 In OpenSSL 1.1.0 the SSL_CTRL_CLEAR_OPTIONS macro was removed, so conditional compilation test on it results in SSL_clear_options() and SSL_CTX_clear_options() not being used. Notably, this caused "ssl_prefer_server_ciphers off" to not work in SNI-based virtual servers if server preference was switched on in the default server. It looks like the only possible fix is to test OPENSSL_VERSION_NUMBER explicitly. 
In OpenSSL 1.1.0 the SSL_CTRL_CLEAR_OPTIONS macro was removed, so
conditional compilation test on it results in SSL_clear_options()
and SSL_CTX_clear_options() not being used.  Notably, this caused
"ssl_prefer_server_ciphers off" to not work in SNI-based virtual
servers if server preference was switched on in the default server.

It looks like the only possible fix is to test OPENSSL_VERSION_NUMBER
explicitly.
SSL: logging levels of "unsupported protocol", "version too low". 2018-07-16T14:47:18+00:00 Maxim Dounin mdounin@mdounin.ru 2018-07-16T14:47:18+00:00 b1734fd800ec612f539f9c1699665d0685c2f9e8 Starting with OpenSSL 1.1.0, SSL_R_UNSUPPORTED_PROTOCOL instead of SSL_R_UNKNOWN_PROTOCOL is reported when a protocol is disabled via an SSL_OP_NO_* option. Additionally, SSL_R_VERSION_TOO_LOW is reported when using MinProtocol or when seclevel checks (as set by @SECLEVEL=n in the cipher string) rejects a protocol, and this is what happens with SSLv3 and @SECLEVEL=1, which is the default. There is also the SSL_R_VERSION_TOO_HIGH error code, but it looks like it is not possible to trigger it. 
Starting with OpenSSL 1.1.0, SSL_R_UNSUPPORTED_PROTOCOL instead of
SSL_R_UNKNOWN_PROTOCOL is reported when a protocol is disabled via
an SSL_OP_NO_* option.

Additionally, SSL_R_VERSION_TOO_LOW is reported when using MinProtocol
or when seclevel checks (as set by @SECLEVEL=n in the cipher string)
rejects a protocol, and this is what happens with SSLv3 and @SECLEVEL=1,
which is the default.

There is also the SSL_R_VERSION_TOO_HIGH error code, but it looks like
it is not possible to trigger it.
Events: added configuration check on the number of connections. 2018-07-12T16:50:07+00:00 Maxim Dounin mdounin@mdounin.ru 2018-07-12T16:50:07+00:00 85b44b46fb851fc933e3c053ab2c45e5b92f85c9 There should be at least one worker connection for each listening socket, plus an additional connection for channel between worker and master, or starting worker processes will fail. 
There should be at least one worker connection for each listening socket,
plus an additional connection for channel between worker and master,
or starting worker processes will fail.
Events: moved sockets cloning to ngx_event_init_conf(). 2018-07-12T16:50:02+00:00 Maxim Dounin mdounin@mdounin.ru 2018-07-12T16:50:02+00:00 751bdd3bb2b6ff54be09c37ff328f258fed520fb Previously, listenings sockets were not cloned if the worker_processes directive was specified after "listen ... reuseport". This also simplifies upcoming configuration check on the number of worker connections, as it needs to know the number of listening sockets before cloning. 
Previously, listenings sockets were not cloned if the worker_processes
directive was specified after "listen ... reuseport".

This also simplifies upcoming configuration check on the number
of worker connections, as it needs to know the number of listening
sockets before cloning.
SSL: logging level of "https proxy request" errors. 2018-07-05T17:45:29+00:00 Maxim Dounin mdounin@mdounin.ru 2018-07-05T17:45:29+00:00 f206a112c6f9b1701a2dbb8c45340b9dfc964f0b The "http request" and "https proxy request" errors cannot happen with HTTP due to pre-handshake checks in ngx_http_ssl_handshake(), but can happen when SSL is used in stream and mail modules. 
The "http request" and "https proxy request" errors cannot happen
with HTTP due to pre-handshake checks in ngx_http_ssl_handshake(),
but can happen when SSL is used in stream and mail modules.