nginx.git/src/event, branch release-1.15.9 nginx SSL: adjusted session id context with dynamic certificates. 2019-02-25T13:42:54+00:00 Maxim Dounin mdounin@mdounin.ru 2019-02-25T13:42:54+00:00 ecfab06cb20959219c9aadc2ef59507488e4fa99 Dynamic certificates re-introduce problem with incorrect session reuse (AKA "virtual host confusion", CVE-2014-3616), since there are no server certificates to generate session id context from. To prevent this, session id context is now generated from ssl_certificate directives as specified in the configuration. This approach prevents incorrect session reuse in most cases, while still allowing sharing sessions across multiple machines with ssl_session_ticket_key set as long as configurations are identical. 
Dynamic certificates re-introduce problem with incorrect session
reuse (AKA "virtual host confusion", CVE-2014-3616), since there are
no server certificates to generate session id context from.

To prevent this, session id context is now generated from ssl_certificate
directives as specified in the configuration.  This approach prevents
incorrect session reuse in most cases, while still allowing sharing
sessions across multiple machines with ssl_session_ticket_key set as
long as configurations are identical.
SSL: passwords support for dynamic certificate loading. 2019-02-25T13:42:23+00:00 Maxim Dounin mdounin@mdounin.ru 2019-02-25T13:42:23+00:00 8772a0e0892e632c37f3b92b1d287ed9b473cb13 Passwords have to be copied to the configuration pool to be used at runtime. Also, to prevent blocking on stdin (with "daemon off;") an empty password list is provided. To make things simpler, password handling was modified to allow an empty array (with 0 elements and elts set to NULL) as an equivalent of an array with 1 empty password. 
Passwords have to be copied to the configuration pool to be used
at runtime.  Also, to prevent blocking on stdin (with "daemon off;")
an empty password list is provided.

To make things simpler, password handling was modified to allow
an empty array (with 0 elements and elts set to NULL) as an equivalent
of an array with 1 empty password.
SSL: loading of connection-specific certificates. 2019-02-25T13:41:44+00:00 Maxim Dounin mdounin@mdounin.ru 2019-02-25T13:41:44+00:00 9ff7ba3d00b5c4bf951551e173baddb59f2bbcff 






SSL: reworked ngx_ssl_certificate().
2019-02-25T13:41:28+00:00

Maxim Dounin
mdounin@mdounin.ru

2019-02-25T13:41:28+00:00

20c8700ae7bc297c00886ae89d7e6c74e533282b

This makes it possible to reuse certificate loading at runtime,
as introduced in the following patches.

Additionally, this improves error logging, so nginx will now log
human-friendly messages "cannot load certificate" instead of only
referring to sometimes cryptic names of OpenSSL functions.





This makes it possible to reuse certificate loading at runtime,
as introduced in the following patches.

Additionally, this improves error logging, so nginx will now log
human-friendly messages "cannot load certificate" instead of only
referring to sometimes cryptic names of OpenSSL functions.







SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
2019-02-25T13:41:15+00:00

Maxim Dounin
mdounin@mdounin.ru

2019-02-25T13:41:15+00:00

2d7faa2311608fc2ce1bc47c15748c2b2ea22463

The "(SSL:)" snippet currently appears in logs when nginx code uses
ngx_ssl_error() to log an error, but OpenSSL's error queue is empty.
This can happen either because the error wasn't in fact from OpenSSL,
or because OpenSSL did not indicate the error in the error queue
for some reason.

In particular, currently "(SSL:)" can be seen in errors at least in
the following cases:

- When SSL_write() fails due to a syscall error,
  "[info] ... SSL_write() failed (SSL:) (32: Broken pipe)...".

- When loading a certificate with no data in it,
  "[emerg] PEM_read_bio_X509_AUX(...) failed (SSL:)".
  This can easily happen due to an additional empty line before
  the end line, so all lines of the certificate are interpreted
  as header lines.

- When trying to configure an unknown curve,
  "[emerg] SSL_CTX_set1_curves_list("foo") failed (SSL:)".

Likely there are other cases as well.

With this change, "(SSL:...)" will be only added to the error message
if there is something in the error queue.  This is expected to make
logs more readable in the above cases.  Additionally, with this change
it is now possible to use ngx_ssl_error() to log errors when some
of the possible errors are not from OpenSSL and not expected to have
anything in the error queue.





The "(SSL:)" snippet currently appears in logs when nginx code uses
ngx_ssl_error() to log an error, but OpenSSL's error queue is empty.
This can happen either because the error wasn't in fact from OpenSSL,
or because OpenSSL did not indicate the error in the error queue
for some reason.

In particular, currently "(SSL:)" can be seen in errors at least in
the following cases:

- When SSL_write() fails due to a syscall error,
  "[info] ... SSL_write() failed (SSL:) (32: Broken pipe)...".

- When loading a certificate with no data in it,
  "[emerg] PEM_read_bio_X509_AUX(...) failed (SSL:)".
  This can easily happen due to an additional empty line before
  the end line, so all lines of the certificate are interpreted
  as header lines.

- When trying to configure an unknown curve,
  "[emerg] SSL_CTX_set1_curves_list("foo") failed (SSL:)".

Likely there are other cases as well.

With this change, "(SSL:...)" will be only added to the error message
if there is something in the error queue.  This is expected to make
logs more readable in the above cases.  Additionally, with this change
it is now possible to use ngx_ssl_error() to log errors when some
of the possible errors are not from OpenSSL and not expected to have
anything in the error queue.







SSL: fixed EVP_DigestFinal_ex() error message.
2019-02-07T16:39:35+00:00

Sergey Kandaurov
pluknet@nginx.com

2019-02-07T16:39:35+00:00

fc66ccce02767061c334ce6636fbd4e22819b58f












SSL: separate checks for errors in ngx_ssl_read_password_file().
2019-01-31T16:36:51+00:00

Maxim Dounin
mdounin@mdounin.ru

2019-01-31T16:36:51+00:00

f7d53c4ae4cf126570bc8290773eb84671632aac

Checking multiple errors at once is a bad practice, as in general
it is not guaranteed that an object can be used after the error.
In this particular case, checking errors after multiple allocations
can result in excessive errors being logged when there is no memory
available.





Checking multiple errors at once is a bad practice, as in general
it is not guaranteed that an object can be used after the error.
In this particular case, checking errors after multiple allocations
can result in excessive errors being logged when there is no memory
available.







SSL: explicitly zero out session ticket keys.
2019-01-31T16:28:07+00:00

Ruslan Ermilov
ru@nginx.com

2019-01-31T16:28:07+00:00

80f105b054b6d7da2da8650f763471f27b47a562












Modules compatibility: down flag in ngx_peer_connection_t.
2019-01-31T14:25:03+00:00

Roman Arutyunyan
arut@nginx.com

2019-01-31T14:25:03+00:00

94fa2bb4cb4ab6140607e129ff1609378e379a09












Removed --test-build-eventport workaround for old FreeBSD versions.
2019-01-28T14:34:02+00:00

Sergey Kandaurov
pluknet@nginx.com

2019-01-28T14:34:02+00:00

a05e7555ce2ffa91f9b071f896e2541580628477