nginx.git/src/event, branch release-1.19.0 nginx Fixed format specifiers. 2020-05-23T12:53:08+00:00 Sergey Kandaurov pluknet@nginx.com 2020-05-23T12:53:08+00:00 9b87626b0bdd0e6c87d76f1a50302ca9e3df2fc1 






OCSP: certificate status cache.
2020-05-22T14:25:27+00:00

Roman Arutyunyan
arut@nginx.com

2020-05-22T14:25:27+00:00

5727f9a1e0cca082eb1f3e599e0453a7a9cfe319

When enabled, certificate status is stored in cache and is used to validate
the certificate in future requests.

New directive ssl_ocsp_cache is added to configure the cache.





When enabled, certificate status is stored in cache and is used to validate
the certificate in future requests.

New directive ssl_ocsp_cache is added to configure the cache.







SSL: client certificate validation with OCSP (ticket #1534).
2020-05-22T14:30:12+00:00

Roman Arutyunyan
arut@nginx.com

2020-05-22T14:30:12+00:00

60438ae395d83b0f8b21bf667a1e260d60c3f46a

OCSP validation for client certificates is enabled by the "ssl_ocsp" directive.
OCSP responder can be optionally specified by "ssl_ocsp_responder".

When session is reused, peer chain is not available for validation.
If the verified chain contains certificates from the peer chain not available
at the server, validation will fail.





OCSP validation for client certificates is enabled by the "ssl_ocsp" directive.
OCSP responder can be optionally specified by "ssl_ocsp_responder".

When session is reused, peer chain is not available for validation.
If the verified chain contains certificates from the peer chain not available
at the server, validation will fail.







OCSP stapling: iterate over all responder addresses.
2020-05-22T17:35:05+00:00

Roman Arutyunyan
arut@nginx.com

2020-05-22T17:35:05+00:00

aa94ee82f6040c8e2cbde3ae4de931c23fade3f3

Previously only the first responder address was used per each stapling update.
Now, in case of a network or parsing error, next address is used.

This also fixes the issue with unsupported responder address families
(ticket #1330).





Previously only the first responder address was used per each stapling update.
Now, in case of a network or parsing error, next address is used.

This also fixes the issue with unsupported responder address families
(ticket #1330).







OCSP stapling: keep extra chain in the staple object.
2020-05-17T11:24:35+00:00

Roman Arutyunyan
arut@nginx.com

2020-05-17T11:24:35+00:00

abdb9aebc6fa165cc2a77a555f309a4eec6947dd












OCSP stapling: moved response verification to a separate function.
2020-05-06T18:44:14+00:00

Roman Arutyunyan
arut@nginx.com

2020-05-06T18:44:14+00:00

3f2ac979eb3600fe285f184bfd30673e7c8de85a












SSL: reworked posted next events again.
2019-12-27T16:43:01+00:00

Maxim Dounin
mdounin@mdounin.ru

2019-12-27T16:43:01+00:00

fb34316d68511bd0986d3153dfea93d21363016d

Previous change 1ce3f01a4355 incorrectly introduced processing of the
ngx_posted_next_events queue at the end of operation, effectively making
posted next events a nop, since at the end of an event loop iteration
the queue is always empty.  Correct approach is to move events to the
ngx_posted_events queue at an iteration start, as it was done previously.

Further, in some cases the c->read event might be already in the
ngx_posted_events queue, and calling ngx_post_event() with the
ngx_posted_next_events queue won't do anything.  To make sure the event
will be correctly placed into the ngx_posted_next_events queue
we now check if it is already posted.





Previous change 1ce3f01a4355 incorrectly introduced processing of the
ngx_posted_next_events queue at the end of operation, effectively making
posted next events a nop, since at the end of an event loop iteration
the queue is always empty.  Correct approach is to move events to the
ngx_posted_events queue at an iteration start, as it was done previously.

Further, in some cases the c->read event might be already in the
ngx_posted_events queue, and calling ngx_post_event() with the
ngx_posted_next_events queue won't do anything.  To make sure the event
will be correctly placed into the ngx_posted_next_events queue
we now check if it is already posted.







SSL: reworked posted next events.
2019-12-24T14:24:59+00:00

Maxim Dounin
mdounin@mdounin.ru

2019-12-24T14:24:59+00:00

24f18aea8ce1e847362c6bfa586bc0807ebae90d

Introduced in 9d2ad2fb4423 available bytes handling in SSL relied
on connection read handler being overwritten to set the ready flag
and the amount of available bytes.  This approach is, however, does
not work properly when connection read handler is changed, for example,
when switching to a next pipelined request, and can result in unexpected
connection timeouts, see here:

http://mailman.nginx.org/pipermail/nginx-devel/2019-December/012825.html

Fix is to introduce ngx_event_process_posted_next() instead, which
will set ready and available regardless of how event handler is set.





Introduced in 9d2ad2fb4423 available bytes handling in SSL relied
on connection read handler being overwritten to set the ready flag
and the amount of available bytes.  This approach is, however, does
not work properly when connection read handler is changed, for example,
when switching to a next pipelined request, and can result in unexpected
connection timeouts, see here:

http://mailman.nginx.org/pipermail/nginx-devel/2019-December/012825.html

Fix is to introduce ngx_event_process_posted_next() instead, which
will set ready and available regardless of how event handler is set.







SSL: available bytes handling (ticket #1431).
2019-10-17T13:02:24+00:00

Maxim Dounin
mdounin@mdounin.ru

2019-10-17T13:02:24+00:00

798fcf1ab4b77441a4cdf368a6cb11dc1c0c39c8

Added code to track number of bytes available in the socket.
This makes it possible to avoid looping for a long time while
working with fast enough peer when data are added to the socket buffer
faster than we are able to read and process data.

When kernel does not provide number of bytes available, it is
retrieved using ioctl(FIONREAD) as long as a buffer is filled by
SSL_read().

It is assumed that number of bytes returned by SSL_read() is close
to the number of bytes read from the socket, as we do not use
SSL compression.  But even if it is not true for some reason, this
is not important, as we post an additional reading event anyway.

Note that data can be buffered at SSL layer, and it is not possible
to simply stop reading at some point and wait till the event will
be reported by the kernel again.  This can be only done when there
are no data in SSL buffers, and there is no good way to find out if
it's the case.

Instead of trying to figure out if SSL buffers are empty, this patch
introduces events posted for the next event loop iteration - such
events will be processed only on the next event loop iteration,
after going into the kernel and retrieving additional events.  This
seems to be simple and reliable approach.





Added code to track number of bytes available in the socket.
This makes it possible to avoid looping for a long time while
working with fast enough peer when data are added to the socket buffer
faster than we are able to read and process data.

When kernel does not provide number of bytes available, it is
retrieved using ioctl(FIONREAD) as long as a buffer is filled by
SSL_read().

It is assumed that number of bytes returned by SSL_read() is close
to the number of bytes read from the socket, as we do not use
SSL compression.  But even if it is not true for some reason, this
is not important, as we post an additional reading event anyway.

Note that data can be buffered at SSL layer, and it is not possible
to simply stop reading at some point and wait till the event will
be reported by the kernel again.  This can be only done when there
are no data in SSL buffers, and there is no good way to find out if
it's the case.

Instead of trying to figure out if SSL buffers are empty, this patch
introduces events posted for the next event loop iteration - such
events will be processed only on the next event loop iteration,
after going into the kernel and retrieving additional events.  This
seems to be simple and reliable approach.







Events: available bytes calculation via ioctl(FIONREAD).
2019-10-17T13:02:19+00:00

Maxim Dounin
mdounin@mdounin.ru

2019-10-17T13:02:19+00:00

fac4c7bdf53ee7d8fec6568f1e9fecefcde6feba

This makes it possible to avoid looping for a long time while working
with a fast enough peer when data are added to the socket buffer faster
than we are able to read and process them (ticket #1431).  This is
basically what we already do on FreeBSD with kqueue, where information
about the number of bytes in the socket buffer is returned by
the kevent() call.

With other event methods rev->available is now set to -1 when the socket
is ready for reading.  Later in ngx_recv() and ngx_recv_chain(), if
full buffer is received, real number of bytes in the socket buffer is
retrieved using ioctl(FIONREAD).  Reading more than this number of bytes
ensures that even with edge-triggered event methods the event will be
triggered again, so it is safe to stop processing of the socket and
switch to other connections.

Using ioctl(FIONREAD) only after reading a full buffer is an optimization.
With this approach we only call ioctl(FIONREAD) when there are at least
two recv()/readv() calls.





This makes it possible to avoid looping for a long time while working
with a fast enough peer when data are added to the socket buffer faster
than we are able to read and process them (ticket #1431).  This is
basically what we already do on FreeBSD with kqueue, where information
about the number of bytes in the socket buffer is returned by
the kevent() call.

With other event methods rev->available is now set to -1 when the socket
is ready for reading.  Later in ngx_recv() and ngx_recv_chain(), if
full buffer is received, real number of bytes in the socket buffer is
retrieved using ioctl(FIONREAD).  Reading more than this number of bytes
ensures that even with edge-triggered event methods the event will be
triggered again, so it is safe to stop processing of the socket and
switch to other connections.

Using ioctl(FIONREAD) only after reading a full buffer is an optimization.
With this approach we only call ioctl(FIONREAD) when there are at least
two recv()/readv() calls.