nginx.git/src/event, branch release-1.21.0 nginx Introduced the "keepalive_time" directive. 2021-04-07T21:15:48+00:00 Maxim Dounin mdounin@mdounin.ru 2021-04-07T21:15:48+00:00 d9996d6f27150bfb9c9c00d77fac940712aa1d28 Similar to lingering_time, it limits total connection lifetime before keepalive is switched off. The default is 1 hour, which is close to the total maximum connection lifetime possible with default keepalive_requests and keepalive_timeout. 
Similar to lingering_time, it limits total connection lifetime before
keepalive is switched off.  The default is 1 hour, which is close to
the total maximum connection lifetime possible with default
keepalive_requests and keepalive_timeout.
Events: fixed "port_dissociate() failed" alerts with eventport. 2021-03-28T14:45:29+00:00 Maxim Dounin mdounin@mdounin.ru 2021-03-28T14:45:29+00:00 fd0546aa33d2b28fc89753c15439f356485ad845 If an attempt is made to delete an event which was already reported, port_dissociate() returns an error. Fix is avoid doing anything if ev->active is not set. Possible alternative approach would be to avoid calling ngx_del_event() at all if ev->active is not set. This approach, however, will require something else to re-add the other event of the connection, since both read and write events are dissociated if an event is reported on a file descriptor. Currently ngx_eventport_del_event() re-associates write event if called to delete read event, and vice versa. 
If an attempt is made to delete an event which was already reported,
port_dissociate() returns an error.  Fix is avoid doing anything if
ev->active is not set.

Possible alternative approach would be to avoid calling ngx_del_event()
at all if ev->active is not set.  This approach, however, will require
something else to re-add the other event of the connection, since both
read and write events are dissociated if an event is reported on a file
descriptor.  Currently ngx_eventport_del_event() re-associates write
event if called to delete read event, and vice versa.
Events: fixed expiration of timers in the past. 2021-03-25T22:44:59+00:00 Maxim Dounin mdounin@mdounin.ru 2021-03-25T22:44:59+00:00 c108f04e85a15f4e1cc700b41999a92ce09a889d If, at the start of an event loop iteration, there are any timers in the past (including timers expiring now), the ngx_process_events() function is called with zero timeout, and returns immediately even if there are no events. But the following code only calls ngx_event_expire_timers() if time actually changed, so this results in nginx spinning in the event loop till current time changes. While such timers are not expected to appear under normal conditions, as all such timers should be removed on previous event loop iterations, they still can appear due to bugs, zero timeouts set in the configuration (if this is not explicitly handled by the code), or due to external time changes on systems without clock_gettime(CLOCK_MONOTONIC). Fix is to call ngx_event_expire_timers() unconditionally. Calling it on each event loop iteration is not expected to be significant from performance point of view, especially compared to a syscall in ngx_process_events(). 
If, at the start of an event loop iteration, there are any timers
in the past (including timers expiring now), the ngx_process_events()
function is called with zero timeout, and returns immediately even
if there are no events.  But the following code only calls
ngx_event_expire_timers() if time actually changed, so this results
in nginx spinning in the event loop till current time changes.

While such timers are not expected to appear under normal conditions,
as all such timers should be removed on previous event loop iterations,
they still can appear due to bugs, zero timeouts set in the configuration
(if this is not explicitly handled by the code), or due to external
time changes on systems without clock_gettime(CLOCK_MONOTONIC).

Fix is to call ngx_event_expire_timers() unconditionally.  Calling
it on each event loop iteration is not expected to be significant from
performance point of view, especially compared to a syscall in
ngx_process_events().
Events: fixed eventport handling in ngx_handle_read_event(). 2021-03-05T14:16:15+00:00 Maxim Dounin mdounin@mdounin.ru 2021-03-05T14:16:15+00:00 d5a31fdad50dbd28974cb0eb7f23948241a7559e The "!rev->ready" test seems to be a typo, introduced in the original commit (719:f30b1a75fd3b). The ngx_handle_write_event() code properly tests for "rev->ready" instead. Due to this typo, read events might be unexpectedly removed during proxying after an event on the other part of the proxied connection. Catched by mail proxying tests. 
The "!rev->ready" test seems to be a typo, introduced in the original
commit (719:f30b1a75fd3b).  The ngx_handle_write_event() code properly
tests for "rev->ready" instead.

Due to this typo, read events might be unexpectedly removed during
proxying after an event on the other part of the proxied connection.
Catched by mail proxying tests.
SSL: added check for debugging. 2021-02-20T15:03:04+00:00 Maxim Dounin mdounin@mdounin.ru 2021-02-20T15:03:04+00:00 ef44627852ce831407d54c09d7a100e3ca41b9a6 If debugging is not enabled, there is no need to do extra work in ngx_ssl_verify_callback() and ngx_ssl_handshake_log(). 
If debugging is not enabled, there is no need to do extra work in
ngx_ssl_verify_callback() and ngx_ssl_handshake_log().
SSL: added missed error reporting during variables evaluation. 2021-02-20T15:02:54+00:00 Maxim Dounin mdounin@mdounin.ru 2021-02-20T15:02:54+00:00 7ae100407c9b771e1067396baf1d013490b488f5 






SSL: X509_NAME_oneline() error handling.
2021-02-20T15:02:49+00:00

Maxim Dounin
mdounin@mdounin.ru

2021-02-20T15:02:49+00:00

60a8ed26f3120356b2d3e6639ffc932eb0cb8721












SSL: fixed SSL shutdown on lingering close.
2020-12-07T22:43:36+00:00

Ruslan Ermilov
ru@nginx.com

2020-12-07T22:43:36+00:00

e62a5132ca6ab74f324bf46fe91ee89e1951578c

Ensure c->recv is properly reset to ngx_recv if SSL_shutdown()
blocks on writing.

The bug had appeared in 554c6ae25ffc.





Ensure c->recv is properly reset to ngx_recv if SSL_shutdown()
blocks on writing.

The bug had appeared in 554c6ae25ffc.







Core: added format specifiers to output binary data as hex.
2020-10-28T07:56:11+00:00

Vladimir Homutov
vl@nginx.com

2020-10-28T07:56:11+00:00

3c0427373381097a9e25ccc2cb46bbc1ccac87a2

Now "s", "V", and "v" format specifiers may be prefixed with "x" (lowercase)
or "X" (uppercase) to output corresponding data in hexadecimal format.

In collaboration with Maxim Dounin.





Now "s", "V", and "v" format specifiers may be prefixed with "x" (lowercase)
or "X" (uppercase) to output corresponding data in hexadecimal format.

In collaboration with Maxim Dounin.







SSL: ssl_reject_handshake directive (ticket #195).
2020-10-22T15:02:28+00:00

Maxim Dounin
mdounin@mdounin.ru

2020-10-22T15:02:28+00:00

9cdb278454367448366354f2786b36c1fef1f92e

In some cases it might be needed to reject SSL handshake based on SNI
server name provided, for example, to make sure an invalid certificate
is not returned to clients trying to contact a name-based virtual server
without SSL configured.  Previously, a "ssl_ciphers aNULL;" was used for
this.  This workaround, however, is not compatible with TLSv1.3, in
particular, when using BoringSSL, where it is not possible to configure
TLSv1.3 ciphers at all.

With this change, the ssl_reject_handshake directive is introduced,
which instructs nginx to reject SSL handshakes with an "unrecognized_name"
alert in a particular server block.

For example, to reject handshake with names other than example.com,
one can use the following configuration:

    server {
        listen 443 ssl;
        ssl_reject_handshake on;
    }

    server {
        listen 443 ssl;
        server_name example.com;
        ssl_certificate example.com.crt;
        ssl_certificate_key example.com.key;
    }

The following configuration can be used to reject all SSL handshakes
without SNI server name provided:

    server {
        listen 443 ssl;
        ssl_reject_handshake on;
    }

    server {
        listen 443 ssl;
        server_name ~^;
        ssl_certificate example.crt;
        ssl_certificate_key example.key;
    }

Additionally, the ssl_reject_handshake directive makes configuring
certificates for the default server block optional.  If no certificates
are configured in the default server for a given listening socket,
certificates must be defined in all non-default server blocks with
the listening socket in question.





In some cases it might be needed to reject SSL handshake based on SNI
server name provided, for example, to make sure an invalid certificate
is not returned to clients trying to contact a name-based virtual server
without SSL configured.  Previously, a "ssl_ciphers aNULL;" was used for
this.  This workaround, however, is not compatible with TLSv1.3, in
particular, when using BoringSSL, where it is not possible to configure
TLSv1.3 ciphers at all.

With this change, the ssl_reject_handshake directive is introduced,
which instructs nginx to reject SSL handshakes with an "unrecognized_name"
alert in a particular server block.

For example, to reject handshake with names other than example.com,
one can use the following configuration:

    server {
        listen 443 ssl;
        ssl_reject_handshake on;
    }

    server {
        listen 443 ssl;
        server_name example.com;
        ssl_certificate example.com.crt;
        ssl_certificate_key example.com.key;
    }

The following configuration can be used to reject all SSL handshakes
without SNI server name provided:

    server {
        listen 443 ssl;
        ssl_reject_handshake on;
    }

    server {
        listen 443 ssl;
        server_name ~^;
        ssl_certificate example.crt;
        ssl_certificate_key example.key;
    }

Additionally, the ssl_reject_handshake directive makes configuring
certificates for the default server block optional.  If no certificates
are configured in the default server for a given listening socket,
certificates must be defined in all non-default server blocks with
the listening socket in question.