nginx.git/src/event, branch release-1.23.1 nginx SSL: logging levels of various errors added in OpenSSL 1.1.1. 2022-07-12T12:55:22+00:00 Maxim Dounin mdounin@mdounin.ru 2022-07-12T12:55:22+00:00 ea46b22dfb56137afc7463bc0383e52ff27c7905 Starting with OpenSSL 1.1.1, various additional errors can be reported by OpenSSL in case of client-related issues, most notably during TLSv1.3 handshakes. In particular, SSL_R_BAD_KEY_SHARE ("bad key share"), SSL_R_BAD_EXTENSION ("bad extension"), SSL_R_BAD_CIPHER ("bad cipher"), SSL_R_BAD_ECPOINT ("bad ecpoint"). These are now logged at the "info" level. 
Starting with OpenSSL 1.1.1, various additional errors can be reported
by OpenSSL in case of client-related issues, most notably during TLSv1.3
handshakes.  In particular, SSL_R_BAD_KEY_SHARE ("bad key share"),
SSL_R_BAD_EXTENSION ("bad extension"), SSL_R_BAD_CIPHER ("bad cipher"),
SSL_R_BAD_ECPOINT ("bad ecpoint").  These are now logged at the "info"
level.
SSL: logging level of "application data after close notify". 2022-02-08T14:35:27+00:00 Sergey Kandaurov pluknet@nginx.com 2022-02-08T14:35:27+00:00 828fb94e1dbe1c433edd39147ba085c4622c99ed Such fatal errors are reported by OpenSSL 1.1.1, and similarly by BoringSSL, if application data is encountered during SSL shutdown, which started to be observed on the second SSL_shutdown() call after SSL shutdown fixes made in 09fb2135a589 (1.19.2). The error means that the client continues to send application data after receiving the "close_notify" alert (ticket #2318). Previously it was reported as SSL_shutdown() error of SSL_ERROR_SYSCALL. 
Such fatal errors are reported by OpenSSL 1.1.1, and similarly by BoringSSL,
if application data is encountered during SSL shutdown, which started to be
observed on the second SSL_shutdown() call after SSL shutdown fixes made in
09fb2135a589 (1.19.2).  The error means that the client continues to send
application data after receiving the "close_notify" alert (ticket #2318).
Previously it was reported as SSL_shutdown() error of SSL_ERROR_SYSCALL.
HTTP/2: made it possible to flush response headers (ticket #1743). 2022-02-02T22:44:38+00:00 Maxim Dounin mdounin@mdounin.ru 2022-02-02T22:44:38+00:00 a52433a04c58821fd95591e474d35995292f1090 Response headers can be buffered in the SSL buffer. But stream's fake connection buffered flag did not reflect this, so any attempts to flush the buffer without sending additional data were stopped by the write filter. It does not seem to be possible to reflect this in fc->buffered though, as we never known if main connection's c->buffered corresponds to the particular stream or not. As such, fc->buffered might prevent request finalization due to sending data on some other stream. Fix is to implement handling of flush buffers when the c->need_flush_buf flag is set, similarly to the existing last buffer handling. The same flag is now used for UDP sockets in the stream module instead of explicit checking of c->type. 
Response headers can be buffered in the SSL buffer.  But stream's fake
connection buffered flag did not reflect this, so any attempts to flush
the buffer without sending additional data were stopped by the write filter.

It does not seem to be possible to reflect this in fc->buffered though, as
we never known if main connection's c->buffered corresponds to the particular
stream or not.  As such, fc->buffered might prevent request finalization
due to sending data on some other stream.

Fix is to implement handling of flush buffers when the c->need_flush_buf
flag is set, similarly to the existing last buffer handling.  The same
flag is now used for UDP sockets in the stream module instead of explicit
checking of c->type.
Core: added function for local source address cmsg. 2022-01-25T12:48:58+00:00 Vladimir Homutov vl@nginx.com 2022-01-25T12:48:58+00:00 550b40d84faccdb14673bb4091b878d1c2a5b183 






Core: made the ngx_sendmsg() function non-static.
2022-01-25T12:48:56+00:00

Vladimir Homutov
vl@nginx.com

2022-01-25T12:48:56+00:00

c67400316626a7375b15dc3068fa8c291e3838d9

The NGX_HAVE_ADDRINFO_CMSG macro is defined when at least one of methods
to deal with corresponding control message is available.





The NGX_HAVE_ADDRINFO_CMSG macro is defined when at least one of methods
to deal with corresponding control message is available.







Core: the ngx_event_udp.h header file.
2022-01-25T12:41:48+00:00

Vladimir Homutov
vl@nginx.com

2022-01-25T12:41:48+00:00

f780297bcf12eaa5942b95adb49e297314132e15












SSL: always renewing tickets with TLSv1.3 (ticket #1892).
2022-01-24T14:18:50+00:00

Maxim Dounin
mdounin@mdounin.ru

2022-01-24T14:18:50+00:00

0a407d7df825689a47ecdea4ae4cd6b2a894cb53

Chrome only uses TLS session tickets once with TLS 1.3, likely following
RFC 8446 Appendix C.4 recommendation.  With OpenSSL, this works fine with
built-in session tickets, since these are explicitly renewed in case of
TLS 1.3 on each session reuse, but results in only two connections being
reused after an initial handshake when using ssl_session_ticket_key.

Fix is to always renew TLS session tickets in case of TLS 1.3 when using
ssl_session_ticket_key, similarly to how it is done by OpenSSL internally.





Chrome only uses TLS session tickets once with TLS 1.3, likely following
RFC 8446 Appendix C.4 recommendation.  With OpenSSL, this works fine with
built-in session tickets, since these are explicitly renewed in case of
TLS 1.3 on each session reuse, but results in only two connections being
reused after an initial handshake when using ssl_session_ticket_key.

Fix is to always renew TLS session tickets in case of TLS 1.3 when using
ssl_session_ticket_key, similarly to how it is done by OpenSSL internally.







SSL: free pkey on SSL_CTX_set0_tmp_dh_pkey() failure.
2022-01-17T14:05:12+00:00

Sergey Kandaurov
pluknet@nginx.com

2022-01-17T14:05:12+00:00

429150c1fa78317bdb19de380ce709651dbc042c

The behaviour was changed in OpenSSL 3.0.1:
https://git.openssl.org/?p=openssl.git;a=commitdiff;h=bf17b7b





The behaviour was changed in OpenSSL 3.0.1:
https://git.openssl.org/?p=openssl.git;a=commitdiff;h=bf17b7b







Events: fixed balancing between workers with EPOLLEXCLUSIVE.
2021-12-29T22:08:46+00:00

Maxim Dounin
mdounin@mdounin.ru

2021-12-29T22:08:46+00:00

96c342e56035a9676180d03b4659d5b05b9c6b07

Linux with EPOLLEXCLUSIVE usually notifies only the process which was first
to add the listening socket to the epoll instance.  As a result most of the
connections are handled by the first worker process (ticket #2285).  To fix
this, we re-add the socket periodically, so other workers will get a chance
to accept connections.





Linux with EPOLLEXCLUSIVE usually notifies only the process which was first
to add the listening socket to the epoll instance.  As a result most of the
connections are handled by the first worker process (ticket #2285).  To fix
this, we re-add the socket periodically, so other workers will get a chance
to accept connections.







Support for sendfile(SF_NOCACHE).
2021-12-27T16:49:26+00:00

Maxim Dounin
mdounin@mdounin.ru

2021-12-27T16:49:26+00:00

1f01183b9e6658749934313fd72f7f16c1918b54

The SF_NOCACHE flag, introduced in FreeBSD 11 along with the new non-blocking
sendfile() implementation by glebius@, makes it possible to use sendfile()
along with the "directio" directive.





The SF_NOCACHE flag, introduced in FreeBSD 11 along with the new non-blocking
sendfile() implementation by glebius@, makes it possible to use sendfile()
along with the "directio" directive.