nginx.git/src/event, branch release-1.27.4 nginx QUIC: added missing casts in iov_base assignments. 2025-01-28T16:00:42+00:00 Aleksei Bavshin a.bavshin@nginx.com 2025-01-27T18:33:25+00:00 64d0795ac41836b6be8fcceba68f1dbb62b4035a This is consistent with the rest of the code and fixes build on systems with non-standard definition of struct iovec (Solaris, Illumos). 
This is consistent with the rest of the code and fixes build on systems
with non-standard definition of struct iovec (Solaris, Illumos).
Upstream: fixed --with-compat build without SSL, broken by 454ad0e. 2025-01-23T18:50:13+00:00 Pavel Pautov p.pautov@f5.com 2025-01-22T02:41:16+00:00 5ab4f32e9de1d0c8523d3a22fc20a3067e20b68d 






SSL: avoid using mismatched certificate/key cached pairs.
2025-01-17T00:37:46+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-01-08T13:50:33+00:00

5d5d9adccfeaff7d5926737ee5dfa43937fe5899

This can happen with certificates and certificate keys specified
with variables due to partial cache update in various scenarios:
- cache expiration with only one element of pair evicted
- on-disk update with non-cacheable encrypted keys
- non-atomic on-disk update

The fix is to retry with fresh data on X509_R_KEY_VALUES_MISMATCH.





This can happen with certificates and certificate keys specified
with variables due to partial cache update in various scenarios:
- cache expiration with only one element of pair evicted
- on-disk update with non-cacheable encrypted keys
- non-atomic on-disk update

The fix is to retry with fresh data on X509_R_KEY_VALUES_MISMATCH.







SSL: cache revalidation of file based dynamic certificates.
2025-01-17T00:37:46+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-01-13T17:40:04+00:00

4b96ad14f3607ab39b160715aeba721097ac4da4

Revalidation is based on file modification time and uniq file index,
and happens after the cache object validity time is expired.





Revalidation is based on file modification time and uniq file index,
and happens after the cache object validity time is expired.







SSL: caching certificates and certificate keys with variables.
2025-01-17T00:37:46+00:00

Sergey Kandaurov
pluknet@nginx.com

2024-10-29T12:25:11+00:00

0e756d67aa1e42e3b1b360936eb4d6c06bced2c1

A new directive "ssl_certificate_cache max=N [valid=time] [inactive=time]"
enables caching of SSL certificate chain and secret key objects specified
by "ssl_certificate" and "ssl_certificate_key" directives with variables.

Co-authored-by: Aleksei Bavshin <a.bavshin@nginx.com>





A new directive "ssl_certificate_cache max=N [valid=time] [inactive=time]"
enables caching of SSL certificate chain and secret key objects specified
by "ssl_certificate" and "ssl_certificate_key" directives with variables.

Co-authored-by: Aleksei Bavshin <a.bavshin@nginx.com>







SSL: encrypted certificate keys are exempt from object cache.
2025-01-17T00:37:46+00:00

Sergey Kandaurov
pluknet@nginx.com

2024-12-18T16:09:58+00:00

7677d5646aeb761b8b9da5af3eb10c008aae3f90

SSL object cache, as previously introduced in 1.27.2, did not take
into account encrypted certificate keys that might be unexpectedly
fetched from the cache regardless of the matching passphrase.  To
avoid this, caching of encrypted certificate keys is now disabled
based on the passphrase callback invocation.

A notable exception is encrypted certificate keys configured without
ssl_password_file.  They are loaded once resulting in the passphrase
prompt on startup and reused in other contexts as applicable.





SSL object cache, as previously introduced in 1.27.2, did not take
into account encrypted certificate keys that might be unexpectedly
fetched from the cache regardless of the matching passphrase.  To
avoid this, caching of encrypted certificate keys is now disabled
based on the passphrase callback invocation.

A notable exception is encrypted certificate keys configured without
ssl_password_file.  They are loaded once resulting in the passphrase
prompt on startup and reused in other contexts as applicable.







SSL: object cache inheritance from the old configuration cycle.
2025-01-17T00:37:46+00:00

Sergey Kandaurov
pluknet@nginx.com

2024-12-18T16:03:35+00:00

8311e14ae614529aabe9e72e87051d191b723fb4

Memory based objects are always inherited, engine based objects are
never inherited to adhere the volatile nature of engines, file based
objects are inherited subject to modification time and file index.

The previous behaviour to bypass cache from the old configuration cycle
is preserved with a new directive "ssl_object_cache_inheritable off;".





Memory based objects are always inherited, engine based objects are
never inherited to adhere the volatile nature of engines, file based
objects are inherited subject to modification time and file index.

The previous behaviour to bypass cache from the old configuration cycle
is preserved with a new directive "ssl_object_cache_inheritable off;".







QUIC: fixed accessing a released stream.
2024-12-27T12:14:14+00:00

Roman Arutyunyan
arut@nginx.com

2024-12-10T14:19:27+00:00

e3a9b6ad08a86e799a3d77da3f2fc507d3c9699e

While trying to close a stream in ngx_quic_close_streams() by calling its
read event handler, the next stream saved prior to that could be destroyed
recursively.  This caused a segfault while trying to access the next stream.

The way the next stream could be destroyed in HTTP/3 is the following.
A request stream read event handler ngx_http_request_handler() could
end up calling ngx_http_v3_send_cancel_stream() to report a cancelled
request stream in the decoder stream.  If sending stream cancellation
decoder instruction fails for any reason, and the decoder stream is the
next in order after the request stream, the issue is triggered.

The fix is to postpone calling read event handlers for all streams being
closed to avoid closing a released stream.





While trying to close a stream in ngx_quic_close_streams() by calling its
read event handler, the next stream saved prior to that could be destroyed
recursively.  This caused a segfault while trying to access the next stream.

The way the next stream could be destroyed in HTTP/3 is the following.
A request stream read event handler ngx_http_request_handler() could
end up calling ngx_http_v3_send_cancel_stream() to report a cancelled
request stream in the decoder stream.  If sending stream cancellation
decoder instruction fails for any reason, and the decoder stream is the
next in order after the request stream, the issue is triggered.

The fix is to postpone calling read event handlers for all streams being
closed to avoid closing a released stream.







QUIC: ignore version negotiation packets.
2024-12-26T14:58:05+00:00

Roman Arutyunyan
arut@nginx.com

2024-12-13T09:25:26+00:00

a52ba8ba0e349585e49073c168e423c12abcf597

Previously, such packets were treated as long header packets with unknown
version 0, and a version negotiation packet was sent in response.  This
could be used to set up an infinite traffic reflect loop with another nginx
instance.

Now version negotiation packets are ignored.  As per RFC 9000, Section 6.1:

  An endpoint MUST NOT send a Version Negotiation packet in response to
  receiving a Version Negotiation packet.





Previously, such packets were treated as long header packets with unknown
version 0, and a version negotiation packet was sent in response.  This
could be used to set up an infinite traffic reflect loop with another nginx
instance.

Now version negotiation packets are ignored.  As per RFC 9000, Section 6.1:

  An endpoint MUST NOT send a Version Negotiation packet in response to
  receiving a Version Negotiation packet.







QUIC: fixed client request timeout in 0-RTT scenarios.
2024-12-10T13:17:20+00:00

nandsky
lishu.zy@alibaba-inc.com

2024-11-25T07:26:29+00:00

930caed3bfc84e43bf4bd034150c17604dc5dc73

Since 0-RTT and 1-RTT data exist in the same packet number space,
ngx_quic_discard_ctx incorrectly discards 1-RTT packets when
0-RTT keys are discarded.

The issue was introduced by 58b92177e7c3c50f77f807ab3846ad5c7bbf0ebe.





Since 0-RTT and 1-RTT data exist in the same packet number space,
ngx_quic_discard_ctx incorrectly discards 1-RTT packets when
0-RTT keys are discarded.

The issue was introduced by 58b92177e7c3c50f77f807ab3846ad5c7bbf0ebe.