nginx.git/src/event, branch release-1.29.1 nginx SSL: support for compressed server certificates with OpenSSL. 2025-08-03T15:15:16+00:00 Sergey Kandaurov pluknet@nginx.com 2025-07-09T15:02:09+00:00 251444fcf4434bfddbe3394a568c51d4f7bd857f The ssl_certificate_compression directive allows to send compressed server certificates. In OpenSSL, they are pre-compressed on startup. To simplify configuration, the SSL_OP_NO_TX_CERTIFICATE_COMPRESSION option is automatically cleared if certificates were pre-compressed. SSL_CTX_compress_certs() may return an error in legitimate cases, e.g., when none of compression algorithms is available or if the resulting compressed size is larger than the original one, thus it is silently ignored. Certificate compression is supported in Chrome with brotli only, in Safari with zlib only, and in Firefox with all listed algorithms. It is supported since Ubuntu 24.10, which has OpenSSL with enabled zlib and zstd support. The actual list of algorithms supported in OpenSSL depends on how the library was configured; it can be brotli, zlib, zstd as listed in RFC 8879. 
The ssl_certificate_compression directive allows to send compressed
server certificates.  In OpenSSL, they are pre-compressed on startup.
To simplify configuration, the SSL_OP_NO_TX_CERTIFICATE_COMPRESSION
option is automatically cleared if certificates were pre-compressed.

SSL_CTX_compress_certs() may return an error in legitimate cases,
e.g., when none of compression algorithms is available or if the
resulting compressed size is larger than the original one, thus it
is silently ignored.

Certificate compression is supported in Chrome with brotli only,
in Safari with zlib only, and in Firefox with all listed algorithms.
It is supported since Ubuntu 24.10, which has OpenSSL with enabled
zlib and zstd support.

The actual list of algorithms supported in OpenSSL depends on how
the library was configured; it can be brotli, zlib, zstd as listed
in RFC 8879.
SSL: disabled certificate compression by default with OpenSSL. 2025-08-03T15:15:16+00:00 Sergey Kandaurov pluknet@nginx.com 2025-07-15T11:55:26+00:00 ed99269eed283e474590bbe951bad1d74b721955 Certificate compression is supported since OpenSSL 3.2, it is enabled automatically as negotiated in a TLSv1.3 handshake. Using certificate compression and decompression in runtime may be suboptimal in terms of CPU and memory consumption in certain typical scenarios, hence it is disabled by default on both server and client sides. It can be enabled with ssl_conf_command and similar directives in upstream as appropriate, for example: ssl_conf_command Options RxCertificateCompression; ssl_conf_command Options TxCertificateCompression; Compressing server certificates requires additional support, this is addressed separately. 
Certificate compression is supported since OpenSSL 3.2, it is enabled
automatically as negotiated in a TLSv1.3 handshake.

Using certificate compression and decompression in runtime may be
suboptimal in terms of CPU and memory consumption in certain typical
scenarios, hence it is disabled by default on both server and client
sides.  It can be enabled with ssl_conf_command and similar directives
in upstream as appropriate, for example:

    ssl_conf_command Options RxCertificateCompression;
    ssl_conf_command Options TxCertificateCompression;

Compressing server certificates requires additional support, this is
addressed separately.
Events: compatibility with NetBSD 10.0 in kqueue. 2025-07-11T12:25:51+00:00 Sergey Kandaurov pluknet@nginx.com 2025-07-10T12:59:05+00:00 c52c5698cd7640621b8e4ba8a54ccfc38f5b95ff The kevent udata field was changed from intptr_t to "void *", similar to other BSDs and Darwin. The NGX_KQUEUE_UDATA_T macro is adjusted to reflect that change, fixing -Werror=int-conversion errors. 
The kevent udata field was changed from intptr_t to "void *",
similar to other BSDs and Darwin.

The NGX_KQUEUE_UDATA_T macro is adjusted to reflect that change,
fixing -Werror=int-conversion errors.
Configure: set NGX_KQUEUE_UDATA_T at compile time. 2025-07-11T12:25:51+00:00 Sergey Kandaurov pluknet@nginx.com 2025-07-10T12:30:35+00:00 3f5f8a7f51b16097ce6d5811ea3934efdfb27dd6 The NGX_KQUEUE_UDATA_T macro is used to compensate the incompatible kqueue() API in NetBSD, it doesn't really belong to feature tests. The change limits the macro visibility to the kqueue event module. Moving from autotests also simplifies testing a particular NetBSD version as seen in a subsequent change. 
The NGX_KQUEUE_UDATA_T macro is used to compensate the incompatible
kqueue() API in NetBSD, it doesn't really belong to feature tests.

The change limits the macro visibility to the kqueue event module.
Moving from autotests also simplifies testing a particular NetBSD
version as seen in a subsequent change.
Events: fixed -Wzero-as-null-pointer-constant warnings in kqueue. 2025-07-11T12:25:51+00:00 Sergey Kandaurov pluknet@nginx.com 2025-07-08T18:45:33+00:00 0daaba5c54aeeddffff400bfc77a08a1fd71b757 The kevent udata field is special in that we maintain compatibility with NetBSD versions that predate using the "void *" type. The fix is to cast to intermediate uintptr_t that is casted back to "void *" where appropriate. 
The kevent udata field is special in that we maintain compatibility
with NetBSD versions that predate using the "void *" type.

The fix is to cast to intermediate uintptr_t that is casted back to
"void *" where appropriate.
SSL: fixed testing OPENSSL_VERSION_NUMBER for OpenSSL 3.0+. 2025-07-10T15:00:45+00:00 Sergey Kandaurov pluknet@nginx.com 2025-07-08T14:07:04+00:00 a5ca38f30392e93aadc32cf5955c29fddcaa3871 Prior to OpenSSL 3.0, OPENSSL_VERSION_NUMBER used the following format: MNNFFPPS: major minor fix patch status Where the status nibble (S) has 0+ for development and f for release. The format was changed in OpenSSL 3.0.0, where it is always zero: MNN00PP0: major minor patch 
Prior to OpenSSL 3.0, OPENSSL_VERSION_NUMBER used the following format:

MNNFFPPS: major minor fix patch status

Where the status nibble (S) has 0+ for development and f for release.

The format was changed in OpenSSL 3.0.0, where it is always zero:

MNN00PP0: major minor patch
SSL: SSL_group_to_name() compatibility macro. 2025-07-10T15:00:45+00:00 Sergey Kandaurov pluknet@nginx.com 2025-07-08T13:59:50+00:00 a5d60c30d3d494291dd7e2ddde4536a439bab5bf No functional changes. 
No functional changes.
QUIC: adjusted OpenSSL 3.5 QUIC API feature test. 2025-07-03T18:50:25+00:00 Sergey Kandaurov pluknet@nginx.com 2025-06-22T16:40:05+00:00 0bb7489cb2fcc60ce24fae2d5581c7441bfa0931 A bug with the "quic_transport_parameters" extension and SNI described in cedb855d7 is now fixed in the OpenSSL 3.5.1 release, as requested in https://github.com/openssl/openssl/pull/27706. 
A bug with the "quic_transport_parameters" extension and SNI described
in cedb855d7 is now fixed in the OpenSSL 3.5.1 release, as requested
in https://github.com/openssl/openssl/pull/27706.
QUIC: disabled OpenSSL 3.5 QUIC API support by default. 2025-06-23T18:35:09+00:00 Sergey Kandaurov pluknet@nginx.com 2025-05-27T17:56:40+00:00 cedb855d75ceefd7fe513f9c27c9364678582786 In OpenSSL 3.5.0, the "quic_transport_parameters" extension set internally by the QUIC API is cleared on the SSL context switch, which disables sending QUIC transport parameters if switching to a different server block on SNI. See the initial report in [1]. This is fixed post OpenSSL 3.5.0 [2]. The fix is anticipated in OpenSSL 3.5.1, which has not been released yet. When building with OpenSSL 3.5, OpenSSL compat layer is now used by default. The OpenSSL 3.5 QUIC API support can be switched back using --with-cc-opt='-DNGX_QUIC_OPENSSL_API=1'. [1] https://github.com/nginx/nginx/issues/711 [2] https://github.com/openssl/openssl/commit/45bd3c3798 
In OpenSSL 3.5.0, the "quic_transport_parameters" extension set
internally by the QUIC API is cleared on the SSL context switch,
which disables sending QUIC transport parameters if switching to
a different server block on SNI.  See the initial report in [1].

This is fixed post OpenSSL 3.5.0 [2].  The fix is anticipated in
OpenSSL 3.5.1, which has not been released yet.  When building
with OpenSSL 3.5, OpenSSL compat layer is now used by default.
The OpenSSL 3.5 QUIC API support can be switched back using
--with-cc-opt='-DNGX_QUIC_OPENSSL_API=1'.

[1] https://github.com/nginx/nginx/issues/711
[2] https://github.com/openssl/openssl/commit/45bd3c3798
Use NULL instead of 0 for null pointer constant. 2025-06-21T06:36:45+00:00 Andrew Clayton a.clayton@nginx.com 2025-05-21T21:30:20+00:00 4eaecc5e8aa7bbaf9e58bf56560a8b1e67d0a8b7 There were a few random places where 0 was being used as a null pointer constant. We have a NULL macro for this very purpose, use it. There is also some interest in actually deprecating the use of 0 as a null pointer constant in C. This was found with -Wzero-as-null-pointer-constant which was enabled for C in GCC 15 (not enabled with Wall or Wextra... yet). Link: <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=117059> 
There were a few random places where 0 was being used as a null pointer
constant.

We have a NULL macro for this very purpose, use it.

There is also some interest in actually deprecating the use of 0 as a
null pointer constant in C.

This was found with -Wzero-as-null-pointer-constant which was enabled
for C in GCC 15 (not enabled with Wall or Wextra... yet).

Link: <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=117059>