nginx.git/src/event, branch release-1.29.3 nginx SSL: $ssl_sigalg, $ssl_client_sigalg. 2025-10-24T14:22:32+00:00 Sergey Kandaurov pluknet@nginx.com 2025-10-17T16:38:17+00:00 71f8eb52b7746d6d8ddeb6efab5fc115c187be31 Variables contain the IANA name of the signature scheme[1] used to sign the TLS handshake. Variables are only meaningful when using OpenSSL 3.5 and above, with older versions they are empty. Moreover, since this data isn't stored in a serialized session, variables are only available for new sessions. [1] https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml Requested by willmafh. 
Variables contain the IANA name of the signature scheme[1] used to sign
the TLS handshake.

Variables are only meaningful when using OpenSSL 3.5 and above, with older
versions they are empty.  Moreover, since this data isn't stored in a
serialized session, variables are only available for new sessions.

[1] https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml

Requested by willmafh.
SSL: support for compressed server certificates with BoringSSL. 2025-10-08T15:56:41+00:00 Sergey Kandaurov pluknet@nginx.com 2025-07-15T18:22:53+00:00 78d1ab5a2c00839a36ff6bac661d9785fce3c1a4 BoringSSL/AWS-LC provide two callbacks for each compression algorithm, which may be used to compress and decompress certificates in runtime. This change implements compression support with zlib, as enabled with the ssl_certificate_compression directive. Compressed certificates are stored in certificate exdata and reused in subsequent connections. Notably, AWS-LC saves an X509 pointer in SSL connection, which allows to use it from SSL_get_certificate() for caching purpose. In contrast, BoringSSL reconstructs X509 on-the-fly, though given that it doesn't support multiple certificates, always replacing previously configured certificates, we use the last configured one from ssl->certs, instead. 
BoringSSL/AWS-LC provide two callbacks for each compression algorithm,
which may be used to compress and decompress certificates in runtime.
This change implements compression support with zlib, as enabled with
the ssl_certificate_compression directive.  Compressed certificates
are stored in certificate exdata and reused in subsequent connections.

Notably, AWS-LC saves an X509 pointer in SSL connection, which allows
to use it from SSL_get_certificate() for caching purpose.  In contrast,
BoringSSL reconstructs X509 on-the-fly, though given that it doesn't
support multiple certificates, always replacing previously configured
certificates, we use the last configured one from ssl->certs, instead.
SSL: fixed "key values mismatch" with object cache inheritance. 2025-10-06T08:56:42+00:00 Sergey Kandaurov pluknet@nginx.com 2025-05-29T13:49:48+00:00 a144d828cb70f788e2f8b06e820af95ae2e28f75 In rare cases, it was possible to get into this error state on reload with improperly updated file timestamps for certificate and key pairs. The fix is to retry on X509_R_KEY_VALUES_MISMATCH, similar to 5d5d9adcc. Additionally, loading SSL certificate is updated to avoid certificates discarded on retry to appear in ssl->certs and in extra chain. 
In rare cases, it was possible to get into this error state on reload
with improperly updated file timestamps for certificate and key pairs.

The fix is to retry on X509_R_KEY_VALUES_MISMATCH, similar to 5d5d9adcc.
Additionally, loading SSL certificate is updated to avoid certificates
discarded on retry to appear in ssl->certs and in extra chain.
SSL: AWS-LC compatibility. 2025-09-25T15:28:36+00:00 Sergey Kandaurov pluknet@nginx.com 2025-07-30T12:26:21+00:00 93ff1ee12cd33ea978fbc331988ce265b14fbdab 






QUIC: a new macro to differentiate BoringSSL specific EVP API.
2025-09-25T15:28:36+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-07-30T12:23:43+00:00

af436c58ca388b9926b17f8c3929ae2b343e4019












QUIC: localized OpenSSL headers used for QUIC protection.
2025-09-25T15:28:36+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-07-30T12:09:21+00:00

4c9ae11dff0da5ae76c0e4b6571ce30f7f8024bc












SNI: support for early ClientHello callback with BoringSSL.
2025-09-25T15:25:08+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-09-22T15:55:16+00:00

7f9ced0ce0d70ae60f46ef3ed759efa75e711db4

This brings feature parity with OpenSSL after the previous change,
making it possible to set SSL protocols per virtual server.





This brings feature parity with OpenSSL after the previous change,
making it possible to set SSL protocols per virtual server.







SNI: using the ClientHello callback.
2025-09-25T15:25:08+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-01-27T20:53:15+00:00

0373fe5d98c1515640e74fa6f4d32fac1f1d3ab2

The change introduces an SNI based virtual server selection during
early ClientHello processing.  The callback is available since
OpenSSL 1.1.1; for older OpenSSL versions, the previous behaviour
is kept.

Using the ClientHello callback sets a reasonable processing order
for the "server_name" TLS extension.  Notably, session resumption
decision now happens after applying server configuration chosen by
SNI, useful with enabled verification of client certificates, which
brings consistency with BoringSSL behaviour.  The change supersedes
and reverts a fix made in 46b9f5d38 for TLSv1.3 resumed sessions.

In addition, since the callback is invoked prior to the protocol
version negotiation, this makes it possible to set "ssl_protocols"
on a per-virtual server basis.

To keep the $ssl_server_name variable working with TLSv1.2 resumed
sessions, as previously fixed in fd97b2a80, a limited server name
callback is preserved in order to acknowledge the extension.

Note that to allow third-party modules to properly chain the call to
ngx_ssl_client_hello_callback(), the servername callback function is
passed through exdata.





The change introduces an SNI based virtual server selection during
early ClientHello processing.  The callback is available since
OpenSSL 1.1.1; for older OpenSSL versions, the previous behaviour
is kept.

Using the ClientHello callback sets a reasonable processing order
for the "server_name" TLS extension.  Notably, session resumption
decision now happens after applying server configuration chosen by
SNI, useful with enabled verification of client certificates, which
brings consistency with BoringSSL behaviour.  The change supersedes
and reverts a fix made in 46b9f5d38 for TLSv1.3 resumed sessions.

In addition, since the callback is invoked prior to the protocol
version negotiation, this makes it possible to set "ssl_protocols"
on a per-virtual server basis.

To keep the $ssl_server_name variable working with TLSv1.2 resumed
sessions, as previously fixed in fd97b2a80, a limited server name
callback is preserved in order to acknowledge the extension.

Note that to allow third-party modules to properly chain the call to
ngx_ssl_client_hello_callback(), the servername callback function is
passed through exdata.







QUIC: fixed ssl_reject_handshake error handling.
2025-09-12T13:57:48+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-09-10T13:25:36+00:00

eb5ebbbed74c8ce72465bb079bde0ad29966d170

This was broken in 7468a10b6 (1.29.0), resulting in a missing diagnostics
and SSL error queue not cleared for SSL handshakes rejected by SNI, seen
as "ignoring stale global SSL error" alerts, for instance, when doing SSL
shutdown of a long standing connection after rejecting another one by SNI.

The fix is to move the qc->error check after c->ssl->handshake_rejected is
handled first, to make the error queue cleared.  Although not practicably
visible as needed, this is accompanied by clearing the error queue under
the qc->error case as well, to be on the safe side.

As an implementation note, due to the way of handling invalid transport
parameters for OpenSSL 3.5 and above, which leaves a passed pointer not
advanced on error, SSL_get_error() may return either SSL_ERROR_WANT_READ
or SSL_ERROR_WANT_WRITE depending on a library.  To cope with that, both
qc->error and c->ssl->handshake_rejected checks were moved out of
"sslerr != SSL_ERROR_WANT_READ".

Also, this reconstructs a missing "SSL_do_handshake() failed" diagnostics
for the qc->error case, replacing using ngx_ssl_connection_error() with
ngx_connection_error().  It is made this way to avoid logging at the crit
log level because qc->error set is expected to have an empty error queue.

Reported and tested by Vladimir Homutov.





This was broken in 7468a10b6 (1.29.0), resulting in a missing diagnostics
and SSL error queue not cleared for SSL handshakes rejected by SNI, seen
as "ignoring stale global SSL error" alerts, for instance, when doing SSL
shutdown of a long standing connection after rejecting another one by SNI.

The fix is to move the qc->error check after c->ssl->handshake_rejected is
handled first, to make the error queue cleared.  Although not practicably
visible as needed, this is accompanied by clearing the error queue under
the qc->error case as well, to be on the safe side.

As an implementation note, due to the way of handling invalid transport
parameters for OpenSSL 3.5 and above, which leaves a passed pointer not
advanced on error, SSL_get_error() may return either SSL_ERROR_WANT_READ
or SSL_ERROR_WANT_WRITE depending on a library.  To cope with that, both
qc->error and c->ssl->handshake_rejected checks were moved out of
"sslerr != SSL_ERROR_WANT_READ".

Also, this reconstructs a missing "SSL_do_handshake() failed" diagnostics
for the qc->error case, replacing using ngx_ssl_connection_error() with
ngx_connection_error().  It is made this way to avoid logging at the crit
log level because qc->error set is expected to have an empty error queue.

Reported and tested by Vladimir Homutov.







SSL: support for compressed server certificates with OpenSSL.
2025-08-03T15:15:16+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-07-09T15:02:09+00:00

251444fcf4434bfddbe3394a568c51d4f7bd857f

The ssl_certificate_compression directive allows to send compressed
server certificates.  In OpenSSL, they are pre-compressed on startup.
To simplify configuration, the SSL_OP_NO_TX_CERTIFICATE_COMPRESSION
option is automatically cleared if certificates were pre-compressed.

SSL_CTX_compress_certs() may return an error in legitimate cases,
e.g., when none of compression algorithms is available or if the
resulting compressed size is larger than the original one, thus it
is silently ignored.

Certificate compression is supported in Chrome with brotli only,
in Safari with zlib only, and in Firefox with all listed algorithms.
It is supported since Ubuntu 24.10, which has OpenSSL with enabled
zlib and zstd support.

The actual list of algorithms supported in OpenSSL depends on how
the library was configured; it can be brotli, zlib, zstd as listed
in RFC 8879.





The ssl_certificate_compression directive allows to send compressed
server certificates.  In OpenSSL, they are pre-compressed on startup.
To simplify configuration, the SSL_OP_NO_TX_CERTIFICATE_COMPRESSION
option is automatically cleared if certificates were pre-compressed.

SSL_CTX_compress_certs() may return an error in legitimate cases,
e.g., when none of compression algorithms is available or if the
resulting compressed size is larger than the original one, thus it
is silently ignored.

Certificate compression is supported in Chrome with brotli only,
in Safari with zlib only, and in Firefox with all listed algorithms.
It is supported since Ubuntu 24.10, which has OpenSSL with enabled
zlib and zstd support.

The actual list of algorithms supported in OpenSSL depends on how
the library was configured; it can be brotli, zlib, zstd as listed
in RFC 8879.