nginx.git/src/event, branch release-1.29.4 nginx QUIC: fixed possible segfault on handshake failures. 2025-12-09T17:25:10+00:00 Jan Svojanovsky jan.svojanovsky@cdn77.com 2025-12-09T11:27:02+00:00 66fde99b1d9113128778125c2f942f1d0f016be5 When using OpenSSL 3.5, the crypto_release_rcd QUIC callback can be called late, after the QUIC connection was already closed on handshake failure, resulting in a segmentation fault. For instance, it happened if a client Finished message didn't align with a record boundary. 
When using OpenSSL 3.5, the crypto_release_rcd QUIC callback can be
called late, after the QUIC connection was already closed on handshake
failure, resulting in a segmentation fault.  For instance, it happened
if a client Finished message didn't align with a record boundary.
SSL: avoid warning when ECH is not configured and not supported. 2025-12-04T17:09:32+00:00 QirunGao 65393158+QirunGao@users.noreply.github.com 2025-12-02T22:32:47+00:00 0427f5335f7abfbb733a72d6bf3561508f5d8a88 






Add basic ECH shared-mode via OpenSSL.
2025-12-01T12:33:40+00:00

sftcd
stephen.farrell@cs.tcd.ie

2025-11-26T14:12:07+00:00

ab4f5b2d32c1f621ebdf5816a34b568015b98c63












SSL: fixed build with BoringSSL, broken by 38a701d88.
2025-11-10T19:27:53+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-11-10T17:36:40+00:00

9d04b6630aa77de45d8946f84edfc6c174f15c70












SSL: ngx_ssl_set_client_hello_callback() error handling.
2025-11-10T16:01:28+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-11-06T13:30:41+00:00

38a701d88b14f0747003c4e893d9fb13f51639ca

The function interface is changed to follow a common approach
to other functions used to setup SSL_CTX, with an exception of
"ngx_conf_t *cf" since it is not bound to nginx configuration.

This is required to report and propagate SSL_CTX_set_ex_data()
errors, as reminded by Coverity (CID 1668589).





The function interface is changed to follow a common approach
to other functions used to setup SSL_CTX, with an exception of
"ngx_conf_t *cf" since it is not bound to nginx configuration.

This is required to report and propagate SSL_CTX_set_ex_data()
errors, as reminded by Coverity (CID 1668589).







SSL: $ssl_sigalg, $ssl_client_sigalg.
2025-10-24T14:22:32+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-10-17T16:38:17+00:00

71f8eb52b7746d6d8ddeb6efab5fc115c187be31

Variables contain the IANA name of the signature scheme[1] used to sign
the TLS handshake.

Variables are only meaningful when using OpenSSL 3.5 and above, with older
versions they are empty.  Moreover, since this data isn't stored in a
serialized session, variables are only available for new sessions.

[1] https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml

Requested by willmafh.





Variables contain the IANA name of the signature scheme[1] used to sign
the TLS handshake.

Variables are only meaningful when using OpenSSL 3.5 and above, with older
versions they are empty.  Moreover, since this data isn't stored in a
serialized session, variables are only available for new sessions.

[1] https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml

Requested by willmafh.







SSL: support for compressed server certificates with BoringSSL.
2025-10-08T15:56:41+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-07-15T18:22:53+00:00

78d1ab5a2c00839a36ff6bac661d9785fce3c1a4

BoringSSL/AWS-LC provide two callbacks for each compression algorithm,
which may be used to compress and decompress certificates in runtime.
This change implements compression support with zlib, as enabled with
the ssl_certificate_compression directive.  Compressed certificates
are stored in certificate exdata and reused in subsequent connections.

Notably, AWS-LC saves an X509 pointer in SSL connection, which allows
to use it from SSL_get_certificate() for caching purpose.  In contrast,
BoringSSL reconstructs X509 on-the-fly, though given that it doesn't
support multiple certificates, always replacing previously configured
certificates, we use the last configured one from ssl->certs, instead.





BoringSSL/AWS-LC provide two callbacks for each compression algorithm,
which may be used to compress and decompress certificates in runtime.
This change implements compression support with zlib, as enabled with
the ssl_certificate_compression directive.  Compressed certificates
are stored in certificate exdata and reused in subsequent connections.

Notably, AWS-LC saves an X509 pointer in SSL connection, which allows
to use it from SSL_get_certificate() for caching purpose.  In contrast,
BoringSSL reconstructs X509 on-the-fly, though given that it doesn't
support multiple certificates, always replacing previously configured
certificates, we use the last configured one from ssl->certs, instead.







SSL: fixed "key values mismatch" with object cache inheritance.
2025-10-06T08:56:42+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-05-29T13:49:48+00:00

a144d828cb70f788e2f8b06e820af95ae2e28f75

In rare cases, it was possible to get into this error state on reload
with improperly updated file timestamps for certificate and key pairs.

The fix is to retry on X509_R_KEY_VALUES_MISMATCH, similar to 5d5d9adcc.
Additionally, loading SSL certificate is updated to avoid certificates
discarded on retry to appear in ssl->certs and in extra chain.





In rare cases, it was possible to get into this error state on reload
with improperly updated file timestamps for certificate and key pairs.

The fix is to retry on X509_R_KEY_VALUES_MISMATCH, similar to 5d5d9adcc.
Additionally, loading SSL certificate is updated to avoid certificates
discarded on retry to appear in ssl->certs and in extra chain.







SSL: AWS-LC compatibility.
2025-09-25T15:28:36+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-07-30T12:26:21+00:00

93ff1ee12cd33ea978fbc331988ce265b14fbdab












QUIC: a new macro to differentiate BoringSSL specific EVP API.
2025-09-25T15:28:36+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-07-30T12:23:43+00:00

af436c58ca388b9926b17f8c3929ae2b343e4019