nginx.git/src/mail, branch release-1.17.0 nginx Multiple addresses in "listen". 2019-03-15T12:45:56+00:00 Roman Arutyunyan arut@nginx.com 2019-03-15T12:45:56+00:00 4e17b93eb6787e99a4023f20f8c391284f86bbf3 Previously only one address was used by the listen directive handler even if host name resolved to multiple addresses. Now a separate listening socket is created for each address. 
Previously only one address was used by the listen directive handler even if
host name resolved to multiple addresses.  Now a separate listening socket is
created for each address.
SSL: fixed potential leak on memory allocation errors. 2019-03-03T13:48:39+00:00 Maxim Dounin mdounin@mdounin.ru 2019-03-03T13:48:39+00:00 fe43346dc3151e80dae0acd751f0a94314dcb91c If ngx_pool_cleanup_add() fails, we have to clean just created SSL context manually, thus appropriate call added. Additionally, ngx_pool_cleanup_add() moved closer to ngx_ssl_create() in the ngx_http_ssl_module, to make sure there are no leaks due to intermediate code. 
If ngx_pool_cleanup_add() fails, we have to clean just created SSL context
manually, thus appropriate call added.

Additionally, ngx_pool_cleanup_add() moved closer to ngx_ssl_create() in
the ngx_http_ssl_module, to make sure there are no leaks due to intermediate
code.
SSL: adjusted session id context with dynamic certificates. 2019-02-25T13:42:54+00:00 Maxim Dounin mdounin@mdounin.ru 2019-02-25T13:42:54+00:00 ecfab06cb20959219c9aadc2ef59507488e4fa99 Dynamic certificates re-introduce problem with incorrect session reuse (AKA "virtual host confusion", CVE-2014-3616), since there are no server certificates to generate session id context from. To prevent this, session id context is now generated from ssl_certificate directives as specified in the configuration. This approach prevents incorrect session reuse in most cases, while still allowing sharing sessions across multiple machines with ssl_session_ticket_key set as long as configurations are identical. 
Dynamic certificates re-introduce problem with incorrect session
reuse (AKA "virtual host confusion", CVE-2014-3616), since there are
no server certificates to generate session id context from.

To prevent this, session id context is now generated from ssl_certificate
directives as specified in the configuration.  This approach prevents
incorrect session reuse in most cases, while still allowing sharing
sessions across multiple machines with ssl_session_ticket_key set as
long as configurations are identical.
SSL: deprecated the "ssl" directive. 2018-04-25T11:57:24+00:00 Ruslan Ermilov ru@nginx.com 2018-04-25T11:57:24+00:00 658a84f4252b65ef060b1d33b2ff0e749902978b 






SSL: detect "listen ... ssl" without certificates (ticket #178).
2018-04-24T12:29:01+00:00

Maxim Dounin
mdounin@mdounin.ru

2018-04-24T12:29:01+00:00

76be1ea9de13c5e8bb0d9523c6a2ad4009a5d7cf

In mail and stream modules, no certificate provided is a fatal condition,
much like with the "ssl" and "starttls" directives.

In http, "listen ... ssl" can be used in a non-default server without
certificates as long as there is a certificate in the default one, so
missing certificate is only fatal for default servers.





In mail and stream modules, no certificate provided is a fatal condition,
much like with the "ssl" and "starttls" directives.

In http, "listen ... ssl" can be used in a non-default server without
certificates as long as there is a certificate in the default one, so
missing certificate is only fatal for default servers.







Mail: fixed error message about missing ssl_certificate_key.
2018-04-24T12:28:58+00:00

Maxim Dounin
mdounin@mdounin.ru

2018-04-24T12:28:58+00:00

5d3a854ebd4f59854ade798b94070ff1ee3eddcf

In 51e1f047d15d, the "ssl" directive name was incorrectly hardcoded
in the error message shown when there are some SSL keys defined, but
not for all certificates.  Right approach is to use the "mode" variable,
which can be either "ssl" or "starttls".





In 51e1f047d15d, the "ssl" directive name was incorrectly hardcoded
in the error message shown when there are some SSL keys defined, but
not for all certificates.  Right approach is to use the "mode" variable,
which can be either "ssl" or "starttls".







SSL: using default server context in session remove (closes #1464).
2018-01-30T14:46:31+00:00

Sergey Kandaurov
pluknet@nginx.com

2018-01-30T14:46:31+00:00

57dde2ab37708423d97333be19830437732b3f4f

This fixes segfault in configurations with multiple virtual servers sharing
the same port, where a non-default virtual server block misses certificate.





This fixes segfault in configurations with multiple virtual servers sharing
the same port, where a non-default virtual server block misses certificate.







Fixed worker_shutdown_timeout in various cases.
2017-11-20T13:31:07+00:00

Maxim Dounin
mdounin@mdounin.ru

2017-11-20T13:31:07+00:00

b32cb6b61079d2eff69c89e0e718a79258507717

The ngx_http_upstream_process_upgraded() did not handle c->close request,
and upgraded connections do not use the write filter.  As a result,
worker_shutdown_timeout did not affect upgraded connections (ticket #1419).
Fix is to handle c->close in the ngx_http_request_handler() function, thus
covering most of the possible cases in http handling.

Additionally, mail proxying did not handle neither c->close nor c->error,
and thus worker_shutdown_timeout did not work for mail connections.  Fix is
to add c->close handling to ngx_mail_proxy_handler().

Also, added explicit handling of c->close to stream proxy,
ngx_stream_proxy_process_connection().  This improves worker_shutdown_timeout
handling in stream, it will no longer wait for some data being transferred
in a connection before closing it, and will also provide appropriate
logging at the "info" level.





The ngx_http_upstream_process_upgraded() did not handle c->close request,
and upgraded connections do not use the write filter.  As a result,
worker_shutdown_timeout did not affect upgraded connections (ticket #1419).
Fix is to handle c->close in the ngx_http_request_handler() function, thus
covering most of the possible cases in http handling.

Additionally, mail proxying did not handle neither c->close nor c->error,
and thus worker_shutdown_timeout did not work for mail connections.  Fix is
to add c->close handling to ngx_mail_proxy_handler().

Also, added explicit handling of c->close to stream proxy,
ngx_stream_proxy_process_connection().  This improves worker_shutdown_timeout
handling in stream, it will no longer wait for some data being transferred
in a connection before closing it, and will also provide appropriate
logging at the "info" level.







Style: changed checks of ngx_ssl_create_connection() to != NGX_OK.
2017-05-29T13:34:35+00:00

Maxim Dounin
mdounin@mdounin.ru

2017-05-29T13:34:35+00:00

0514e14a8bbd8e5977712c892b53aa471a91fcb5

In http these checks were changed in a6d6d762c554, though mail module
was missed at that time.  Since then, the stream module was introduced
based on mail, using "== NGX_ERROR" check.





In http these checks were changed in a6d6d762c554, though mail module
was missed at that time.  Since then, the stream module was introduced
based on mail, using "== NGX_ERROR" check.







SSL: added support for TLSv1.3 in ssl_protocols directive.
2017-04-18T12:12:38+00:00

Sergey Kandaurov
pluknet@nginx.com

2017-04-18T12:12:38+00:00

9a37eb3a62130473596e0e4c2e388d80bdb14956

Support for the TLSv1.3 protocol will be introduced in OpenSSL 1.1.1.





Support for the TLSv1.3 protocol will be introduced in OpenSSL 1.1.1.