nginx.git/src/mail, branch release-1.25.1 nginx SSL: removed the "ssl" directive. 2023-06-08T10:49:27+00:00 Roman Arutyunyan arut@nginx.com 2023-06-08T10:49:27+00:00 d32f66f1e8dc81a0edbadbacf74191684a653d09 It has been deprecated since 7270:46c0c7ef4913 (1.15.0) in favour of the "ssl" parameter of the "listen" directive, which has been available since 2224:109849282793 (0.7.14). 
It has been deprecated since 7270:46c0c7ef4913 (1.15.0) in favour of
the "ssl" parameter of the "listen" directive, which has been available
since 2224:109849282793 (0.7.14).
SSL: enabled TLSv1.3 by default. 2023-03-23T23:57:43+00:00 Maxim Dounin mdounin@mdounin.ru 2023-03-23T23:57:43+00:00 7b24b93d67daa9c16d665129fd5d3e7dbc583e4f 






Mail: fixed handling of blocked client read events in proxy.
2023-03-23T23:53:21+00:00

Maxim Dounin
mdounin@mdounin.ru

2023-03-23T23:53:21+00:00

2ca4355bf02ab454d6f216dab142816a626d7547

When establishing a connection to the backend, nginx blocks reading
from the client with ngx_mail_proxy_block_read().  Previously, such
events were lost, and in some cases this resulted in connection hangs.

Notably, this affected mail_imap_ssl.t on Windows, since the test
closes connections after requesting authentication, but without
waiting for any responses (so the connection close events might be
lost).

Fix is to post an event to read from the client after connecting to
the backend if there were blocked events.





When establishing a connection to the backend, nginx blocks reading
from the client with ngx_mail_proxy_block_read().  Previously, such
events were lost, and in some cases this resulted in connection hangs.

Notably, this affected mail_imap_ssl.t on Windows, since the test
closes connections after requesting authentication, but without
waiting for any responses (so the connection close events might be
lost).

Fix is to post an event to read from the client after connecting to
the backend if there were blocked events.







Fixed port ranges support in the listen directive.
2022-12-18T18:29:02+00:00

Valentin Bartenev
vbart@wbsrv.ru

2022-12-18T18:29:02+00:00

641368249c319a833a7d9c4256cd9fd1b3e29a39

Ports difference must be respected when checking addresses for duplicates,
otherwise configurations like this are broken:

  listen 127.0.0.1:6000-6005

It was broken by 4cc2bfeff46c (nginx 1.23.3).





Ports difference must be respected when checking addresses for duplicates,
otherwise configurations like this are broken:

  listen 127.0.0.1:6000-6005

It was broken by 4cc2bfeff46c (nginx 1.23.3).







Filtering duplicate addresses in listen (ticket #2400).
2022-11-23T14:30:08+00:00

Maxim Dounin
mdounin@mdounin.ru

2022-11-23T14:30:08+00:00

22223c75c9715e568f5710a8eed1fee9e7c2983f

Due to the glibc bug[1], getaddrinfo("localhost") with AI_ADDRCONFIG
on a typical host with glibc and without IPv6 returns two 127.0.0.1
addresses, and therefore "listen localhost:80;" used to result in
"duplicate ... address and port pair" after 4f9b72a229c1.

Fix is to explicitly filter out duplicate addresses returned during
resolution of a name.

[1] https://sourceware.org/bugzilla/show_bug.cgi?id=14969





Due to the glibc bug[1], getaddrinfo("localhost") with AI_ADDRCONFIG
on a typical host with glibc and without IPv6 returns two 127.0.0.1
addresses, and therefore "listen localhost:80;" used to result in
"duplicate ... address and port pair" after 4f9b72a229c1.

Fix is to explicitly filter out duplicate addresses returned during
resolution of a name.

[1] https://sourceware.org/bugzilla/show_bug.cgi?id=14969







Increased maximum read PROXY protocol header size.
2022-11-02T09:46:16+00:00

Roman Arutyunyan
arut@nginx.com

2022-11-02T09:46:16+00:00

7600ca028644d3ecc7e62499d71bbe21fe3bda0d

Maximum size for reading the PROXY protocol header is increased to 4096 to
accommodate a bigger number of TLVs, which are supported since cca4c8a715de.

Maximum size for writing the PROXY protocol header is not changed since only
version 1 is currently supported.





Maximum size for reading the PROXY protocol header is increased to 4096 to
accommodate a bigger number of TLVs, which are supported since cca4c8a715de.

Maximum size for writing the PROXY protocol header is not changed since only
version 1 is currently supported.







SSL: improved validation of ssl_session_cache and ssl_ocsp_cache.
2022-10-17T12:24:53+00:00

Sergey Kandaurov
pluknet@nginx.com

2022-10-17T12:24:53+00:00

35fce42269bf1c84eadef6660021cefa08a960d7

Now it properly detects invalid shared zone configuration with omitted size.
Previously it used to read outside of the buffer boundary.

Found with AddressSanitizer.





Now it properly detects invalid shared zone configuration with omitted size.
Previously it used to read outside of the buffer boundary.

Found with AddressSanitizer.







Mail: connections with wrong ALPN protocols are now rejected.
2021-10-20T06:45:34+00:00

Vladimir Homutov
vl@nginx.com

2021-10-20T06:45:34+00:00

1fecec0cbf1554c0473d5cca0fb55f8dc006e4ba

This is a recommended behavior by RFC 7301 and is useful
for mitigation of protocol confusion attacks [1].

For POP3 and IMAP protocols IANA-assigned ALPN IDs are used [2].
For the SMTP protocol "smtp" is used.

[1] https://alpaca-attack.com/
[2] https://www.iana.org/assignments/tls-extensiontype-values/





This is a recommended behavior by RFC 7301 and is useful
for mitigation of protocol confusion attacks [1].

For POP3 and IMAP protocols IANA-assigned ALPN IDs are used [2].
For the SMTP protocol "smtp" is used.

[1] https://alpaca-attack.com/
[2] https://www.iana.org/assignments/tls-extensiontype-values/







Mail: Auth-SSL-Protocol and Auth-SSL-Cipher headers (ticket #2134).
2021-08-13T07:57:47+00:00

Rob Mueller
robm@fastmail.fm

2021-08-13T07:57:47+00:00

d4dad02e5ecd523f896a87a08a6582853d83a14d

This adds new Auth-SSL-Protocol and Auth-SSL-Cipher headers to
the mail proxy auth protocol when SSL is enabled.

This can be useful for detecting users using older clients that
negotiate old ciphers when you want to upgrade to newer
TLS versions of remove suppport for old and insecure ciphers.
You can use your auth backend to notify these users before the
upgrade that they either need to upgrade their client software
or contact your support team to work out an upgrade path.





This adds new Auth-SSL-Protocol and Auth-SSL-Cipher headers to
the mail proxy auth protocol when SSL is enabled.

This can be useful for detecting users using older clients that
negotiate old ciphers when you want to upgrade to newer
TLS versions of remove suppport for old and insecure ciphers.
You can use your auth backend to notify these users before the
upgrade that they either need to upgrade their client software
or contact your support team to work out an upgrade path.







SSL: ciphers now set before loading certificates (ticket #2035).
2021-08-16T19:40:31+00:00

Maxim Dounin
mdounin@mdounin.ru

2021-08-16T19:40:31+00:00

ce5996cdd1b2e150f645efbc337e5a681dbe241c

To load old/weak server or client certificates it might be needed to adjust
the security level, as introduced in OpenSSL 1.1.0.  This change ensures that
ciphers are set before loading the certificates, so security level changes
via the cipher string apply to certificate loading.





To load old/weak server or client certificates it might be needed to adjust
the security level, as introduced in OpenSSL 1.1.0.  This change ensures that
ciphers are set before loading the certificates, so security level changes
via the cipher string apply to certificate loading.