nginx.git/src/mail, branch release-1.28.0 nginx Mail: handling of LOGIN IMAP command untagged response. 2024-11-26T15:07:17+00:00 Sergey Kandaurov pluknet@nginx.com 2024-10-23T20:52:21+00:00 ce88b171236de50843dba2c427a8b3e42778f2ca In particular, an untagged CAPABILITY response as described in the interim RFC 3501 internet drafts was seen in various IMAP servers. Previously resulted in a broken connection, now an untagged response is proxied to client. 
In particular, an untagged CAPABILITY response as described in the
interim RFC 3501 internet drafts was seen in various IMAP servers.
Previously resulted in a broken connection, now an untagged response
is proxied to client.
SSL: a new macro to set default protocol versions. 2024-11-22T09:47:22+00:00 Sergey Kandaurov pluknet@nginx.com 2024-11-18T09:39:13+00:00 476d6526b2e8297025c608425f4cad07b4f65990 This simplifies merging protocol values after ea15896 and ebd18ec. Further, as outlined in ebd18ec18, for libraries preceeding TLSv1.2+ support, only meaningful versions TLSv1 and TLSv1.1 are set by default. While here, fixed indentation. 
This simplifies merging protocol values after ea15896 and ebd18ec.

Further, as outlined in ebd18ec18, for libraries preceeding TLSv1.2+
support, only meaningful versions TLSv1 and TLSv1.1 are set by default.

While here, fixed indentation.
SSL: fixed MSVC compilation after ebd18ec1812b. 2024-11-11T18:29:55+00:00 蕭澧邦 shou692199@gmail.com 2024-11-03T06:36:17+00:00 ea15896c1a5b0ce504f85c1437bae21a542cf3e6 MSVC generates a compilation error in case #if/#endif is used in a macro parameter. 
MSVC generates a compilation error in case #if/#endif is used in a macro
parameter.
SSL: disabled TLSv1 and TLSv1.1 by default. 2024-10-31T15:49:00+00:00 Sergey Kandaurov pluknet@nginx.com 2024-10-09T16:28:00+00:00 ebd18ec1812bd6f3de54d9f9fc81563a0ec9f264 TLSv1 and TLSv1.1 are formally deprecated and forbidden to negotiate due to insufficient security reasons outlined in RFC 8996. TLSv1 and TLSv1.1 are disabled in BoringSSL e95b0cad9 and LibreSSL 3.8.1 in the way they cannot be enabled in nginx configuration. In OpenSSL 3.0, they are only permitted at security level 0 (disabled by default). The support is dropped in Chrome 84, Firefox 78, and deprecated in Safari. This change disables TLSv1 and TLSv1.1 by default for OpenSSL 1.0.1 and newer, where TLSv1.2 support is available. For older library versions, which do not have alternatives, these protocol versions remain enabled. 
TLSv1 and TLSv1.1 are formally deprecated and forbidden to negotiate due
to insufficient security reasons outlined in RFC 8996.

TLSv1 and TLSv1.1 are disabled in BoringSSL e95b0cad9 and LibreSSL 3.8.1
in the way they cannot be enabled in nginx configuration.  In OpenSSL 3.0,
they are only permitted at security level 0 (disabled by default).

The support is dropped in Chrome 84, Firefox 78, and deprecated in Safari.

This change disables TLSv1 and TLSv1.1 by default for OpenSSL 1.0.1 and
newer, where TLSv1.2 support is available.  For older library versions,
which do not have alternatives, these protocol versions remain enabled.
SSL: optional ssl_client_certificate for ssl_verify_client. 2024-09-20T10:43:00+00:00 Sergey Kandaurov pluknet@nginx.com 2024-09-20T10:08:42+00:00 18afcda938cd2d4712d0d083b57161290a5a2d34 Starting from TLSv1.1 (as seen since draft-ietf-tls-rfc2246-bis-00), the "certificate_authorities" field grammar of the CertificateRequest message was redone to allow no distinguished names. In TLSv1.3, with the restructured CertificateRequest message, this can be similarly done by optionally including the "certificate_authorities" extension. This allows to avoid sending DNs at all. In practice, aside from published TLS specifications, all supported SSL/TLS libraries allow to request client certificates with an empty DN list for any protocol version. For instance, when operating in TLSv1, this results in sending the "certificate_authorities" list as a zero-length vector, which corresponds to the TLSv1.1 specification. Such behaviour goes back to SSLeay. The change relaxes the requirement to specify at least one trusted CA certificate in the ssl_client_certificate directive, which resulted in sending DNs of these certificates (closes #142). Instead, all trusted CA certificates can be specified now using the ssl_trusted_certificate directive if needed. A notable difference that certificates specified in ssl_trusted_certificate are always loaded remains (see 3648ba7db). Co-authored-by: Praveen Chaudhary <praveenc@nvidia.com> 
Starting from TLSv1.1 (as seen since draft-ietf-tls-rfc2246-bis-00),
the "certificate_authorities" field grammar of the CertificateRequest
message was redone to allow no distinguished names.  In TLSv1.3, with
the restructured CertificateRequest message, this can be similarly
done by optionally including the "certificate_authorities" extension.
This allows to avoid sending DNs at all.

In practice, aside from published TLS specifications, all supported
SSL/TLS libraries allow to request client certificates with an empty
DN list for any protocol version.  For instance, when operating in
TLSv1, this results in sending the "certificate_authorities" list as
a zero-length vector, which corresponds to the TLSv1.1 specification.
Such behaviour goes back to SSLeay.

The change relaxes the requirement to specify at least one trusted CA
certificate in the ssl_client_certificate directive, which resulted in
sending DNs of these certificates (closes #142).  Instead, all trusted
CA certificates can be specified now using the ssl_trusted_certificate
directive if needed.  A notable difference that certificates specified
in ssl_trusted_certificate are always loaded remains (see 3648ba7db).

Co-authored-by: Praveen Chaudhary <praveenc@nvidia.com>
Overhauled some diagnostic messages akin to 1b05b9bbcebf. 2024-03-22T10:51:14+00:00 Sergey Kandaurov pluknet@nginx.com 2024-03-22T10:51:14+00:00 ae1948aa40c48a97f2e171acb84eb04bfcbe1307 






SSL: removed the "ssl" directive.
2023-06-08T10:49:27+00:00

Roman Arutyunyan
arut@nginx.com

2023-06-08T10:49:27+00:00

d32f66f1e8dc81a0edbadbacf74191684a653d09

It has been deprecated since 7270:46c0c7ef4913 (1.15.0) in favour of
the "ssl" parameter of the "listen" directive, which has been available
since 2224:109849282793 (0.7.14).





It has been deprecated since 7270:46c0c7ef4913 (1.15.0) in favour of
the "ssl" parameter of the "listen" directive, which has been available
since 2224:109849282793 (0.7.14).







SSL: enabled TLSv1.3 by default.
2023-03-23T23:57:43+00:00

Maxim Dounin
mdounin@mdounin.ru

2023-03-23T23:57:43+00:00

7b24b93d67daa9c16d665129fd5d3e7dbc583e4f












Mail: fixed handling of blocked client read events in proxy.
2023-03-23T23:53:21+00:00

Maxim Dounin
mdounin@mdounin.ru

2023-03-23T23:53:21+00:00

2ca4355bf02ab454d6f216dab142816a626d7547

When establishing a connection to the backend, nginx blocks reading
from the client with ngx_mail_proxy_block_read().  Previously, such
events were lost, and in some cases this resulted in connection hangs.

Notably, this affected mail_imap_ssl.t on Windows, since the test
closes connections after requesting authentication, but without
waiting for any responses (so the connection close events might be
lost).

Fix is to post an event to read from the client after connecting to
the backend if there were blocked events.





When establishing a connection to the backend, nginx blocks reading
from the client with ngx_mail_proxy_block_read().  Previously, such
events were lost, and in some cases this resulted in connection hangs.

Notably, this affected mail_imap_ssl.t on Windows, since the test
closes connections after requesting authentication, but without
waiting for any responses (so the connection close events might be
lost).

Fix is to post an event to read from the client after connecting to
the backend if there were blocked events.







Fixed port ranges support in the listen directive.
2022-12-18T18:29:02+00:00

Valentin Bartenev
vbart@wbsrv.ru

2022-12-18T18:29:02+00:00

641368249c319a833a7d9c4256cd9fd1b3e29a39

Ports difference must be respected when checking addresses for duplicates,
otherwise configurations like this are broken:

  listen 127.0.0.1:6000-6005

It was broken by 4cc2bfeff46c (nginx 1.23.3).





Ports difference must be respected when checking addresses for duplicates,
otherwise configurations like this are broken:

  listen 127.0.0.1:6000-6005

It was broken by 4cc2bfeff46c (nginx 1.23.3).