nginx.git/src/stream/ngx_stream_ssl_module.h, branch release-1.30.0 nginx Add basic ECH shared-mode via OpenSSL. 2025-12-01T12:33:40+00:00 sftcd stephen.farrell@cs.tcd.ie 2025-11-26T14:12:07+00:00 ab4f5b2d32c1f621ebdf5816a34b568015b98c63 






SSL: support for compressed server certificates with OpenSSL.
2025-08-03T15:15:16+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-07-09T15:02:09+00:00

251444fcf4434bfddbe3394a568c51d4f7bd857f

The ssl_certificate_compression directive allows to send compressed
server certificates.  In OpenSSL, they are pre-compressed on startup.
To simplify configuration, the SSL_OP_NO_TX_CERTIFICATE_COMPRESSION
option is automatically cleared if certificates were pre-compressed.

SSL_CTX_compress_certs() may return an error in legitimate cases,
e.g., when none of compression algorithms is available or if the
resulting compressed size is larger than the original one, thus it
is silently ignored.

Certificate compression is supported in Chrome with brotli only,
in Safari with zlib only, and in Firefox with all listed algorithms.
It is supported since Ubuntu 24.10, which has OpenSSL with enabled
zlib and zstd support.

The actual list of algorithms supported in OpenSSL depends on how
the library was configured; it can be brotli, zlib, zstd as listed
in RFC 8879.





The ssl_certificate_compression directive allows to send compressed
server certificates.  In OpenSSL, they are pre-compressed on startup.
To simplify configuration, the SSL_OP_NO_TX_CERTIFICATE_COMPRESSION
option is automatically cleared if certificates were pre-compressed.

SSL_CTX_compress_certs() may return an error in legitimate cases,
e.g., when none of compression algorithms is available or if the
resulting compressed size is larger than the original one, thus it
is silently ignored.

Certificate compression is supported in Chrome with brotli only,
in Safari with zlib only, and in Firefox with all listed algorithms.
It is supported since Ubuntu 24.10, which has OpenSSL with enabled
zlib and zstd support.

The actual list of algorithms supported in OpenSSL depends on how
the library was configured; it can be brotli, zlib, zstd as listed
in RFC 8879.







SSL: caching certificates and certificate keys with variables.
2025-01-17T00:37:46+00:00

Sergey Kandaurov
pluknet@nginx.com

2024-10-29T12:25:11+00:00

0e756d67aa1e42e3b1b360936eb4d6c06bced2c1

A new directive "ssl_certificate_cache max=N [valid=time] [inactive=time]"
enables caching of SSL certificate chain and secret key objects specified
by "ssl_certificate" and "ssl_certificate_key" directives with variables.

Co-authored-by: Aleksei Bavshin <a.bavshin@nginx.com>





A new directive "ssl_certificate_cache max=N [valid=time] [inactive=time]"
enables caching of SSL certificate chain and secret key objects specified
by "ssl_certificate" and "ssl_certificate_key" directives with variables.

Co-authored-by: Aleksei Bavshin <a.bavshin@nginx.com>







Stream: OCSP stapling.
2024-08-22T10:57:46+00:00

Sergey Kandaurov
pluknet@nginx.com

2024-08-22T10:57:46+00:00

fb89d50eeb19d42d83144ff76c80d20e80c41aca












Stream: client certificate validation with OCSP.
2024-08-22T10:57:45+00:00

Sergey Kandaurov
pluknet@nginx.com

2024-08-22T10:57:45+00:00

581cf22673fc63e206693294161ea32e691a432f












Stream: using ngx_stream_ssl_srv_conf_t *sscf naming convention.
2024-03-22T10:18:51+00:00

Sergey Kandaurov
pluknet@nginx.com

2024-03-22T10:18:51+00:00

e4a062b18699c18f570c736e7cbb4245b0659bb6

Originally, the stream module was developed based on the mail module,
following the existing style.  Then it was diverged to closely follow
the http module development.  This change updates style to use sscf
naming convention troughout the stream module, which matches the http
module code style.  No functional changes.





Originally, the stream module was developed based on the mail module,
following the existing style.  Then it was diverged to closely follow
the http module development.  This change updates style to use sscf
naming convention troughout the stream module, which matches the http
module code style.  No functional changes.







Stream: virtual servers.
2023-12-14T17:58:39+00:00

Roman Arutyunyan
arut@nginx.com

2023-12-14T17:58:39+00:00

d21675228a0ba8d4331e05c60660228a5d3326de

Server name is taken either from ngx_stream_ssl_module or
ngx_stream_ssl_preread_module.

The change adds "default_server" parameter to the "listen" directive,
as well as the following directives: "server_names_hash_max_size",
"server_names_hash_bucket_size", "server_name" and "ssl_reject_handshake".





Server name is taken either from ngx_stream_ssl_module or
ngx_stream_ssl_preread_module.

The change adds "default_server" parameter to the "listen" directive,
as well as the following directives: "server_names_hash_max_size",
"server_names_hash_bucket_size", "server_name" and "ssl_reject_handshake".







Stream: the "ssl_alpn" directive.
2021-10-19T09:19:59+00:00

Vladimir Homutov
vl@nginx.com

2021-10-19T09:19:59+00:00

df472eecc043700275ecae2655206163c786f758

The directive sets the server list of supported application protocols
and requires one of this protocols to be negotiated if client is using
ALPN.





The directive sets the server list of supported application protocols
and requires one of this protocols to be negotiated if client is using
ALPN.







SSL: ssl_conf_command directive.
2020-10-22T15:00:22+00:00

Maxim Dounin
mdounin@mdounin.ru

2020-10-22T15:00:22+00:00

ac9c1622822260f81edcf582887a5f0271c2c4c6

With the ssl_conf_command directive it is now possible to set
arbitrary OpenSSL configuration parameters as long as nginx is compiled
with OpenSSL 1.0.2 or later.  Full list of available configuration
commands can be found in the SSL_CONF_cmd manual page
(https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html).

In particular, this allows configuring PrioritizeChaCha option
(ticket #1445):

    ssl_conf_command Options PrioritizeChaCha;

It can be also used to configure TLSv1.3 ciphers in OpenSSL,
which fails to configure them via the SSL_CTX_set_cipher_list()
interface (ticket #1529):

    ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256;

Configuration commands are applied after nginx own configuration
for SSL, so they can be used to override anything set by nginx.
Note though that configuring OpenSSL directly with ssl_conf_command
might result in a behaviour nginx does not expect, and should be
done with care.





With the ssl_conf_command directive it is now possible to set
arbitrary OpenSSL configuration parameters as long as nginx is compiled
with OpenSSL 1.0.2 or later.  Full list of available configuration
commands can be found in the SSL_CONF_cmd manual page
(https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html).

In particular, this allows configuring PrioritizeChaCha option
(ticket #1445):

    ssl_conf_command Options PrioritizeChaCha;

It can be also used to configure TLSv1.3 ciphers in OpenSSL,
which fails to configure them via the SSL_CTX_set_cipher_list()
interface (ticket #1529):

    ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256;

Configuration commands are applied after nginx own configuration
for SSL, so they can be used to override anything set by nginx.
Note though that configuring OpenSSL directly with ssl_conf_command
might result in a behaviour nginx does not expect, and should be
done with care.







SSL: dynamic certificate loading in the stream module.
2019-02-25T13:42:43+00:00

Maxim Dounin
mdounin@mdounin.ru

2019-02-25T13:42:43+00:00

fbcb0c8a33c7168aad3b1474d4cd8cde3486e155