nginx.git/src/stream, branch release-1.11.11 nginx Access log: removed dead ev->timedout check in flush timer handler. 2017-03-07T15:51:12+00:00 Maxim Dounin mdounin@mdounin.ru 2017-03-07T15:51:12+00:00 c1d8318d3112a2752971d76fc15d1fca8557691d The ev->timedout flag is set on first timer expiration, and never reset after it. Due to this the code to stop the timer when the timer was canceled never worked (except in a very specific time frame immediately after start), and the timer was always armed again. This essentially resulted in a buffer flush at the end of an event loop iteration. This behaviour actually seems to be better than just stopping the flush timer for the whole shutdown, so it is preserved as is instead of fixing the code to actually remove the timer. It will be further improved by upcoming changes to preserve cancelable timers if there are other timers blocking shutdown. 
The ev->timedout flag is set on first timer expiration, and never reset
after it.  Due to this the code to stop the timer when the timer was
canceled never worked (except in a very specific time frame immediately
after start), and the timer was always armed again.  This essentially
resulted in a buffer flush at the end of an event loop iteration.

This behaviour actually seems to be better than just stopping the flush
timer for the whole shutdown, so it is preserved as is instead of fixing
the code to actually remove the timer.  It will be further improved by
upcoming changes to preserve cancelable timers if there are other timers
blocking shutdown.
Variables: generic prefix variables. 2017-01-31T18:19:58+00:00 Dmitry Volyntsev xeioex@nginx.com 2017-01-31T18:19:58+00:00 897eaa9215a8f5832fb7bffe5016a22562b90d0a 






Stream: client SSL certificates were not checked in some cases.
2017-01-19T13:20:07+00:00

Vladimir Homutov
vl@nginx.com

2017-01-19T13:20:07+00:00

620c9a4c44087069c0a50be96748b98be7d497a8

If ngx_stream_ssl_init_connection() succeeded immediately, the check was not
done.

The bug had appeared in 1.11.8 (41cb1b64561d).





If ngx_stream_ssl_init_connection() succeeded immediately, the check was not
done.

The bug had appeared in 1.11.8 (41cb1b64561d).







Stream: fixed handling of non-ssl sessions.
2017-01-19T13:17:05+00:00

Vladimir Homutov
vl@nginx.com

2017-01-19T13:17:05+00:00

0ccbe0abe4fc1313689576b21b8649e4ebe524ee

A missing check could cause ngx_stream_ssl_handler() to be applied
to a non-ssl session, which resulted in a null pointer dereference
if ssl_verify_client is enabled.

The bug had appeared in 1.11.8 (41cb1b64561d).





A missing check could cause ngx_stream_ssl_handler() to be applied
to a non-ssl session, which resulted in a null pointer dereference
if ssl_verify_client is enabled.

The bug had appeared in 1.11.8 (41cb1b64561d).







Stream: avoid infinite loop in case of socket read error.
2017-01-11T09:01:56+00:00

Vladimir Homutov
vl@nginx.com

2017-01-11T09:01:56+00:00

b580770f3afaeec48a15cb8c9d2f9cf72b14e4da












Stream: speed up TCP peer recovery.
2016-12-26T11:27:05+00:00

Roman Arutyunyan
arut@nginx.com

2016-12-26T11:27:05+00:00

6dae95a7d499c836f72a585961cb80166ed5fde7

Previously, an unavailable peer was considered recovered after a successful
proxy session to this peer.  Until then, only a single client connection per
fail_timeout was allowed to be proxied to the peer.

Since stream sessions can be long, it may take indefinite time for a peer to
recover, limiting the ability of the peer to receive new connections.

Now, a peer is considered recovered after a successful TCP connection is
established to it.  Balancers are notified of this event via the notify()
callback.





Previously, an unavailable peer was considered recovered after a successful
proxy session to this peer.  Until then, only a single client connection per
fail_timeout was allowed to be proxied to the peer.

Since stream sessions can be long, it may take indefinite time for a peer to
recover, limiting the ability of the peer to receive new connections.

Now, a peer is considered recovered after a successful TCP connection is
established to it.  Balancers are notified of this event via the notify()
callback.







Limited recursion when evaluating variables.
2016-12-21T19:01:24+00:00

Ruslan Ermilov
ru@nginx.com

2016-12-21T19:01:24+00:00

d1f524d0b3e013f23bb9456aa4f2c35916934c27

Unlimited recursion might cause stack exhaustion in some misconfigurations.





Unlimited recursion might cause stack exhaustion in some misconfigurations.







Stream: client SSL certificates verification support.
2016-12-20T09:05:14+00:00

Vladimir Homutov
vl@nginx.com

2016-12-20T09:05:14+00:00

7fab8d046ee170031ad61d4131403e3d5540e98e

New directives: "ssl_verify_client", "ssl_verify_depth",
"ssl_client_certificate", "ssl_trusted_certificate", and
"ssl_crl".

New variables: $ssl_client_cert, $ssl_client_raw_cert,
$ssl_client_s_dn, $ssl_client_i_dn, $ssl_client_serial,
$ssl_client_fingerprint, $ssl_client_verify, $ssl_client_v_start,
$ssl_client_v_end, and $ssl_client_v_remain.





New directives: "ssl_verify_client", "ssl_verify_depth",
"ssl_client_certificate", "ssl_trusted_certificate", and
"ssl_crl".

New variables: $ssl_client_cert, $ssl_client_raw_cert,
$ssl_client_s_dn, $ssl_client_i_dn, $ssl_client_serial,
$ssl_client_fingerprint, $ssl_client_verify, $ssl_client_v_start,
$ssl_client_v_end, and $ssl_client_v_remain.







Stream ssl_preread: relaxed SSL version check.
2016-12-19T11:02:39+00:00

Roman Arutyunyan
arut@nginx.com

2016-12-19T11:02:39+00:00

393636d79c836e360b14ca99f76996935ee02236

SSL version 3.0 can be specified by the client at the record level for
compatibility reasons.  Previously, ssl_preread module rejected such
connections, presuming they don't have SNI.  Now SSL 3.0 is allowed at
the record level.





SSL version 3.0 can be specified by the client at the record level for
compatibility reasons.  Previously, ssl_preread module rejected such
connections, presuming they don't have SNI.  Now SSL 3.0 is allowed at
the record level.







Access log: support for json escaping.
2016-12-15T13:25:42+00:00

Valentin Bartenev
vbart@nginx.com

2016-12-15T13:25:42+00:00

c40d8ddc5d907ebd90f85cf362f501d2cf3e05a2