nginx.git/src/stream, branch release-1.17.0 nginx SSL: removed OpenSSL 0.9.7 compatibility. 2016-04-11T12:46:36+00:00 Sergey Kandaurov pluknet@nginx.com 2016-04-11T12:46:36+00:00 c17bc31d41a0372002115899a2c64e89aeca7e7d 






Variables support in proxy_upload_rate and proxy_download_rate.
2019-04-24T13:38:56+00:00

Ruslan Ermilov
ru@nginx.com

2019-04-24T13:38:56+00:00

27b3d3dcca5fcc82350a823881f3d06161327b59












Added ngx_http_set_complex_value_size_slot().
2019-04-24T13:38:51+00:00

Ruslan Ermilov
ru@nginx.com

2019-04-24T13:38:51+00:00

2ace7fc3e683fcfa44ff9c355face60983db7eae

If a complex value is expected to be of type size_t, and the compiled
value is constant, the constant size_t value is remembered at compile
time.

The value is accessed through ngx_http_complex_value_size() which
either returns the remembered constant or evaluates the expression
and parses it as size_t.





If a complex value is expected to be of type size_t, and the compiled
value is constant, the constant size_t value is remembered at compile
time.

The value is accessed through ngx_http_complex_value_size() which
either returns the remembered constant or evaluates the expression
and parses it as size_t.







Multiple addresses in "listen".
2019-03-15T12:45:56+00:00

Roman Arutyunyan
arut@nginx.com

2019-03-15T12:45:56+00:00

4e17b93eb6787e99a4023f20f8c391284f86bbf3

Previously only one address was used by the listen directive handler even if
host name resolved to multiple addresses.  Now a separate listening socket is
created for each address.





Previously only one address was used by the listen directive handler even if
host name resolved to multiple addresses.  Now a separate listening socket is
created for each address.







SSL: fixed potential leak on memory allocation errors.
2019-03-03T13:48:39+00:00

Maxim Dounin
mdounin@mdounin.ru

2019-03-03T13:48:39+00:00

fe43346dc3151e80dae0acd751f0a94314dcb91c

If ngx_pool_cleanup_add() fails, we have to clean just created SSL context
manually, thus appropriate call added.

Additionally, ngx_pool_cleanup_add() moved closer to ngx_ssl_create() in
the ngx_http_ssl_module, to make sure there are no leaks due to intermediate
code.





If ngx_pool_cleanup_add() fails, we have to clean just created SSL context
manually, thus appropriate call added.

Additionally, ngx_pool_cleanup_add() moved closer to ngx_ssl_create() in
the ngx_http_ssl_module, to make sure there are no leaks due to intermediate
code.







SSL: server name callback changed to return SSL_TLSEXT_ERR_OK.
2019-03-03T13:47:44+00:00

Maxim Dounin
mdounin@mdounin.ru

2019-03-03T13:47:44+00:00

fd97b2a80f678b9bf372d9a6537e5d4db51188ae

OpenSSL 1.1.1 does not save server name to the session if server name
callback returns anything but SSL_TLSEXT_ERR_OK, thus breaking
the $ssl_server_name variable in resumed sessions.

Since $ssl_server_name can be used even if we've selected the default
server and there are no other servers, it looks like the only viable
solution is to always return SSL_TLSEXT_ERR_OK regardless of the actual
result.

To fix things in the stream module as well, added a dummy server name
callback which always returns SSL_TLSEXT_ERR_OK.





OpenSSL 1.1.1 does not save server name to the session if server name
callback returns anything but SSL_TLSEXT_ERR_OK, thus breaking
the $ssl_server_name variable in resumed sessions.

Since $ssl_server_name can be used even if we've selected the default
server and there are no other servers, it looks like the only viable
solution is to always return SSL_TLSEXT_ERR_OK regardless of the actual
result.

To fix things in the stream module as well, added a dummy server name
callback which always returns SSL_TLSEXT_ERR_OK.







SSL: fixed possible segfault with dynamic certificates.
2019-02-25T18:16:26+00:00

Maxim Dounin
mdounin@mdounin.ru

2019-02-25T18:16:26+00:00

1a30d79c429cb1d4438d592db62cbe701e3b4360

A virtual server may have no SSL context if it does not have certificates
defined, so we have to use config of the ngx_http_ssl_module from the
SSL context in the certificate callback.  To do so, it is now passed as
the argument of the callback.

The stream module doesn't really need any changes, but was modified as
well to match http code.





A virtual server may have no SSL context if it does not have certificates
defined, so we have to use config of the ngx_http_ssl_module from the
SSL context in the certificate callback.  To do so, it is now passed as
the argument of the callback.

The stream module doesn't really need any changes, but was modified as
well to match http code.







SSL: adjusted session id context with dynamic certificates.
2019-02-25T13:42:54+00:00

Maxim Dounin
mdounin@mdounin.ru

2019-02-25T13:42:54+00:00

ecfab06cb20959219c9aadc2ef59507488e4fa99

Dynamic certificates re-introduce problem with incorrect session
reuse (AKA "virtual host confusion", CVE-2014-3616), since there are
no server certificates to generate session id context from.

To prevent this, session id context is now generated from ssl_certificate
directives as specified in the configuration.  This approach prevents
incorrect session reuse in most cases, while still allowing sharing
sessions across multiple machines with ssl_session_ticket_key set as
long as configurations are identical.





Dynamic certificates re-introduce problem with incorrect session
reuse (AKA "virtual host confusion", CVE-2014-3616), since there are
no server certificates to generate session id context from.

To prevent this, session id context is now generated from ssl_certificate
directives as specified in the configuration.  This approach prevents
incorrect session reuse in most cases, while still allowing sharing
sessions across multiple machines with ssl_session_ticket_key set as
long as configurations are identical.







SSL: dynamic certificate loading in the stream module.
2019-02-25T13:42:43+00:00

Maxim Dounin
mdounin@mdounin.ru

2019-02-25T13:42:43+00:00

fbcb0c8a33c7168aad3b1474d4cd8cde3486e155












Stream: do not split datagrams when limiting proxy rate.
2018-12-27T16:37:34+00:00

Roman Arutyunyan
arut@nginx.com

2018-12-27T16:37:34+00:00

12645b46e96426719ce96426239e45cfd93ed90c

Previously, when using proxy_upload_rate and proxy_download_rate, the buffer
size for reading from a socket could be reduced as a result of rate limiting.
For connection-oriented protocols this behavior is normal since unread data will
normally be read at the next iteration.  But for datagram-oriented protocols
this is not the case, and unread part of the datagram is lost.

Now buffer size is not limited for datagrams.  Rate limiting still works in this
case by delaying the next reading event.





Previously, when using proxy_upload_rate and proxy_download_rate, the buffer
size for reading from a socket could be reduced as a result of rate limiting.
For connection-oriented protocols this behavior is normal since unread data will
normally be read at the next iteration.  But for datagram-oriented protocols
this is not the case, and unread part of the datagram is lost.

Now buffer size is not limited for datagrams.  Rate limiting still works in this
case by delaying the next reading event.