nginx.git/src/stream, branch release-1.27.4 nginx SNI: added restriction for TLSv1.3 cross-SNI session resumption. 2025-02-05T16:11:42+00:00 Sergey Kandaurov pluknet@nginx.com 2025-01-22T14:55:44+00:00 46b9f5d389447b3b822ea71f5ac86ebc316c2975 In OpenSSL, session resumption always happens in the default SSL context, prior to invoking the SNI callback. Further, unlike in TLSv1.2 and older protocols, SSL_get_servername() returns values received in the resumption handshake, which may be different from the value in the initial handshake. Notably, this makes the restriction added in b720f650b insufficient for sessions resumed with different SNI server name. Considering the example from b720f650b, previously, a client was able to request example.org by presenting a certificate for example.org, then to resume and request example.com. The fix is to reject handshakes resumed with a different server name, if verification of client certificates is enabled in a corresponding server configuration. 
In OpenSSL, session resumption always happens in the default SSL context,
prior to invoking the SNI callback.  Further, unlike in TLSv1.2 and older
protocols, SSL_get_servername() returns values received in the resumption
handshake, which may be different from the value in the initial handshake.
Notably, this makes the restriction added in b720f650b insufficient for
sessions resumed with different SNI server name.

Considering the example from b720f650b, previously, a client was able to
request example.org by presenting a certificate for example.org, then to
resume and request example.com.

The fix is to reject handshakes resumed with a different server name, if
verification of client certificates is enabled in a corresponding server
configuration.
Upstream: caching certificates and certificate keys with variables. 2025-01-17T00:37:46+00:00 Sergey Kandaurov pluknet@nginx.com 2024-10-29T14:20:53+00:00 454ad0ef33a347eba1a62d18c8fc0498f4dcfd64 Caching is enabled with proxy_ssl_certificate_cache and friends. Co-authored-by: Aleksei Bavshin <a.bavshin@nginx.com> 
Caching is enabled with proxy_ssl_certificate_cache and friends.

Co-authored-by: Aleksei Bavshin <a.bavshin@nginx.com>
SSL: caching certificates and certificate keys with variables. 2025-01-17T00:37:46+00:00 Sergey Kandaurov pluknet@nginx.com 2024-10-29T12:25:11+00:00 0e756d67aa1e42e3b1b360936eb4d6c06bced2c1 A new directive "ssl_certificate_cache max=N [valid=time] [inactive=time]" enables caching of SSL certificate chain and secret key objects specified by "ssl_certificate" and "ssl_certificate_key" directives with variables. Co-authored-by: Aleksei Bavshin <a.bavshin@nginx.com> 
A new directive "ssl_certificate_cache max=N [valid=time] [inactive=time]"
enables caching of SSL certificate chain and secret key objects specified
by "ssl_certificate" and "ssl_certificate_key" directives with variables.

Co-authored-by: Aleksei Bavshin <a.bavshin@nginx.com>
SSL: a new macro to set default protocol versions. 2024-11-22T09:47:22+00:00 Sergey Kandaurov pluknet@nginx.com 2024-11-18T09:39:13+00:00 476d6526b2e8297025c608425f4cad07b4f65990 This simplifies merging protocol values after ea15896 and ebd18ec. Further, as outlined in ebd18ec18, for libraries preceeding TLSv1.2+ support, only meaningful versions TLSv1 and TLSv1.1 are set by default. While here, fixed indentation. 
This simplifies merging protocol values after ea15896 and ebd18ec.

Further, as outlined in ebd18ec18, for libraries preceeding TLSv1.2+
support, only meaningful versions TLSv1 and TLSv1.1 are set by default.

While here, fixed indentation.
SSL: fixed MSVC compilation after ebd18ec1812b. 2024-11-11T18:29:55+00:00 蕭澧邦 shou692199@gmail.com 2024-11-03T06:36:17+00:00 ea15896c1a5b0ce504f85c1437bae21a542cf3e6 MSVC generates a compilation error in case #if/#endif is used in a macro parameter. 
MSVC generates a compilation error in case #if/#endif is used in a macro
parameter.
Upstream: copy upstream zone DNS valid time during config reload. 2024-11-07T15:57:42+00:00 Mini Hawthorne mini@f5.com 2023-07-12T19:20:45+00:00 29aec5720fdfc74dca8d99d5cf6dc0fcb4e4ce2f Previously, all upstream DNS entries would be immediately re-resolved on config reload. With a large number of upstreams, this creates a spike of DNS resolution requests. These spikes can overwhelm the DNS server or cause drops on the network. This patch retains the TTL of previous resolutions across reloads by copying each upstream's name's expiry time across configuration cycles. As a result, no additional resolutions are needed. 
Previously, all upstream DNS entries would be immediately re-resolved
on config reload.  With a large number of upstreams, this creates
a spike of DNS resolution requests.  These spikes can overwhelm the
DNS server or cause drops on the network.

This patch retains the TTL of previous resolutions across reloads
by copying each upstream's name's expiry time across configuration
cycles.  As a result, no additional resolutions are needed.
 Upstream: per-upstream resolver. 2024-11-07T15:57:42+00:00 Vladimir Homutov vl@nginx.com 2019-10-18T13:33:15+00:00 ea4654550ab021b5576c03b708079e3ce3e5d9ed The "resolver" and "resolver_timeout" directives can now be specified directly in the "upstream" block. 
The "resolver" and "resolver_timeout" directives can now be specified
directly in the "upstream" block.
 Upstream: pre-resolve servers on reload. 2024-11-07T15:57:42+00:00 Ruslan Ermilov ru@nginx.com 2017-11-03T19:22:23+00:00 5ebe7a4122c9653ed6b06e6577fc68904ad061c4 After configuration is reloaded, it may take some time for the re-resolvable upstream servers to resolve and become available as peers. During this time, client requests might get dropped. Such servers are now pre-resolved using the "cache" of already resolved peers from the old shared memory zone. 
After configuration is reloaded, it may take some time for the
re-resolvable upstream servers to resolve and become available
as peers.  During this time, client requests might get dropped.

Such servers are now pre-resolved using the "cache" of already
resolved peers from the old shared memory zone.
 Upstream: construct upstream peers from DNS SRV records. 2024-11-07T15:57:42+00:00 Dmitry Volyntsev xeioex@nginx.com 2016-03-17T15:42:31+00:00 9fe119b431c957824d7bed75fce47dfbda74ca33 






Upstream: re-resolvable servers.
2024-11-07T15:57:42+00:00

Ruslan Ermilov
ru@nginx.com

2014-02-15T11:12:34+00:00

db6870e06dde7ab249e9a41a0e0a76219f82dd8c

Specifying the upstream server by a hostname together with the
"resolve" parameter will make the hostname to be periodically
resolved, and upstream servers added/removed as necessary.

This requires a "resolver" at the "http" configuration block.

The "resolver_timeout" parameter also affects when the failed
DNS requests will be attempted again.  Responses with NXDOMAIN
will be attempted again in 10 seconds.

Upstream has a configuration generation number that is incremented each
time servers are added/removed to the primary/backup list.  This number
is remembered by the peer.init method, and if peer.get detects a change
in configuration, it returns NGX_BUSY.

Each server has a reference counter.  It is incremented by peer.get and
decremented by peer.free.  When a server is removed, it is removed from
the list of servers and is marked as "zombie".  The memory allocated by
a zombie peer is freed only when its reference count becomes zero.

Co-authored-by: Roman Arutyunyan <arut@nginx.com>
Co-authored-by: Sergey Kandaurov <pluknet@nginx.com>
Co-authored-by: Vladimir Homutov <vl@nginx.com>




Specifying the upstream server by a hostname together with the
"resolve" parameter will make the hostname to be periodically
resolved, and upstream servers added/removed as necessary.

This requires a "resolver" at the "http" configuration block.

The "resolver_timeout" parameter also affects when the failed
DNS requests will be attempted again.  Responses with NXDOMAIN
will be attempted again in 10 seconds.

Upstream has a configuration generation number that is incremented each
time servers are added/removed to the primary/backup list.  This number
is remembered by the peer.init method, and if peer.get detects a change
in configuration, it returns NGX_BUSY.

Each server has a reference counter.  It is incremented by peer.get and
decremented by peer.free.  When a server is removed, it is removed from
the list of servers and is marked as "zombie".  The memory allocated by
a zombie peer is freed only when its reference count becomes zero.

Co-authored-by: Roman Arutyunyan <arut@nginx.com>
Co-authored-by: Sergey Kandaurov <pluknet@nginx.com>
Co-authored-by: Vladimir Homutov <vl@nginx.com>