nginx.git/src/stream, branch release-1.29.7 nginx Stream: fixed client certificate validation with OCSP. 2026-03-24T15:28:20+00:00 Sergey Kandaurov pluknet@nginx.com 2026-03-17T15:20:03+00:00 18711f7754401dd4ce26faa721e0f0bce41d4c1e Check for OCSP status was missed in 581cf2267, resulting in a broken validation. Reported by Mufeed VH of Winfunc Research. 
Check for OCSP status was missed in 581cf2267, resulting
in a broken validation.

Reported by Mufeed VH of Winfunc Research.
The "multipath" parameter of the "listen" directive. 2026-03-18T21:13:51+00:00 Sergey Kandaurov pluknet@nginx.com 2025-10-16T15:22:56+00:00 920dc099c130e0ea23eb36becd157a95901aa5a2 When configured, it enables Multipath TCP support on a listen socket. As of now it works on Linux starting with Linux 5.6 and glibc 2.32, where it is enabled with an IPPROTO_MPTCP socket(2) protocol. To avoid EADDRINUSE errors in bind() and listen() when transitioning between sockets with different protocols, SO_REUSEPORT is set on both sockets. See f7f1607bf for potential implications. Based on previous work by Maxime Dourov and Anthony Doeraene. 
When configured, it enables Multipath TCP support on a listen socket.
As of now it works on Linux starting with Linux 5.6 and glibc 2.32,
where it is enabled with an IPPROTO_MPTCP socket(2) protocol.

To avoid EADDRINUSE errors in bind() and listen() when transitioning
between sockets with different protocols, SO_REUSEPORT is set on both
sockets.  See f7f1607bf for potential implications.

Based on previous work by Maxime Dourov and Anthony Doeraene.
Upstream: introduced a new macro for down value. 2026-03-09T17:08:30+00:00 Aleksei Bavshin a.bavshin@nginx.com 2026-03-04T19:35:41+00:00 c5036ad30cfafb233494fa81c0b328aac3eb0e9b 






Add basic ECH shared-mode via OpenSSL.
2025-12-01T12:33:40+00:00

sftcd
stephen.farrell@cs.tcd.ie

2025-11-26T14:12:07+00:00

ab4f5b2d32c1f621ebdf5816a34b568015b98c63












Improved host header validation.
2025-11-26T15:51:40+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-11-04T12:34:32+00:00

511abb19e1e1b127f6d0943ccac346211a490a35

Validation is rewritten to follow RFC 3986 host syntax, based on
ngx_http_parse_request_line().  The following is now rejected:
- the rest of gen-delims "#", "?", "@", "[", "]"
- other unwise delims <">, "<", ">", "\", "^", "`', "{", "|", "}"
- IP literals with a trailing dot, missing closing bracket, or pct-encoded
- a port subcomponent with invalid values
- characters in upper half





Validation is rewritten to follow RFC 3986 host syntax, based on
ngx_http_parse_request_line().  The following is now rejected:
- the rest of gen-delims "#", "?", "@", "[", "]"
- other unwise delims <">, "<", ">", "\", "^", "`', "{", "|", "}"
- IP literals with a trailing dot, missing closing bracket, or pct-encoded
- a port subcomponent with invalid values
- characters in upper half







SSL: ngx_ssl_set_client_hello_callback() error handling.
2025-11-10T16:01:28+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-11-06T13:30:41+00:00

38a701d88b14f0747003c4e893d9fb13f51639ca

The function interface is changed to follow a common approach
to other functions used to setup SSL_CTX, with an exception of
"ngx_conf_t *cf" since it is not bound to nginx configuration.

This is required to report and propagate SSL_CTX_set_ex_data()
errors, as reminded by Coverity (CID 1668589).





The function interface is changed to follow a common approach
to other functions used to setup SSL_CTX, with an exception of
"ngx_conf_t *cf" since it is not bound to nginx configuration.

This is required to report and propagate SSL_CTX_set_ex_data()
errors, as reminded by Coverity (CID 1668589).







OCSP: fixed invalid type for the 'ssl_ocsp' directive.
2025-10-27T11:05:36+00:00

Roman Semenov
r.semenov@f5.com

2025-10-22T18:24:27+00:00

ce30a1cb0ddce88027e760dc91145af6c6e8eef1












Geo: the "volatile" parameter.
2025-10-24T22:06:54+00:00

Dmitry Plotnikov
d.plotnikov@f5.com

2025-10-21T19:48:36+00:00

ac72ca60c773a9ab6f3c6344ac1f2c03ca2b3201

Similar to map's volatile parameter, creates a non-cacheable geo variable.





Similar to map's volatile parameter, creates a non-cacheable geo variable.







SSL: $ssl_sigalg, $ssl_client_sigalg.
2025-10-24T14:22:32+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-10-17T16:38:17+00:00

71f8eb52b7746d6d8ddeb6efab5fc115c187be31

Variables contain the IANA name of the signature scheme[1] used to sign
the TLS handshake.

Variables are only meaningful when using OpenSSL 3.5 and above, with older
versions they are empty.  Moreover, since this data isn't stored in a
serialized session, variables are only available for new sessions.

[1] https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml

Requested by willmafh.





Variables contain the IANA name of the signature scheme[1] used to sign
the TLS handshake.

Variables are only meaningful when using OpenSSL 3.5 and above, with older
versions they are empty.  Moreover, since this data isn't stored in a
serialized session, variables are only available for new sessions.

[1] https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml

Requested by willmafh.







Upstream: reset local address in case of error.
2025-10-24T13:49:04+00:00

Roman Arutyunyan
arut@nginx.com

2025-10-23T14:21:57+00:00

364a94ecec13037126f28f91cf8f290979ffc229

After f10bc5a763bb the address was set to NULL only when local address was
not specified at all.  In case complex value evaluated to an empty or
invalid string, local address remained unchanged.  Currenrly this is not
a problem since the value is only set once.  This change is a preparation
for being able to change the local address after initial setting.





After f10bc5a763bb the address was set to NULL only when local address was
not specified at all.  In case complex value evaluated to an empty or
invalid string, local address remained unchanged.  Currenrly this is not
a problem since the value is only set once.  This change is a preparation
for being able to change the local address after initial setting.