nginx.git/src, branch release-1.10.2 nginx SSL: default DH parameters compatible with OpenSSL 1.1.0. 2016-10-18T14:25:38+00:00 Maxim Dounin mdounin@mdounin.ru 2016-10-18T14:25:38+00:00 789abf2b8cfd184555a09f7001b59e82c003c43c This is a direct commit to stable as there is no corresponding code in mainline, default DH parameters were removed in 1aa9650a8154. 
This is a direct commit to stable as there is no corresponding code
in mainline, default DH parameters were removed in 1aa9650a8154.
Event pipe: do not set file's thread_handler if not needed. 2016-09-01T17:05:23+00:00 Maxim Dounin mdounin@mdounin.ru 2016-09-01T17:05:23+00:00 09453e10d03571ecb32fe8bc77d4bcc7e10fcf3a This fixes a problem with aio threads and sendfile with aio_write switched off, as observed with range requests after fc72784b1f52 (1.9.13). Potential problems with sendfile in threads were previously described in 9fd738b85fad, and this seems to be one of them. The problem occurred as file's thread_handler was set to NULL by event pipe code after a sendfile thread task was scheduled. As a result, no sendfile completion code was executed, and the same buffer was additionally sent using non-threaded sendfile. Fix is to avoid modifying file's thread_handler if aio_write is switched off. Note that with "aio_write on" it is still possible that sendfile will use thread_handler as set by event pipe. This is believed to be safe though, as handlers used are compatible. 
This fixes a problem with aio threads and sendfile with aio_write switched
off, as observed with range requests after fc72784b1f52 (1.9.13).  Potential
problems with sendfile in threads were previously described in 9fd738b85fad,
and this seems to be one of them.

The problem occurred as file's thread_handler was set to NULL by event pipe
code after a sendfile thread task was scheduled.  As a result, no sendfile
completion code was executed, and the same buffer was additionally sent
using non-threaded sendfile.  Fix is to avoid modifying file's thread_handler
if aio_write is switched off.

Note that with "aio_write on" it is still possible that sendfile will use
thread_handler as set by event pipe.  This is believed to be safe though,
as handlers used are compatible.
SSL: adopted session ticket handling for OpenSSL 1.1.0. 2016-08-22T15:53:21+00:00 Sergey Kandaurov pluknet@nginx.com 2016-08-22T15:53:21+00:00 63260a6842e1b9c4dbe28c669ff2c74a63f8df5c Return 1 in the SSL_CTX_set_tlsext_ticket_key_cb() callback function to indicate that a new session ticket is created, as per documentation. Until 1.1.0, OpenSSL didn't make a distinction between non-negative return values. See https://git.openssl.org/?p=openssl.git;a=commitdiff;h=5c753de for details. 
Return 1 in the SSL_CTX_set_tlsext_ticket_key_cb() callback function
to indicate that a new session ticket is created, as per documentation.
Until 1.1.0, OpenSSL didn't make a distinction between non-negative
return values.

See https://git.openssl.org/?p=openssl.git;a=commitdiff;h=5c753de for details.
SSL: guarded SSL_R_NO_CIPHERS_PASSED not present in OpenSSL 1.1.0. 2016-08-08T10:44:49+00:00 Sergey Kandaurov pluknet@nginx.com 2016-08-08T10:44:49+00:00 f3dfbb5d1fd00659e886a1cdb56cc07a68340e6d It was removed in OpenSSL 1.1.0 Beta 3 (pre-release 6). It was not used since OpenSSL 1.0.1n and 1.0.2b. 
It was removed in OpenSSL 1.1.0 Beta 3 (pre-release 6).  It was
not used since OpenSSL 1.0.1n and 1.0.2b.
HTTP/2: flushing of the SSL buffer in transition to the idle state. 2016-07-19T17:34:17+00:00 Valentin Bartenev vbart@nginx.com 2016-07-19T17:34:17+00:00 73d5e87a2b0dc4b8ea138fbee7917f9f1deaa0f9 It fixes potential connection leak if some unsent data was left in the SSL buffer. Particularly, that could happen when a client canceled the stream after the HEADERS frame has already been created. In this case no other frames might be produced and the HEADERS frame alone didn't flush the buffer. 
It fixes potential connection leak if some unsent data was left in the SSL
buffer.  Particularly, that could happen when a client canceled the stream
after the HEADERS frame has already been created.  In this case no other
frames might be produced and the HEADERS frame alone didn't flush the buffer.
HTTP/2: refactored ngx_http_v2_send_output_queue(). 2016-07-19T17:34:02+00:00 Valentin Bartenev vbart@nginx.com 2016-07-19T17:34:02+00:00 010321e6054fea211659e8f2b7bf7e08d2bb48bf Now it returns NGX_AGAIN if there's still data to be sent. 
Now it returns NGX_AGAIN if there's still data to be sent.
HTTP/2: fixed send timer handling. 2016-07-19T17:31:09+00:00 Valentin Bartenev vbart@nginx.com 2016-07-19T17:31:09+00:00 c64c12cae5c907ef90afffd6611cea4a752338b3 Checking for return value of c->send_chain() isn't sufficient since there are data can be left in the SSL buffer. Now the wew->ready flag is used instead. In particular, this fixed a connection leak in cases when all streams were closed, but there's still some data to be sent in the SSL buffer and the client forgot about the connection. 
Checking for return value of c->send_chain() isn't sufficient since there
are data can be left in the SSL buffer.  Now the wew->ready flag is used
instead.

In particular, this fixed a connection leak in cases when all streams were
closed, but there's still some data to be sent in the SSL buffer and the
client forgot about the connection.
HTTP/2: avoid sending output queue if there's nothing to send. 2016-07-19T17:30:21+00:00 Valentin Bartenev vbart@nginx.com 2016-07-19T17:30:21+00:00 6ebe94522a07e294121c8bbbe68e6215345aeba5 Particularly this fixes alerts on OS X and NetBSD systems when HTTP/2 is configured over plain TCP sockets. On these systems calling writev() with no data leads to EINVAL errors being logged as "writev() failed (22: Invalid argument) while processing HTTP/2 connection". 
Particularly this fixes alerts on OS X and NetBSD systems when HTTP/2 is
configured over plain TCP sockets.

On these systems calling writev() with no data leads to EINVAL errors
being logged as "writev() failed (22: Invalid argument) while processing
HTTP/2 connection".
HTTP/2: always handle streams in error state. 2016-07-19T17:22:44+00:00 Valentin Bartenev vbart@nginx.com 2016-07-19T17:22:44+00:00 b034effaf5bdc28a0fff25fd2f24eb3fb84a3b56 Previously, a stream could be closed by timeout if it was canceled while its send window was exhausted. 
Previously, a stream could be closed by timeout if it was canceled
while its send window was exhausted.
HTTP/2: prevented output of the HEADERS frame for canceled streams. 2016-07-19T17:22:44+00:00 Valentin Bartenev vbart@nginx.com 2016-07-19T17:22:44+00:00 8c1a6ae2ad4612f8e2365b0c2568223ae49dbf33 It's useless to generate HEADERS if the stream has been canceled already. 
It's useless to generate HEADERS if the stream has been canceled already.