nginx.git/src, branch release-1.15.11 nginx OCSP stapling: open ssl_stapling_file in binary-mode. 2019-04-03T12:35:39+00:00 Sergey Kandaurov pluknet@nginx.com 2019-04-03T12:35:39+00:00 db5c30728004045d0830922dd8ffeec030a6d726 OCSP response uses the DER format and as such needs to be opened in binary-mode. This only has any effect under Win32. 
OCSP response uses the DER format and as such needs to be opened in binary-mode.
This only has any effect under Win32.
SSL: missing free calls in $ssl_client_s_dn and $ssl_client_i_dn. 2019-03-26T06:33:57+00:00 Nikolay Morozov n.morozov@securitycode.ru 2019-03-26T06:33:57+00:00 52d9da8790a272a43ac1907c8ba55063bd9a38fe If X509_get_issuer_name() or X509_get_subject_name() returned NULL, this could lead to a certificate reference leak. It cannot happen in practice though, since each function returns an internal pointer to a mandatory subfield of the certificate successfully decoded by d2i_X509() during certificate message processing (closes #1751). 
If X509_get_issuer_name() or X509_get_subject_name() returned NULL,
this could lead to a certificate reference leak.  It cannot happen
in practice though, since each function returns an internal pointer
to a mandatory subfield of the certificate successfully decoded by
d2i_X509() during certificate message processing (closes #1751).
Version bump. 2019-03-26T15:25:08+00:00 Sergey Kandaurov pluknet@nginx.com 2019-03-26T15:25:08+00:00 1c906828aee64d8ac7eb4df57f9134e27e709a3d 






Listen port ranges.
2019-03-06T17:46:09+00:00

Roman Arutyunyan
arut@nginx.com

2019-03-06T17:46:09+00:00

912fb44e25c6ab2598e36b4544c709b871251b2e

A range is specified with a dash.  For each port in a range a separate listen
socket is created.

Examples:

    listen 8080-9000;
    listen example.com:80-88;





A range is specified with a dash.  For each port in a range a separate listen
socket is created.

Examples:

    listen 8080-9000;
    listen example.com:80-88;







Removed sorting of getaddrinfo() results.
2019-03-20T17:31:59+00:00

Roman Arutyunyan
arut@nginx.com

2019-03-20T17:31:59+00:00

b92e8ffa130366b0181c34f95376a56245cf6414

Previously the ngx_inet_resolve_host() function sorted addresses in a way that
IPv4 addresses came before IPv6 addresses.  This was implemented in eaf95350d75c
(1.3.10) along with the introduction of getaddrinfo() which could resolve host
names to IPv6 addresses.  Since the "listen" directive only used the first
address, sorting allowed to preserve "listen" compatibility with the previous
behavior and with the behavior of nginx built without IPv6 support.  Now
"listen" uses all resolved addresses which makes sorting pointless.





Previously the ngx_inet_resolve_host() function sorted addresses in a way that
IPv4 addresses came before IPv6 addresses.  This was implemented in eaf95350d75c
(1.3.10) along with the introduction of getaddrinfo() which could resolve host
names to IPv6 addresses.  Since the "listen" directive only used the first
address, sorting allowed to preserve "listen" compatibility with the previous
behavior and with the behavior of nginx built without IPv6 support.  Now
"listen" uses all resolved addresses which makes sorting pointless.







Multiple addresses in "listen".
2019-03-15T12:45:56+00:00

Roman Arutyunyan
arut@nginx.com

2019-03-15T12:45:56+00:00

4e17b93eb6787e99a4023f20f8c391284f86bbf3

Previously only one address was used by the listen directive handler even if
host name resolved to multiple addresses.  Now a separate listening socket is
created for each address.





Previously only one address was used by the listen directive handler even if
host name resolved to multiple addresses.  Now a separate listening socket is
created for each address.







SSL: support for parsing PEM certificates from memory.
2019-03-09T00:03:56+00:00

Maxim Dounin
mdounin@mdounin.ru

2019-03-09T00:03:56+00:00

59c34b67952c2ebee6760ca3115ba19e65060b58

This makes it possible to provide certificates directly via variables
in ssl_certificate / ssl_certificate_key directives, without using
intermediate files.





This makes it possible to provide certificates directly via variables
in ssl_certificate / ssl_certificate_key directives, without using
intermediate files.







SSL: removed redundant "pkey" variable.
2019-03-08T23:55:43+00:00

Maxim Dounin
mdounin@mdounin.ru

2019-03-08T23:55:43+00:00

762d98abedd89c834713451cd1ba3d33777c63d9

It was accidentally introduced in 77436d9951a1 (1.15.9).  In MSVC 2015
and more recent MSVC versions it triggers warning C4456 (declaration of
'pkey' hides previous local declaration).  Previously, all such warnings
were resolved in 2a621245f4cf.

Reported by Steve Stevenson.





It was accidentally introduced in 77436d9951a1 (1.15.9).  In MSVC 2015
and more recent MSVC versions it triggers warning C4456 (declaration of
'pkey' hides previous local declaration).  Previously, all such warnings
were resolved in 2a621245f4cf.

Reported by Steve Stevenson.







SSL: moved c->ssl->handshaked check in server name callback.
2019-03-05T13:34:19+00:00

Maxim Dounin
mdounin@mdounin.ru

2019-03-05T13:34:19+00:00

0ad4393e30c119d250415cb769e3d8bc8dce5186

Server name callback is always called by OpenSSL, even
if server_name extension is not present in ClientHello.  As such,
checking c->ssl->handshaked before the SSL_get_servername() result
should help to more effectively prevent renegotiation in
OpenSSL 1.1.0 - 1.1.0g, where neither SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
nor SSL_OP_NO_RENEGOTIATION is available.





Server name callback is always called by OpenSSL, even
if server_name extension is not present in ClientHello.  As such,
checking c->ssl->handshaked before the SSL_get_servername() result
should help to more effectively prevent renegotiation in
OpenSSL 1.1.0 - 1.1.0g, where neither SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
nor SSL_OP_NO_RENEGOTIATION is available.







SSL: use of the SSL_OP_NO_CLIENT_RENEGOTIATION option.
2019-03-03T13:49:02+00:00

Maxim Dounin
mdounin@mdounin.ru

2019-03-03T13:49:02+00:00

0808b04c4690354aab43e0cdfe49588abb942e8c

The SSL_OP_NO_CLIENT_RENEGOTIATION option was introduced in LibreSSL 2.5.1.
Unlike OpenSSL's SSL_OP_NO_RENEGOTIATION, it only disables client-initiated
renegotiation, and hence can be safely used on all SSL contexts.





The SSL_OP_NO_CLIENT_RENEGOTIATION option was introduced in LibreSSL 2.5.1.
Unlike OpenSSL's SSL_OP_NO_RENEGOTIATION, it only disables client-initiated
renegotiation, and hence can be safely used on all SSL contexts.