nginx.git/src, branch release-1.15.2 nginx Fixed NGX_TID_T_FMT format specification for uint64_t. 2018-07-22T01:03:40+00:00 Maxim Dounin mdounin@mdounin.ru 2018-07-22T01:03:40+00:00 5a19c034f3f1870de7c4254d2e1e32749a596112 Previously, "%uA" was used, which corresponds to ngx_atomic_uint_t. Size of ngx_atomic_uint_t can be easily different from uint64_t, leading to undefined results. 
Previously, "%uA" was used, which corresponds to ngx_atomic_uint_t.
Size of ngx_atomic_uint_t can be easily different from uint64_t,
leading to undefined results.
Stream ssl_preread: added SSLv2 Client Hello support. 2018-07-18T15:51:25+00:00 Sergey Kandaurov pluknet@nginx.com 2018-07-18T15:51:25+00:00 b93931ae8292a485e045c36f963d843a74507d1e In particular, it was not possible to obtain SSLv2 protocol version. 
In particular, it was not possible to obtain SSLv2 protocol version.
Fixed invalid access to location defined as an empty string. 2018-07-17T12:30:43+00:00 Ruslan Ermilov ru@nginx.com 2018-07-17T12:30:43+00:00 372b624627b3f943ffd1227ff8aacbae7b42880f 






SSL: save sessions for upstream peers using a callback function.
2018-07-17T09:53:23+00:00

Sergey Kandaurov
pluknet@nginx.com

2018-07-17T09:53:23+00:00

d5a27006e03174aa518f6c849d377a130a7c705c

In TLSv1.3, NewSessionTicket messages arrive after the handshake and
can come at any time.  Therefore we use a callback to save the session
when we know about it.  This approach works for < TLSv1.3 as well.
The callback function is set once per location on merge phase.

Since SSL_get_session() in BoringSSL returns an unresumable session for
TLSv1.3, peer save_session() methods have been updated as well to use a
session supplied within the callback.  To preserve API, the session is
cached in c->ssl->session.  It is preferably accessed in save_session()
methods by ngx_ssl_get_session() and ngx_ssl_get0_session() wrappers.





In TLSv1.3, NewSessionTicket messages arrive after the handshake and
can come at any time.  Therefore we use a callback to save the session
when we know about it.  This approach works for < TLSv1.3 as well.
The callback function is set once per location on merge phase.

Since SSL_get_session() in BoringSSL returns an unresumable session for
TLSv1.3, peer save_session() methods have been updated as well to use a
session supplied within the callback.  To preserve API, the session is
cached in c->ssl->session.  It is preferably accessed in save_session()
methods by ngx_ssl_get_session() and ngx_ssl_get0_session() wrappers.







SSL: use of the SSL_OP_NO_RENEGOTIATION option (ticket #1376).
2018-07-16T14:47:48+00:00

Maxim Dounin
mdounin@mdounin.ru

2018-07-16T14:47:48+00:00

e1bebd05cb75fa6e8be5f4f942028501c9b22821

The SSL_OP_NO_RENEGOTIATION option is available in OpenSSL 1.1.0h+ and can
save some CPU cycles on renegotiation attempts.





The SSL_OP_NO_RENEGOTIATION option is available in OpenSSL 1.1.0h+ and can
save some CPU cycles on renegotiation attempts.







SSL: fixed SSL_clear_options() usage with OpenSSL 1.1.0+.
2018-07-16T14:47:20+00:00

Maxim Dounin
mdounin@mdounin.ru

2018-07-16T14:47:20+00:00

14561299025b1a85dc7e7d9b5d793a0fa95fd393

In OpenSSL 1.1.0 the SSL_CTRL_CLEAR_OPTIONS macro was removed, so
conditional compilation test on it results in SSL_clear_options()
and SSL_CTX_clear_options() not being used.  Notably, this caused
"ssl_prefer_server_ciphers off" to not work in SNI-based virtual
servers if server preference was switched on in the default server.

It looks like the only possible fix is to test OPENSSL_VERSION_NUMBER
explicitly.





In OpenSSL 1.1.0 the SSL_CTRL_CLEAR_OPTIONS macro was removed, so
conditional compilation test on it results in SSL_clear_options()
and SSL_CTX_clear_options() not being used.  Notably, this caused
"ssl_prefer_server_ciphers off" to not work in SNI-based virtual
servers if server preference was switched on in the default server.

It looks like the only possible fix is to test OPENSSL_VERSION_NUMBER
explicitly.







SSL: logging levels of "unsupported protocol", "version too low".
2018-07-16T14:47:18+00:00

Maxim Dounin
mdounin@mdounin.ru

2018-07-16T14:47:18+00:00

b1734fd800ec612f539f9c1699665d0685c2f9e8

Starting with OpenSSL 1.1.0, SSL_R_UNSUPPORTED_PROTOCOL instead of
SSL_R_UNKNOWN_PROTOCOL is reported when a protocol is disabled via
an SSL_OP_NO_* option.

Additionally, SSL_R_VERSION_TOO_LOW is reported when using MinProtocol
or when seclevel checks (as set by @SECLEVEL=n in the cipher string)
rejects a protocol, and this is what happens with SSLv3 and @SECLEVEL=1,
which is the default.

There is also the SSL_R_VERSION_TOO_HIGH error code, but it looks like
it is not possible to trigger it.





Starting with OpenSSL 1.1.0, SSL_R_UNSUPPORTED_PROTOCOL instead of
SSL_R_UNKNOWN_PROTOCOL is reported when a protocol is disabled via
an SSL_OP_NO_* option.

Additionally, SSL_R_VERSION_TOO_LOW is reported when using MinProtocol
or when seclevel checks (as set by @SECLEVEL=n in the cipher string)
rejects a protocol, and this is what happens with SSLv3 and @SECLEVEL=1,
which is the default.

There is also the SSL_R_VERSION_TOO_HIGH error code, but it looks like
it is not possible to trigger it.







Events: added configuration check on the number of connections.
2018-07-12T16:50:07+00:00

Maxim Dounin
mdounin@mdounin.ru

2018-07-12T16:50:07+00:00

85b44b46fb851fc933e3c053ab2c45e5b92f85c9

There should be at least one worker connection for each listening socket,
plus an additional connection for channel between worker and master,
or starting worker processes will fail.





There should be at least one worker connection for each listening socket,
plus an additional connection for channel between worker and master,
or starting worker processes will fail.







Events: moved sockets cloning to ngx_event_init_conf().
2018-07-12T16:50:02+00:00

Maxim Dounin
mdounin@mdounin.ru

2018-07-12T16:50:02+00:00

751bdd3bb2b6ff54be09c37ff328f258fed520fb

Previously, listenings sockets were not cloned if the worker_processes
directive was specified after "listen ... reuseport".

This also simplifies upcoming configuration check on the number
of worker connections, as it needs to know the number of listening
sockets before cloning.





Previously, listenings sockets were not cloned if the worker_processes
directive was specified after "listen ... reuseport".

This also simplifies upcoming configuration check on the number
of worker connections, as it needs to know the number of listening
sockets before cloning.







Stream ssl_preread: $ssl_preread_protocol variable.
2018-07-11T14:56:51+00:00

Roman Arutyunyan
arut@nginx.com

2018-07-11T14:56:51+00:00

a8e38e2a9c1c9f3afb22fdb196e85fb2f28c192c

The variable keeps the latest SSL protocol version supported by the client.
The variable has the same format as $ssl_protocol.

The version is read from the client_version field of ClientHello.  If the
supported_versions extension is present in the ClientHello, then the version
is set to TLSv1.3.





The variable keeps the latest SSL protocol version supported by the client.
The variable has the same format as $ssl_protocol.

The version is read from the client_version field of ClientHello.  If the
supported_versions extension is present in the ClientHello, then the version
is set to TLSv1.3.