nginx.git/src, branch release-1.15.3 nginx Upstream: fixed request chain traversal (ticket #1618). 2018-08-24T09:19:37+00:00 Vladimir Homutov vl@nginx.com 2018-08-24T09:19:37+00:00 62821f1c99f3bdb79ddbef2386060a6deb192605 The problem does not manifest itself currently, because in case of non-buffered reading, chain link created by u->create_request method consists of a single element. Found by PVS-Studio. 
The problem does not manifest itself currently, because in case of
non-buffered reading, chain link created by u->create_request method
consists of a single element.

Found by PVS-Studio.
Upstream keepalive: keepalive_requests directive. 2018-08-10T18:54:46+00:00 Maxim Dounin mdounin@mdounin.ru 2018-08-10T18:54:46+00:00 d817ceae729914e7423c4c206165fc244513f021 The directive configures maximum number of requests allowed on a connection kept in the cache. Once a connection reaches the number of requests configured, it is no longer saved to the cache. The default is 100. Much like keepalive_requests for client connections, this is mostly a safeguard to make sure connections are closed periodically and the memory allocated from the connection pool is freed. 
The directive configures maximum number of requests allowed on
a connection kept in the cache.  Once a connection reaches the number
of requests configured, it is no longer saved to the cache.
The default is 100.

Much like keepalive_requests for client connections, this is mostly
a safeguard to make sure connections are closed periodically and the
memory allocated from the connection pool is freed.
Upstream keepalive: keepalive_timeout directive. 2018-08-10T18:54:23+00:00 Maxim Dounin mdounin@mdounin.ru 2018-08-10T18:54:23+00:00 7de808990b8e49e2e18c2a013e4cca82a092fdbc The directive configures maximum time a connection can be kept in the cache. By configuring a time which is smaller than the corresponding timeout on the backend side one can avoid the race between closing a connection by the backend and nginx trying to use the same connection to send a request at the same time. 
The directive configures maximum time a connection can be kept in the
cache.  By configuring a time which is smaller than the corresponding
timeout on the backend side one can avoid the race between closing
a connection by the backend and nginx trying to use the same connection
to send a request at the same time.
Upstream keepalive: comment added. 2018-08-10T18:54:17+00:00 Maxim Dounin mdounin@mdounin.ru 2018-08-10T18:54:17+00:00 f3d1a925b5e27d8d78fc6da408ccc2f75994939c 






SSL: fixed build with LibreSSL 2.8.0 (ticket #1605).
2018-08-10T17:49:06+00:00

Maxim Dounin
mdounin@mdounin.ru

2018-08-10T17:49:06+00:00

1b1b632eed84197863b7cc6a00579968362a700b

LibreSSL 2.8.0 "added const annotations to many existing APIs from OpenSSL,
making interoperability easier for downstream applications".  This includes
the const change in the SSL_CTX_sess_set_get_cb() callback function (see
9dd43f4ef67e), which breaks compilation.

To fix this, added a condition on how we redefine OPENSSL_VERSION_NUMBER
when working with LibreSSL (see 382fc7069e3a).  With LibreSSL 2.8.0,
we now set OPENSSL_VERSION_NUMBER to 0x1010000fL (OpenSSL 1.1.0), so the
appropriate conditions in the code will use "const" as it happens with
OpenSSL 1.1.0 and later versions.





LibreSSL 2.8.0 "added const annotations to many existing APIs from OpenSSL,
making interoperability easier for downstream applications".  This includes
the const change in the SSL_CTX_sess_set_get_cb() callback function (see
9dd43f4ef67e), which breaks compilation.

To fix this, added a condition on how we redefine OPENSSL_VERSION_NUMBER
when working with LibreSSL (see 382fc7069e3a).  With LibreSSL 2.8.0,
we now set OPENSSL_VERSION_NUMBER to 0x1010000fL (OpenSSL 1.1.0), so the
appropriate conditions in the code will use "const" as it happens with
OpenSSL 1.1.0 and later versions.







HTTP/2: workaround for clients which fail on table size updates.
2018-08-09T17:12:17+00:00

Maxim Dounin
mdounin@mdounin.ru

2018-08-09T17:12:17+00:00

0d224602e966c431674958dabcaa451c99539352

There are clients which cannot handle HPACK's dynamic table size updates
as added in 12cadc4669a7 (1.13.6).  Notably, old versions of OkHttp library
are known to fail on it (ticket #1397).

This change makes it possible to work with such clients by only sending
dynamic table size updates in response to SETTINGS_HEADER_TABLE_SIZE.  As
a downside, clients which do not use SETTINGS_HEADER_TABLE_SIZE will
continue to maintain default 4k table.





There are clients which cannot handle HPACK's dynamic table size updates
as added in 12cadc4669a7 (1.13.6).  Notably, old versions of OkHttp library
are known to fail on it (ticket #1397).

This change makes it possible to work with such clients by only sending
dynamic table size updates in response to SETTINGS_HEADER_TABLE_SIZE.  As
a downside, clients which do not use SETTINGS_HEADER_TABLE_SIZE will
continue to maintain default 4k table.







Skipping spaces in configuration files (ticket #1557).
2018-08-09T09:15:42+00:00

Maxim Dounin
mdounin@mdounin.ru

2018-08-09T09:15:42+00:00

dd8e1e178c1a47d51ce85604a169f9179c15c220

Previously, a chunk of spaces larger than NGX_CONF_BUFFER (4096 bytes)
resulted in the "too long parameter" error during parsing such a
configuration.  This was because the code only set start and start_line
on non-whitespace characters, and hence adjacent whitespace characters
were preserved when reading additional data from the configuration file.
Fix is to always move start and start_line if the last character was
a space.





Previously, a chunk of spaces larger than NGX_CONF_BUFFER (4096 bytes)
resulted in the "too long parameter" error during parsing such a
configuration.  This was because the code only set start and start_line
on non-whitespace characters, and hence adjacent whitespace characters
were preserved when reading additional data from the configuration file.
Fix is to always move start and start_line if the last character was
a space.







SSL: support for TLSv1.3 early data with BoringSSL.
2018-08-06T23:16:07+00:00

Maxim Dounin
mdounin@mdounin.ru

2018-08-06T23:16:07+00:00

3b1589173f28fccb5816669f3ff4c9ac1e9b573c

Early data AKA 0-RTT mode is enabled as long as "ssl_early_data on" is
specified in the configuration (default is off).

The $ssl_early_data variable evaluates to "1" if the SSL handshake
isn't yet completed, and can be used to set the Early-Data header as
per draft-ietf-httpbis-replay-04.





Early data AKA 0-RTT mode is enabled as long as "ssl_early_data on" is
specified in the configuration (default is off).

The $ssl_early_data variable evaluates to "1" if the SSL handshake
isn't yet completed, and can be used to set the Early-Data header as
per draft-ietf-httpbis-replay-04.







SSL: enabled TLSv1.3 with BoringSSL.
2018-08-06T23:15:28+00:00

Maxim Dounin
mdounin@mdounin.ru

2018-08-06T23:15:28+00:00

9f30fda1c2e24058e91a8c637c0717b32be399da

BoringSSL currently requires SSL_CTX_set_max_proto_version(TLS1_3_VERSION)
to be able to enable TLS 1.3.  This is because by default max protocol
version is set to TLS 1.2, and the SSL_OP_NO_* options are merely used
as a blacklist within the version range specified using the
SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version()
functions.

With this change, we now call SSL_CTX_set_max_proto_version() with an
explicit maximum version set.  This enables TLS 1.3 with BoringSSL.
As a side effect, this change also limits maximum protocol version to
the newest protocol we know about, TLS 1.3.  This seems to be a good
change, as enabling unknown protocols might have unexpected results.

Additionally, we now explicitly call SSL_CTX_set_min_proto_version()
with 0.  This is expected to help with Debian system-wide default
of MinProtocol set to TLSv1.2, see
http://mailman.nginx.org/pipermail/nginx-ru/2017-October/060411.html.

Note that there is no SSL_CTX_set_min_proto_version macro in BoringSSL,
so we call SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version()
as long as the TLS1_3_VERSION macro is defined.





BoringSSL currently requires SSL_CTX_set_max_proto_version(TLS1_3_VERSION)
to be able to enable TLS 1.3.  This is because by default max protocol
version is set to TLS 1.2, and the SSL_OP_NO_* options are merely used
as a blacklist within the version range specified using the
SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version()
functions.

With this change, we now call SSL_CTX_set_max_proto_version() with an
explicit maximum version set.  This enables TLS 1.3 with BoringSSL.
As a side effect, this change also limits maximum protocol version to
the newest protocol we know about, TLS 1.3.  This seems to be a good
change, as enabling unknown protocols might have unexpected results.

Additionally, we now explicitly call SSL_CTX_set_min_proto_version()
with 0.  This is expected to help with Debian system-wide default
of MinProtocol set to TLSv1.2, see
http://mailman.nginx.org/pipermail/nginx-ru/2017-October/060411.html.

Note that there is no SSL_CTX_set_min_proto_version macro in BoringSSL,
so we call SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version()
as long as the TLS1_3_VERSION macro is defined.







Dav: removed dead store after 8e7a5de61664.
2018-08-02T10:19:48+00:00

Sergey Kandaurov
pluknet@nginx.com

2018-08-02T10:19:48+00:00

a6baf5e508cad9d3561ed71a637127deb1e3f40d

Found by Clang Static Analyzer.





Found by Clang Static Analyzer.