nginx.git/src, branch release-1.19.0 nginx HTTP/2: invalid connection preface logging (ticket #1981). 2020-05-25T15:33:42+00:00 Maxim Dounin mdounin@mdounin.ru 2020-05-25T15:33:42+00:00 4056ce4f4ee4d80d41c56af8c1b4fd41b76144c8 Previously, invalid connection preface errors were only logged at debug level, providing no visible feedback, in particular, when a plain text HTTP/2 listening socket is erroneously used for HTTP/1.x connections. Now these are explicitly logged at the info level, much like other client-related errors. 
Previously, invalid connection preface errors were only logged at debug
level, providing no visible feedback, in particular, when a plain text
HTTP/2 listening socket is erroneously used for HTTP/1.x connections.
Now these are explicitly logged at the info level, much like other
client-related errors.
Fixed format specifiers. 2020-05-23T12:53:08+00:00 Sergey Kandaurov pluknet@nginx.com 2020-05-23T12:53:08+00:00 9b87626b0bdd0e6c87d76f1a50302ca9e3df2fc1 






OCSP: certificate status cache.
2020-05-22T14:25:27+00:00

Roman Arutyunyan
arut@nginx.com

2020-05-22T14:25:27+00:00

5727f9a1e0cca082eb1f3e599e0453a7a9cfe319

When enabled, certificate status is stored in cache and is used to validate
the certificate in future requests.

New directive ssl_ocsp_cache is added to configure the cache.





When enabled, certificate status is stored in cache and is used to validate
the certificate in future requests.

New directive ssl_ocsp_cache is added to configure the cache.







SSL: client certificate validation with OCSP (ticket #1534).
2020-05-22T14:30:12+00:00

Roman Arutyunyan
arut@nginx.com

2020-05-22T14:30:12+00:00

60438ae395d83b0f8b21bf667a1e260d60c3f46a

OCSP validation for client certificates is enabled by the "ssl_ocsp" directive.
OCSP responder can be optionally specified by "ssl_ocsp_responder".

When session is reused, peer chain is not available for validation.
If the verified chain contains certificates from the peer chain not available
at the server, validation will fail.





OCSP validation for client certificates is enabled by the "ssl_ocsp" directive.
OCSP responder can be optionally specified by "ssl_ocsp_responder".

When session is reused, peer chain is not available for validation.
If the verified chain contains certificates from the peer chain not available
at the server, validation will fail.







OCSP stapling: iterate over all responder addresses.
2020-05-22T17:35:05+00:00

Roman Arutyunyan
arut@nginx.com

2020-05-22T17:35:05+00:00

aa94ee82f6040c8e2cbde3ae4de931c23fade3f3

Previously only the first responder address was used per each stapling update.
Now, in case of a network or parsing error, next address is used.

This also fixes the issue with unsupported responder address families
(ticket #1330).





Previously only the first responder address was used per each stapling update.
Now, in case of a network or parsing error, next address is used.

This also fixes the issue with unsupported responder address families
(ticket #1330).







OCSP stapling: keep extra chain in the staple object.
2020-05-17T11:24:35+00:00

Roman Arutyunyan
arut@nginx.com

2020-05-17T11:24:35+00:00

abdb9aebc6fa165cc2a77a555f309a4eec6947dd












OCSP stapling: moved response verification to a separate function.
2020-05-06T18:44:14+00:00

Roman Arutyunyan
arut@nginx.com

2020-05-06T18:44:14+00:00

3f2ac979eb3600fe285f184bfd30673e7c8de85a












Upstream: jump out of loop after matching the status code.
2020-05-13T14:02:47+00:00

Jinhua Tan
312841925@qq.com

2020-05-13T14:02:47+00:00

b47c1f35e2e421bc0e5be67afb897276324c57a4












Variables: fixed buffer over-read when evaluating "$arg_".
2020-05-08T16:19:16+00:00

Sergey Kandaurov
pluknet@nginx.com

2020-05-08T16:19:16+00:00

41ecd45a5bb78b2214c4515768a51aff0c57eead












gRPC: WINDOW_UPDATE after END_STREAM handling (ticket #1797).
2020-04-23T12:10:26+00:00

Ruslan Ermilov
ru@nginx.com

2020-04-23T12:10:26+00:00

ee9c61b89bcb891575c809e388affd2bb04e9e60

As per https://tools.ietf.org/html/rfc7540#section-6.9,
WINDOW_UPDATE received after a frame with the END_STREAM flag
should be handled and not treated as an error.





As per https://tools.ietf.org/html/rfc7540#section-6.9,
WINDOW_UPDATE received after a frame with the END_STREAM flag
should be handled and not treated as an error.