nginx.git/src, branch release-1.22.1 nginx Mp4: disabled duplicate atoms. 2022-10-19T07:53:17+00:00 Roman Arutyunyan arut@nginx.com 2022-10-19T07:53:17+00:00 6b022a5556af22b6e18532e547a6ae46b0d8c6ea Most atoms should not appear more than once in a container. Previously, this was not enforced by the module, which could result in worker process crash, memory corruption and disclosure. 
Most atoms should not appear more than once in a container.  Previously,
this was not enforced by the module, which could result in worker process
crash, memory corruption and disclosure.
Version bump. 2022-10-19T07:59:37+00:00 Maxim Dounin mdounin@mdounin.ru 2022-10-19T07:59:37+00:00 093b594e92b47513d390c8f0c098b5d63d83c712 






Stable branch.
2022-05-23T23:55:29+00:00

Maxim Dounin
mdounin@mdounin.ru

2022-05-23T23:55:29+00:00

81ef8fb34093b67552d15e0a8d7da5df2b44886b












SSL: always renewing tickets with TLSv1.3 (ticket #1892).
2022-01-24T14:18:50+00:00

Maxim Dounin
mdounin@mdounin.ru

2022-01-24T14:18:50+00:00

0a407d7df825689a47ecdea4ae4cd6b2a894cb53

Chrome only uses TLS session tickets once with TLS 1.3, likely following
RFC 8446 Appendix C.4 recommendation.  With OpenSSL, this works fine with
built-in session tickets, since these are explicitly renewed in case of
TLS 1.3 on each session reuse, but results in only two connections being
reused after an initial handshake when using ssl_session_ticket_key.

Fix is to always renew TLS session tickets in case of TLS 1.3 when using
ssl_session_ticket_key, similarly to how it is done by OpenSSL internally.





Chrome only uses TLS session tickets once with TLS 1.3, likely following
RFC 8446 Appendix C.4 recommendation.  With OpenSSL, this works fine with
built-in session tickets, since these are explicitly renewed in case of
TLS 1.3 on each session reuse, but results in only two connections being
reused after an initial handshake when using ssl_session_ticket_key.

Fix is to always renew TLS session tickets in case of TLS 1.3 when using
ssl_session_ticket_key, similarly to how it is done by OpenSSL internally.







Core: simplify reader lock release.
2022-01-20T01:37:34+00:00

Pavel Pautov
p.pautov@f5.com

2022-01-20T01:37:34+00:00

950390108cbb8431845635176c36466653b05487












SSL: free pkey on SSL_CTX_set0_tmp_dh_pkey() failure.
2022-01-17T14:05:12+00:00

Sergey Kandaurov
pluknet@nginx.com

2022-01-17T14:05:12+00:00

429150c1fa78317bdb19de380ce709651dbc042c

The behaviour was changed in OpenSSL 3.0.1:
https://git.openssl.org/?p=openssl.git;a=commitdiff;h=bf17b7b





The behaviour was changed in OpenSSL 3.0.1:
https://git.openssl.org/?p=openssl.git;a=commitdiff;h=bf17b7b







Avoid sending "Connection: keep-alive" when shutting down.
2022-01-10T23:23:49+00:00

Maxim Dounin
mdounin@mdounin.ru

2022-01-10T23:23:49+00:00

22d4ff08bbe764997d157690e422d1077f543908

When a worker process is shutting down, keepalive is not used: this is checked
before the ngx_http_set_keepalive() call in ngx_http_finalize_connection().
Yet the "Connection: keep-alive" header was still sent, even if we know that
the worker process is shutting down, potentially resulting in additional
requests being sent to the connection which is going to be closed anyway.
While clients are expected to be able to handle asynchronous close events
(see ticket #1022), it is certainly possible to send the "Connection: close"
header instead, informing the client that the connection is going to be closed
and potentially saving some unneeded work.

With this change, we additionally check for worker process shutdown just
before sending response headers, and disable keepalive accordingly.





When a worker process is shutting down, keepalive is not used: this is checked
before the ngx_http_set_keepalive() call in ngx_http_finalize_connection().
Yet the "Connection: keep-alive" header was still sent, even if we know that
the worker process is shutting down, potentially resulting in additional
requests being sent to the connection which is going to be closed anyway.
While clients are expected to be able to handle asynchronous close events
(see ticket #1022), it is certainly possible to send the "Connection: close"
header instead, informing the client that the connection is going to be closed
and potentially saving some unneeded work.

With this change, we additionally check for worker process shutdown just
before sending response headers, and disable keepalive accordingly.







Events: fixed balancing between workers with EPOLLEXCLUSIVE.
2021-12-29T22:08:46+00:00

Maxim Dounin
mdounin@mdounin.ru

2021-12-29T22:08:46+00:00

96c342e56035a9676180d03b4659d5b05b9c6b07

Linux with EPOLLEXCLUSIVE usually notifies only the process which was first
to add the listening socket to the epoll instance.  As a result most of the
connections are handled by the first worker process (ticket #2285).  To fix
this, we re-add the socket periodically, so other workers will get a chance
to accept connections.





Linux with EPOLLEXCLUSIVE usually notifies only the process which was first
to add the listening socket to the epoll instance.  As a result most of the
connections are handled by the first worker process (ticket #2285).  To fix
this, we re-add the socket periodically, so other workers will get a chance
to accept connections.







Version bump.
2021-12-29T19:59:53+00:00

Maxim Dounin
mdounin@mdounin.ru

2021-12-29T19:59:53+00:00

614726621797f1267c41f8a8e488eeefff8bdf7f












Support for sendfile(SF_NOCACHE).
2021-12-27T16:49:26+00:00

Maxim Dounin
mdounin@mdounin.ru

2021-12-27T16:49:26+00:00

1f01183b9e6658749934313fd72f7f16c1918b54

The SF_NOCACHE flag, introduced in FreeBSD 11 along with the new non-blocking
sendfile() implementation by glebius@, makes it possible to use sendfile()
along with the "directio" directive.





The SF_NOCACHE flag, introduced in FreeBSD 11 along with the new non-blocking
sendfile() implementation by glebius@, makes it possible to use sendfile()
along with the "directio" directive.