nginx.git/src, branch release-1.27.2 nginx SSL: caching CA certificates. 2024-10-01T13:59:24+00:00 Sergey Kandaurov pluknet@nginx.com 2024-09-09T15:05:58+00:00 5917e9de5a45bb7288c1c433db840d1a4c6290f3 This can potentially provide a large amount of savings, because CA certificates can be quite large. Based on previous work by Mini Hawthorne. 
This can potentially provide a large amount of savings,
because CA certificates can be quite large.

Based on previous work by Mini Hawthorne.
SSL: caching CRLs. 2024-10-01T13:59:24+00:00 Sergey Kandaurov pluknet@nginx.com 2024-09-09T15:05:31+00:00 61314518de74fcb3af954ea6e6cb2820307676d0 Based on previous work by Mini Hawthorne. 
Based on previous work by Mini Hawthorne.
SSL: caching certificate keys. 2024-10-01T13:59:24+00:00 Sergey Kandaurov pluknet@nginx.com 2024-09-09T15:04:18+00:00 7ea2fb6cb197925c7c0e35def9ece12d11b09bb9 EVP_KEY objects are a reference-counted container for key material, shallow copies and OpenSSL stack management aren't needed as with certificates. Based on previous work by Mini Hawthorne. 
EVP_KEY objects are a reference-counted container for key material, shallow
copies and OpenSSL stack management aren't needed as with certificates.

Based on previous work by Mini Hawthorne.
SSL: caching certificates. 2024-10-01T13:59:24+00:00 Sergey Kandaurov pluknet@nginx.com 2024-09-09T15:03:52+00:00 78ed123e71aab17ffecfa0b2b27a349cfb4b2502 Certificate chains are now loaded once. The certificate cache provides each chain as a unique stack of reference counted elements. This shallow copy is required because OpenSSL stacks aren't reference counted. Based on previous work by Mini Hawthorne. 
Certificate chains are now loaded once.

The certificate cache provides each chain as a unique stack of reference
counted elements.  This shallow copy is required because OpenSSL stacks
aren't reference counted.

Based on previous work by Mini Hawthorne.
SSL: object caching. 2024-10-01T13:59:24+00:00 Sergey Kandaurov pluknet@nginx.com 2024-09-09T15:03:20+00:00 7d7e8d2cb8d16e409e0d4c777b30f1d8d7838c7b Added ngx_openssl_cache_module, which indexes a type-aware object cache. It maps an id to a unique instance, and provides references to it, which are dropped when the cycle's pool is destroyed. The cache will be used in subsequent patches. Based on previous work by Mini Hawthorne. 
Added ngx_openssl_cache_module, which indexes a type-aware object cache.
It maps an id to a unique instance, and provides references to it, which
are dropped when the cycle's pool is destroyed.

The cache will be used in subsequent patches.

Based on previous work by Mini Hawthorne.
SSL: moved certificate storage out of exdata. 2024-10-01T13:59:24+00:00 Sergey Kandaurov pluknet@nginx.com 2024-09-09T15:02:27+00:00 f36ff3550a7271a618edb119f064dddd086cc380 Instead of cross-linking the objects using exdata, pointers to configured certificates are now stored in ngx_ssl_t, and OCSP staples are now accessed with rbtree in it. This allows sharing these objects between SSL contexts. Based on previous work by Mini Hawthorne. 
Instead of cross-linking the objects using exdata, pointers to configured
certificates are now stored in ngx_ssl_t, and OCSP staples are now accessed
with rbtree in it.  This allows sharing these objects between SSL contexts.

Based on previous work by Mini Hawthorne.
Fixed a typo of bpf makefile debug option. 2024-09-24T14:58:30+00:00 tzssangglass tzssangglass@gmail.com 2024-09-09T15:22:34+00:00 51857ce40400b48bc8900b9e3930cf7474fa0c41 






SSL: optional ssl_client_certificate for ssl_verify_client.
2024-09-20T10:43:00+00:00

Sergey Kandaurov
pluknet@nginx.com

2024-09-20T10:08:42+00:00

18afcda938cd2d4712d0d083b57161290a5a2d34

Starting from TLSv1.1 (as seen since draft-ietf-tls-rfc2246-bis-00),
the "certificate_authorities" field grammar of the CertificateRequest
message was redone to allow no distinguished names.  In TLSv1.3, with
the restructured CertificateRequest message, this can be similarly
done by optionally including the "certificate_authorities" extension.
This allows to avoid sending DNs at all.

In practice, aside from published TLS specifications, all supported
SSL/TLS libraries allow to request client certificates with an empty
DN list for any protocol version.  For instance, when operating in
TLSv1, this results in sending the "certificate_authorities" list as
a zero-length vector, which corresponds to the TLSv1.1 specification.
Such behaviour goes back to SSLeay.

The change relaxes the requirement to specify at least one trusted CA
certificate in the ssl_client_certificate directive, which resulted in
sending DNs of these certificates (closes #142).  Instead, all trusted
CA certificates can be specified now using the ssl_trusted_certificate
directive if needed.  A notable difference that certificates specified
in ssl_trusted_certificate are always loaded remains (see 3648ba7db).

Co-authored-by: Praveen Chaudhary <praveenc@nvidia.com>





Starting from TLSv1.1 (as seen since draft-ietf-tls-rfc2246-bis-00),
the "certificate_authorities" field grammar of the CertificateRequest
message was redone to allow no distinguished names.  In TLSv1.3, with
the restructured CertificateRequest message, this can be similarly
done by optionally including the "certificate_authorities" extension.
This allows to avoid sending DNs at all.

In practice, aside from published TLS specifications, all supported
SSL/TLS libraries allow to request client certificates with an empty
DN list for any protocol version.  For instance, when operating in
TLSv1, this results in sending the "certificate_authorities" list as
a zero-length vector, which corresponds to the TLSv1.1 specification.
Such behaviour goes back to SSLeay.

The change relaxes the requirement to specify at least one trusted CA
certificate in the ssl_client_certificate directive, which resulted in
sending DNs of these certificates (closes #142).  Instead, all trusted
CA certificates can be specified now using the ssl_trusted_certificate
directive if needed.  A notable difference that certificates specified
in ssl_trusted_certificate are always loaded remains (see 3648ba7db).

Co-authored-by: Praveen Chaudhary <praveenc@nvidia.com>







Proxy: proxy_pass_trailers directive.
2024-09-13T12:47:56+00:00

Sergey Kandaurov
pluknet@nginx.com

2024-09-10T12:48:11+00:00

1a64c196a7d43f83a14fec20ce8936e599c92865

The directive allows to pass upstream response trailers to client.





The directive allows to pass upstream response trailers to client.







Stream: OCSP stapling.
2024-08-22T10:57:46+00:00

Sergey Kandaurov
pluknet@nginx.com

2024-08-22T10:57:46+00:00

fb89d50eeb19d42d83144ff76c80d20e80c41aca