History log of /unit/src/nxt_openssl.c (Results 1 – 25 of 30)
Revision    Date    Author    Comments
# 2090:e6102bb58d1d 11-May-2022 Sergey Kandaurov

Using SSL_OP_IGNORE_UNEXPECTED_EOF.

A new behaviour was introduced in OpenSSL 1.1.1e, when a peer does not send
close_notify before closing the connection. Previously, it was to return
SSL_ERROR_SYSCALL with errno 0, known since at least OpenSSL 0.9.7, and is
handled gracefully in unitd. Now it returns SSL_ERROR_SSL with a distinct
reason SSL_R_UNEXPECTED_EOF_WHILE_READING ("unexpected eof while reading").
This leads to critical errors seen in nginx within various routines such as
SSL_do_handshake(), SSL_read(), SSL_shutdown(). The behaviour was restored
in OpenSSL 1.1.1f, but is present in OpenSSL 3.0 by default.

Use of the SSL_OP_IGNORE_UNEXPECTED_EOF option added in OpenSSL 3.0 allows
setting a compatible behaviour to return SSL_ERROR_ZERO_RETURN:
https://git.openssl.org/?p=openssl.git;a=commitdiff;h=09b90e0

See for additional details: https://github.com/openssl/openssl/issues/11381



# 2089:dcec02b45917 11-May-2022 Sergey Kandaurov

Using OPENSSL_SUPPRESS_DEPRECATED.

The macro is used to suppress deprecation warnings with OpenSSL 3.0.

Unlike OPENSSL_API_COMPAT, it works well with OpenSSL built with no-deprecated.
In particular, it doesn't unhide various macros in OpenSSL includes, which are
meant to be hidden under OPENSSL_NO_DEPRECATED.



# 2077:624e51cfe97a 18-Dec-2021 Alejandro Colomar

Removed special cases for non-NXT_CONF_VALUE_ARRAY.

The previous commit added more generic APIs for handling
NXT_CONF_VALUE_ARRAY and non-NXT_CONF_VALUE_ARRAY together.
Modify calling code to remove special cases for arrays and
non-arrays, taking special care that the path for non-arrays is
logically equivalent to the previous special-cased code.
Use the now-generic array code only.



Revision tags: 1.26.1-1, 1.26.1, 1.26.0-1, 1.26.0
# 1975:6a47cab8f271 26-Oct-2021 Valentin Bartenev

Custom implementation of Base64 decoding function.

Compared to the previous implementation based on OpenSSL, the new implementation
has these advantages:

1. Strict and reliable detection of invalid strings, including strings with
less than 4 bytes of garbage at the end;

2. Allows the use of Base64 strings without '=' padding.

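A decoder with the two properties listed in the commit message above, as an added example written for this page and not the implementation Unit ships: it accepts the RFC 4648 alphabet with or without '=' padding, rejects a dangling 4k+1 character tail (the "less than 4 bytes of garbage" case) and anything that follows the padding, and additionally, beyond what the commit message lists, rejects non-zero leftover bits in the final sextet. The function names, return convention (byte count or -1) and sample inputs are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not NGINX Unit's code: strict Base64 decoder.
 * Returns bytes written to dst, or -1 if src is invalid or dst is too small. */
static int b64_value(unsigned char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

long b64_decode_strict(const char *src, size_t len,
                       unsigned char *dst, size_t dst_size)
{
    size_t i, n, pad = 0, out = 0;
    unsigned int acc = 0;
    int bits = 0;

    /* At most two '=' are meaningful, and only at the very end. */
    if (len > 0 && src[len - 1] == '=') {
        pad = 1;
        if (len > 1 && src[len - 2] == '=') {
            pad = 2;
        }
    }

    /* Padding, when present, must complete a 4-character group. */
    if (pad != 0 && len % 4 != 0) {
        return -1;
    }

    n = len - pad;

    /* 4k+1 characters is never valid: a lone sextet cannot carry a byte.
     * Unpadded input with 4k+2 or 4k+3 characters is accepted. */
    if (n % 4 == 1) {
        return -1;
    }

    for (i = 0; i < n; i++) {
        int v = b64_value((unsigned char) src[i]);

        if (v < 0) {
            return -1;  /* also catches '=' anywhere but the end */
        }

        acc = (acc << 6) | (unsigned int) v;
        bits += 6;

        if (bits >= 8) {
            bits -= 8;
            if (out >= dst_size) {
                return -1;
            }
            dst[out++] = (unsigned char) (acc >> bits);
        }
    }

    /* Canonical-form check: unused bits of the last sextet must be zero. */
    if (bits > 0 && (acc & ((1u << bits) - 1)) != 0) {
        return -1;
    }

    return (long) out;
}

/* Helpers for checking verdicts: 1 if src decodes exactly to expected. */
int b64_decodes_to(const char *src, const char *expected)
{
    unsigned char buf[64];
    long n = b64_decode_strict(src, strlen(src), buf, sizeof buf);

    return n >= 0 && (size_t) n == strlen(expected)
           && memcmp(buf, expected, (size_t) n) == 0;
}

int b64_rejects(const char *src)
{
    unsigned char buf[64];
    return b64_decode_strict(src, strlen(src), buf, sizeof buf) == -1;
}

int main(void)
{
    /* Constructed inputs: padded, unpadded, trailing garbage, bad padding,
     * illegal character, non-canonical final sextet. */
    const char *inputs[] = { "aGVsbG8=", "aGVsbG8", "aGVsbG8gd",
                             "aGVsbG8=x", "aGVsbG8==", "aGVs bG8=", "aGVsbG9=" };
    unsigned char buf[64];
    size_t i;

    for (i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        long n = b64_decode_strict(inputs[i], strlen(inputs[i]), buf, sizeof buf);
        printf("%-12s -> %s\n", inputs[i], n < 0 ? "invalid" : "valid");
    }
    return 0;
}
```

The 4k+1 rule is what makes the trailing-garbage case cheap to detect: since every full group yields three bytes and a two- or three-character remainder yields one or two, a single leftover character can only ever be junk, so it is rejected before any decoding happens.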


# 1967:98e518a1c90e 08-Oct-2021 Artem Konev

Fixed invalid call sequence in nxt_tls_ticket_key_callback().

The bug has been introduced in 0bca988e9541.


# 1952:0bca988e9541 25-Aug-2021 Valentin Bartenev

TLS: refactored nxt_tls_ticket_key_callback().

Deduplicated code and improved style.
No functional changes.


Revision tags: 1.25.0-1, 1.25.0
# 1942:296628096d6c 17-Aug-2021 Andrey Suvorov

Added TLS session tickets support.


# 1921:b0deb6fa9219 22-Jul-2021 Andrey Suvorov

Changing SNI callback return code if a client sends no SNI.

A client sending no SNI is a common situation. But currently the server
processes it as an error and returns SSL_TLSEXT_ERR_ALERT_FATAL, causing
termination of the current TLS session. The problem occurs if the configuration
has more than one certificate bundle in a listener.

This fix changes the return code to SSL_TLSEXT_ERR_OK and the log level of the
message.



# 1920:7c19530e2502 21-Jul-2021 Andrey Suvorov

Enabling configuration of TLS sessions.

To support TLS sessions, Unit uses the OpenSSL built-in session cache; the
cache_size option defines the number of sessions to store. To disable the
feature, the option must be zero.



Revision tags: 1.24.0-1, 1.24.0
# 1885:09b857a2cca9 26-May-2021 Andrey Suvorov

Enabling SSL_CTX configuration by using SSL_CONF_cmd().

To perform various configuration operations on SSL_CTX, OpenSSL provides
SSL_CONF_cmd(). Specifically, to configure ciphers for a listener,
"CipherString" and "Ciphersuites" file commands are used:
https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html

This feature can be configured in the "tls/conf_commands" section.



# 1884:4645a43bc248 26-May-2021 Andrey Suvorov

Fixing crash during TLS connection shutdown.

A crash was caused by an incorrect timer handler nxt_h1p_idle_timeout() if
SSL_shutdown() returned SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE.

The flag SSL_RECEIVED_SHUTDOWN is used to avoid getting SSL_ERROR_WANT_READ, so
the server won't wait for a close notification from a client.

For SSL_ERROR_WANT_WRITE, a correct timer handler is set up.



Revision tags: 1.23.0-1, 1.23.0
# 1828:c548e46fe516 24-Mar-2021 Andrey Suvorov

Added ability to configure multiple certificates on a listener.

The certificate is selected by matching the arriving SNI to the common name and
the alternative names. If no certificate matches the name, the first bundle in
the array is chosen.

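The selection rule from this commit, together with the no-SNI handling from the later commit 1921 above (a missing server name is a normal condition and must not abort the handshake), as an added example that is not Unit's own code: the bundle is chosen by an exact, case-insensitive comparison of the server name against the common name and the alternative names, and a missing or unmatched name falls back to the first bundle in the array. Wildcard names are deliberately not handled, the tls_bundle_t type, the function names and the three sample bundles are constructed for the example, and the real callback would return SSL_TLSEXT_ERR_OK in every case shown here.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not NGINX Unit's code: certificate-bundle selection by SNI. */
#define MAX_ALT_NAMES 4

typedef struct {
    const char *label;                       /* for logging only */
    const char *common_name;
    const char *alt_names[MAX_ALT_NAMES];    /* NULL-terminated */
} tls_bundle_t;

/* Hostnames are case-insensitive; no wildcard handling in this example. */
static int hostname_equal(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++) {
        if (tolower((unsigned char) *a) != tolower((unsigned char) *b)) {
            return 0;
        }
    }
    return *a == '\0' && *b == '\0';
}

static int bundle_matches(const tls_bundle_t *bundle, const char *sni)
{
    size_t i;

    if (hostname_equal(bundle->common_name, sni)) {
        return 1;
    }
    for (i = 0; i < MAX_ALT_NAMES && bundle->alt_names[i] != NULL; i++) {
        if (hostname_equal(bundle->alt_names[i], sni)) {
            return 1;
        }
    }
    return 0;
}

/* Index of the bundle to serve.  Absent SNI is a normal condition, not an
 * error, so it and an unmatched name both select the first bundle. */
size_t select_bundle(const tls_bundle_t *bundles, size_t count, const char *sni)
{
    size_t i;

    if (sni == NULL || *sni == '\0') {
        return 0;
    }
    for (i = 0; i < count; i++) {
        if (bundle_matches(&bundles[i], sni)) {
            return i;
        }
    }
    return 0;
}

/* Constructed sample listener with three bundles (hypothetical names). */
static const tls_bundle_t sample_bundles[] = {
    { "www",   "www.example.com",   { "example.com", NULL } },
    { "api",   "api.example.com",   { "api.example.net", NULL } },
    { "admin", "admin.example.com", { NULL } },
};

#define SAMPLE_COUNT (sizeof(sample_bundles) / sizeof(sample_bundles[0]))

/* Wrapper over the sample listener so verdicts are easy to check. */
size_t select_sample(const char *sni)
{
    return select_bundle(sample_bundles, SAMPLE_COUNT, sni);
}

int main(void)
{
    const char *names[] = { NULL, "api.example.com", "API.EXAMPLE.NET",
                            "example.com", "admin.example.com",
                            "nomatch.example.org" };
    size_t i;

    for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        size_t idx = select_sample(names[i]);
        printf("SNI %-20s -> bundle \"%s\"\n",
               names[i] != NULL ? names[i] : "(none)",
               sample_bundles[idx].label);
    }
    return 0;
}
```

One consequence worth checking in any deployment that relies on this rule: because an unmatched name silently gets the first bundle, the order of the certificate array decides which certificate a client with an unexpected or empty server name sees, so the bundle meant as the default belongs first.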


# 1818:fa6569d00fe4 24-Mar-2021 Max Romanov

Workaround for an OpenSSL bug about not closing /dev/*random.

This is a workaround for an issue in OpenSSL 1.1.1, where the /dev/random and
/dev/urandom files remain open after all listening sockets were removed:

- https://github.com/openssl/openssl/issues/7419



# 1812:71adb995a9af 15-Mar-2021 Valentin Bartenev

Fixed TLS connection shutdown on errors.

An immediate return statement on connection errors was mistakenly added to the
beginning of nxt_openssl_conn_io_shutdown() in ecd3c5bbf7d8, breaking the TLS
connection finalization procedure. As a result, a TLS connection was left
unfinalized if it had been closed prematurely or a fatal protocol error had
occurred, which caused memory and socket descriptor leakage.

Moreover, in some cases (notably, on handshake errors in tests with kqueue on
macOS) the read event was triggered later and nxt_h1p_conn_error() was called
the second time; after the change in af93c866b4f0, the latter call crashed the
router process in an attempt to remove a connection from the idle queue twice.



Revision tags: 1.22.0-1, 1.22.0, 1.21.0-1, 1.21.0, 1.20.0-1, 1.20.0, 1.19.0-1, 1.19.0, 1.18.0-1, 1.18.0, 1.17.0-1, 1.17.0, 1.16.0-1, 1.16.0, 1.15.0-1, 1.15.0
# 1354:28b20548f5ae 05-Feb-2020 Tiago Natel de Moura

Kept the value of c->socket.read_handler while data is available.

This closes #370 in GitHub.


Revision tags: 1.14.0-1, 1.14.0, 1.13.0-1, 1.13.0, 1.12.0-1, 1.12.0
# 1212:bfd7a1ce1c07 30-Sep-2019 Igor Sysoev

Fixed error processing in SSL operations.

Before this fix, the EWOULDBLOCK error was fatal for SSL write operations.

This closes #325 issue on GitHub.


Revision tags: 1.11.0-2, 1.11.0-1, 1.11.0, 1.10.0-2, 1.10.0-1, 1.10.0, 1.9.0-1, 1.9.0, 1.8.0-1, 1.8.0
# 990:4c469dbeee4a 01-Mar-2019 Igor Sysoev

Fixed TLS connections hanging.

After an event is delivered from the kernel, its further processing is blocked.
A non-ready TLS I/O operation should mark the connection I/O state as not ready
to unblock events and to allow their further processing. Otherwise
the connection hangs.



Revision tags: 1.7.1-1, 1.7.1, 1.7-1, 1.7, 1.6-1, 1.6
# 836:ecd3c5bbf7d8 13-Nov-2018 Igor Sysoev

Checking error states in I/O handlers.


# 833:9258a64a8bf9 13-Nov-2018 Valentin Bartenev

Fixed nxt_openssl_chain_file() return type.

This closes #182 issue on GitHub.
Thanks to 洪志道 (Hong Zhi Dao).


Revision tags: 1.5-1, 1.5
# 808:a148b7d3942c 22-Oct-2018 Sergey Kandaurov

Compatibility with LibreSSL.

LibreSSL uses high OPENSSL_VERSION_NUMBER, but has no SSL_CTX_add0_chain_cert().


Revision tags: 1.4-2, 1.4
# 774:b21709350c49 20-Sep-2018 Valentin Bartenev

Controller: certificates storage interface.


# 771:f349b2d68e75 20-Sep-2018 Igor Sysoev

Added SSL/TLS support on connection level.


Revision tags: 1.3, 1.2, 1.1, 1.0, 0.7
# 564:762f8c976ead 05-Mar-2018 Valentin Bartenev

Reduced number of critical log levels.


Revision tags: 0.6, 0.5, 0.4, 0.3, 0.2, 0.1
# 65:10688b89aa16 20-Jun-2017 Igor Sysoev

Using new memory pool implementation.


# 62:5e1efcc7b740 14-Jun-2017 Igor Sysoev

nxt_event_conn_... functions and structures have been renamed
to nxt_conn_...

