Revision tags: 1.32.0-1, 1.32.0 |
|
#
2617:18a10bb7346d |
| 16-Jan-2024 |
Andrei Zeliankou |
White space formatting fixes
Closes: <https://github.com/nginx/unit/pull/1062>
|
Revision tags: 1.31.1-1, 1.31.1, 1.31.0-1, 1.31.0, 1.30.0-1, 1.30.0, 1.29.1-1, 1.29.1, 1.29.0-1, 1.29.0 |
|
#
2231:5b3a69fd47a7 |
| 02-Nov-2022 |
Alejandro Colomar |
Removed the unsafe nxt_memcmp() wrapper for memcmp(3).
The casts are unnecessary, since memcmp(3)'s arguments are 'void *'. It might have been necessary in the times of K&R, where 'void *' didn't exist. Nowadays, it's unnecessary, and _very_ unsafe, since casts can hide all classes of bugs by silencing most compiler warnings.
The changes from nxt_memcmp() to memcmp(3) were scripted:
$ find src/ -type f \
    | grep '\.[ch]$' \
    | xargs sed -i 's/nxt_memcmp/memcmp/'
Reviewed-by: Andrew Clayton <a.clayton@nginx.com>
Signed-off-by: Alejandro Colomar <alx@nginx.com>
|
#
2224:478701bc6706 |
| 18-Nov-2021 |
Remi Collet |
TLS: Using ERR_get_error_all() with OpenSSL 3.
Link: <https://www.openssl.org/docs/man3.0/man7/migration_guide.html>
Cc: Andy Postnikov <apostnikov@gmail.com>
Cc: Andrew Clayton <a.clayton@nginx.com>
Signed-off-by: Remi Collet <remi@remirepo.net>
Signed-off-by: Alejandro Colomar <alx@nginx.com>
|
#
2223:1019031754fe |
| 16-Jan-2019 |
Remi Collet |
Preferring system crypto policy.
If we don't call SSL_CTX_set_cipher_list(), then it uses the system's default.
Link: <https://fedoraproject.org/wiki/Changes/CryptoPolicy>
Link: <https://docs.fedoraproject.org/en-US/packaging-guidelines/CryptoPolicies/>
Link: <https://www.redhat.com/en/blog/consistent-security-crypto-policies-red-hat-enterprise-linux-8>
Signed-off-by: Remi Collet <remi@remirepo.net>
Acked-by: Andrei Belov <defan@nginx.com>
[ alx: add changelog and tweak commit message ]
Signed-off-by: Alejandro Colomar <alx@nginx.com>
|
Revision tags: 1.28.0-1, 1.28.0, 1.27.0-1, 1.27.0 |
|
#
2090:e6102bb58d1d |
| 11-May-2022 |
Sergey Kandaurov |
Using SSL_OP_IGNORE_UNEXPECTED_EOF.
A new behaviour was introduced in OpenSSL 1.1.1e, when a peer does not send close_notify before closing the connection. Previously, it was to return SSL_ERROR_SYSCALL with errno 0, known since at least OpenSSL 0.9.7, and is handled gracefully in unitd. Now it returns SSL_ERROR_SSL with a distinct reason SSL_R_UNEXPECTED_EOF_WHILE_READING ("unexpected eof while reading"). This leads to critical errors seen in nginx within various routines such as SSL_do_handshake(), SSL_read(), SSL_shutdown(). The behaviour was restored in OpenSSL 1.1.1f, but presents in OpenSSL 3.0 by default.
Use of the SSL_OP_IGNORE_UNEXPECTED_EOF option added in OpenSSL 3.0 allows setting a compatible behaviour to return SSL_ERROR_ZERO_RETURN: https://git.openssl.org/?p=openssl.git;a=commitdiff;h=09b90e0
See for additional details: https://github.com/openssl/openssl/issues/11381
|
#
2089:dcec02b45917 |
| 11-May-2022 |
Sergey Kandaurov |
Using OPENSSL_SUPPRESS_DEPRECATED.
The macro is used to suppress deprecation warnings with OpenSSL 3.0.
Unlike OPENSSL_API_COMPAT, it works well with OpenSSL built with no-deprecated. In particular, it doesn't unhide various macros in OpenSSL includes, which are meant to be hidden under OPENSSL_NO_DEPRECATED.
|
#
2077:624e51cfe97a |
| 18-Dec-2021 |
Alejandro Colomar |
Removed special cases for non-NXT_CONF_VALUE_ARRAY.
The previous commit added more generic APIs for handling NXT_CONF_VALUE_ARRAY and non-NXT_CONF_VALUE_ARRAY together. Modify calling code to remove special cases for arrays and non-arrays, taking special care that the path for non arrays is logically equivalent to the previous special cased code. Use the now-generic array code only.
|
Revision tags: 1.26.1-1, 1.26.1, 1.26.0-1, 1.26.0 |
|
#
1975:6a47cab8f271 |
| 26-Oct-2021 |
Valentin Bartenev |
Custom implementation of Base64 decoding function.
Compared to the previous implementation based on OpenSSL, the new implementation has these advantages:
1. Strict and reliable detection of invalid strings, including strings with less than 4 bytes of garbage at the end;
2. Allows to use Base64 strings without '=' padding.
|
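The two properties claimed in the commit above (strict rejection of invalid input, including one to three bytes of trailing garbage, and acceptance of unpadded strings) are easy to state and easy to get wrong. The decoder below is an added example written for this page; it is not Unit's nxt_base64_decode() and makes no claim about how that function is structured. It checks the four things a strict decoder has to check: alphabet membership of every symbol, that padding appears only at the end and completes the final group, that the data symbols are not left with a dangling single symbol, and that the unused low bits of the last symbol are zero, so non-canonical encodings such as "TR==" are refused rather than silently truncated.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Added example, not Unit's nxt_base64_decode(): a strict Base64 decoder.
 * It accepts the standard alphabet with or without '=' padding and rejects
 *   - any character outside the alphabet (including '=' mid-string),
 *   - a dangling single symbol at the end (6 bits cannot form a byte),
 *   - padding whose length does not complete the final group of four,
 *   - non-zero leftover bits in the final symbol (non-canonical input),
 * so trailing garbage of one to three bytes is caught instead of swallowed.
 * Returns the decoded length, or -1 on invalid input or a too-small buffer.
 */

static int
b64_value(unsigned char c)
{
    if (c >= 'A' && c <= 'Z') { return c - 'A'; }
    if (c >= 'a' && c <= 'z') { return c - 'a' + 26; }
    if (c >= '0' && c <= '9') { return c - '0' + 52; }
    if (c == '+') { return 62; }
    if (c == '/') { return 63; }
    return -1;
}

long
strict_base64_decode(const char *src, size_t len,
                     unsigned char *dst, size_t dst_size)
{
    size_t    i, out, pad;
    uint32_t  acc;
    int       v, nbits;

    /* Only trailing padding is legal, and at most two characters of it. */
    pad = 0;
    while (len > 0 && src[len - 1] == '=') {
        len--;
        pad++;
    }
    if (pad > 2) {
        return -1;
    }

    /* Data symbols must fill whole bytes: a lone trailing symbol is garbage. */
    if (len % 4 == 1) {
        return -1;
    }

    /* If padding is present it must complete the last group of four. */
    if (pad != 0 && (len + pad) % 4 != 0) {
        return -1;
    }

    acc = 0;
    nbits = 0;
    out = 0;

    for (i = 0; i < len; i++) {
        v = b64_value((unsigned char) src[i]);
        if (v < 0) {
            return -1;
        }
        acc = (acc << 6) | (uint32_t) v;
        nbits += 6;
        if (nbits >= 8) {
            nbits -= 8;
            if (out >= dst_size) {
                return -1;
            }
            dst[out++] = (unsigned char) (acc >> nbits);
            acc &= (1u << nbits) - 1;
        }
    }

    /* Bits left over in the last symbol must be zero (canonical encoding). */
    if (acc != 0) {
        return -1;
    }
    return (long) out;
}

/* Helpers for exercising the decoder on C strings (constructed inputs). */
long
decode_len(const char *src)
{
    unsigned char  buf[64];
    return strict_base64_decode(src, strlen(src), buf, sizeof(buf));
}

int
decodes_to(const char *src, const char *expected)
{
    unsigned char  buf[64];
    long           n = strict_base64_decode(src, strlen(src), buf, sizeof(buf));
    return n >= 0 && (size_t) n == strlen(expected)
           && memcmp(buf, expected, (size_t) n) == 0;
}
```

With these rules "TWFu", "TWE=", "TWE" and "TQ==" all decode, while "T", "TWFuT", "TW=E", "TWE==" and "TR==" are rejected; a decoder that only looks at length or only at the alphabet accepts several of the latter.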
#
1967:98e518a1c90e |
| 08-Oct-2021 |
Artem Konev |
Fixed invalid call sequence in nxt_tls_ticket_key_callback().
The bug has been introduced in 0bca988e9541.
|
#
1952:0bca988e9541 |
| 25-Aug-2021 |
Valentin Bartenev |
TLS: refactored nxt_tls_ticket_key_callback().
Deduplicated code and improved style. No functional changes.
|
Revision tags: 1.25.0-1, 1.25.0 |
|
#
1942:296628096d6c |
| 17-Aug-2021 |
Andrey Suvorov |
Added TLS session tickets support.
|
#
1921:b0deb6fa9219 |
| 22-Jul-2021 |
Andrey Suvorov |
Changing SNI callback return code if a client sends no SNI.
A client sending no SNI is a common situation. But currently the server processes it as an error and returns SSL_TLSEXT_ERR_ALERT_FATAL, causing termination of the current TLS session. The problem occurs if the configuration has more than one certificate bundle in a listener.
This fix changes the return code to SSL_TLSEXT_ERR_OK and the log level of a message.
|
#
1920:7c19530e2502 |
| 21-Jul-2021 |
Andrey Suvorov |
Enabling configure TLS sessions.
To support TLS sessions, Unit uses the OpenSSL built-in session cache; the cache_size option defines the number of sessions to store. To disable the feature, the option must be zero.
|
Revision tags: 1.24.0-1, 1.24.0 |
|
#
1885:09b857a2cca9 |
| 26-May-2021 |
Andrey Suvorov |
Enabling SSL_CTX configuration by using SSL_CONF_cmd().
To perform various configuration operations on SSL_CTX, OpenSSL provides SSL_CONF_cmd(). Specifically, to configure ciphers for a listener, "CipherString" and "Ciphersuites" file commands are used: https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html
This feature can be configured in the "tls/conf_commands" section.
|
#
1884:4645a43bc248 |
| 26-May-2021 |
Andrey Suvorov |
Fixing crash during TLS connection shutdown.
A crash was caused by an incorrect timer handler nxt_h1p_idle_timeout() if SSL_shutdown() returned SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE.
The flag SSL_RECEIVED_SHUTDOWN is used to avoid getting SSL_ERROR_WANT_READ, so the server won't wait for a close notification from a client.
For SSL_ERROR_WANT_WRITE, a correct timer handler is set up.
|
Revision tags: 1.23.0-1, 1.23.0 |
|
#
1828:c548e46fe516 |
| 24-Mar-2021 |
Andrey Suvorov |
Added ability to configure multiple certificates on a listener.
The certificate is selected by matching the arriving SNI to the common name and the alternative names. If no certificate matches the name, the first bundle in the array is chosen.
|
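The selection rule in the commit above, together with the SNI-callback change at b0deb6fa9219 (no SNI is not an error), amounts to a small lookup that is worth seeing end to end. The code below is an added example written for this page, not Unit's nxt_openssl.c: it matches the SNI host name against each bundle's common name and subject alternative names and falls back to bundle 0 both when the client sent no SNI and when nothing matched. The case-insensitive comparison and the single-label wildcard ("*.example.net") are assumptions of this example; the commit messages do not say how Unit compares names. The bundle list is a constructed sample.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/*
 * Added example, not Unit's code: choose a certificate bundle for a listener
 * from the SNI host name.  A handshake without SNI, or an SNI that matches
 * nothing, selects bundle 0 instead of aborting the session.  Wildcard and
 * case-insensitive matching are assumptions of this example.
 */

#define MAX_ALT_NAMES  4

typedef struct {
    const char  *common_name;
    const char  *alt_names[MAX_ALT_NAMES];  /* NULL-terminated */
} tls_bundle_t;

/* Case-insensitive equality of two host names. */
static int
host_eq(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++) {
        if (tolower((unsigned char) *a) != tolower((unsigned char) *b)) {
            return 0;
        }
    }
    return *a == '\0' && *b == '\0';
}

/* "*.example.net" matches exactly one non-empty leftmost label (assumption). */
static int
host_matches(const char *pattern, const char *host)
{
    const char  *dot;

    if (pattern == NULL) {
        return 0;
    }
    if (pattern[0] == '*' && pattern[1] == '.') {
        dot = strchr(host, '.');
        if (dot == NULL || dot == host) {
            return 0;
        }
        return host_eq(pattern + 1, dot);
    }
    return host_eq(pattern, host);
}

/* Index of the bundle to present; 0 when no SNI was sent or nothing matched. */
size_t
select_bundle(const tls_bundle_t *bundles, size_t n, const char *sni)
{
    size_t  i, j;

    /* SSL_get_servername() yields NULL when the client sent no SNI. */
    if (sni == NULL || *sni == '\0' || n == 0) {
        return 0;
    }

    for (i = 0; i < n; i++) {
        if (host_matches(bundles[i].common_name, sni)) {
            return i;
        }
        for (j = 0; j < MAX_ALT_NAMES && bundles[i].alt_names[j] != NULL; j++) {
            if (host_matches(bundles[i].alt_names[j], sni)) {
                return i;
            }
        }
    }
    return 0;
}

/* Constructed sample listener with three bundles. */
static const tls_bundle_t  sample_bundles[] = {
    { "www.example.com", { "example.com", NULL } },
    { "api.example.org", { NULL } },
    { "*.example.net",   { "example.net", NULL } },
};

size_t
select_sample(const char *sni)
{
    return select_bundle(sample_bundles,
                         sizeof(sample_bundles) / sizeof(sample_bundles[0]),
                         sni);
}
```

The fallback to bundle 0 is the part to keep in mind when ordering bundles in a listener: the first entry is what every client without SNI, and every client asking for an unknown name, will be shown.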
#
1818:fa6569d00fe4 |
| 24-Mar-2021 |
Max Romanov |
Workaround for an OpenSSL bug about not closing /dev/*random.
This is a workaround for an issue in OpenSSL 1.1.1, where the /dev/random and /dev/urandom files remain open after all listening sockets were removed:
- https://github.com/openssl/openssl/issues/7419
|
#
1812:71adb995a9af |
| 15-Mar-2021 |
Valentin Bartenev |
Fixed TLS connection shutdown on errors.
An immediate return statement on connection errors was mistakenly added to the beginning of nxt_openssl_conn_io_shutdown() in ecd3c5bbf7d8, breaking the TLS connection finalization procedure. As a result, a TLS connection was left unfinalized if it had been closed prematurely or a fatal protocol error had occurred, which caused memory and socket descriptor leakage.
Moreover, in some cases (notably, on handshake errors in tests with kqueue on macOS) the read event was triggered later and nxt_h1p_conn_error() was called the second time; after the change in af93c866b4f0, the latter call crashed the router process in an attempt to remove a connection from the idle queue twice.
|
Revision tags: 1.22.0-1, 1.22.0, 1.21.0-1, 1.21.0, 1.20.0-1, 1.20.0, 1.19.0-1, 1.19.0, 1.18.0-1, 1.18.0, 1.17.0-1, 1.17.0, 1.16.0-1, 1.16.0, 1.15.0-1, 1.15.0 |
|
#
1354:28b20548f5ae |
| 05-Feb-2020 |
Tiago Natel de Moura |
Kept the value of c->socket.read_handler while data is available.
This closes #370 in GitHub.
|
Revision tags: 1.14.0-1, 1.14.0, 1.13.0-1, 1.13.0, 1.12.0-1, 1.12.0 |
|
#
1212:bfd7a1ce1c07 |
| 30-Sep-2019 |
Igor Sysoev |
Fixed error processing in SSL operations.
Before this fix EWOULDBLOCK error was fatal for SSL write operation.
This closes #325 issue on GitHub.
|
Revision tags: 1.11.0-2, 1.11.0-1, 1.11.0, 1.10.0-2, 1.10.0-1, 1.10.0, 1.9.0-1, 1.9.0, 1.8.0-1, 1.8.0 |
|
#
990:4c469dbeee4a |
| 01-Mar-2019 |
Igor Sysoev |
Fixed TLS connections hanging.
After an event is delivered from the kernel, its further processing is blocked. A non-ready TLS I/O operation should mark the connection I/O state as not ready to unblock events and to allow their further processing. Otherwise the connection hangs.
|
Revision tags: 1.7.1-1, 1.7.1, 1.7-1, 1.7, 1.6-1, 1.6 |
|
#
836:ecd3c5bbf7d8 |
| 13-Nov-2018 |
Igor Sysoev |
Checking error states in I/O handlers.
|
#
833:9258a64a8bf9 |
| 13-Nov-2018 |
Valentin Bartenev |
Fixed nxt_openssl_chain_file() return type.
This closes #182 issue on GitHub. Thanks to 洪志道 (Hong Zhi Dao).
|
Revision tags: 1.5-1, 1.5 |
|
#
808:a148b7d3942c |
| 22-Oct-2018 |
Sergey Kandaurov |
Compatibility with LibreSSL.
LibreSSL uses high OPENSSL_VERSION_NUMBER, but has no SSL_CTX_add0_chain_cert().
|
Revision tags: 1.4-2, 1.4 |
|
#
774:b21709350c49 |
| 20-Sep-2018 |
Valentin Bartenev |
Controller: certificates storage interface.
|