From mdounin at mdounin.ru Sun Feb 2 23:50:41 2014
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Mon, 3 Feb 2014 03:50:41 +0400
Subject: $request_time is 0.000 with gzip/chunked?
In-Reply-To:
References: <52EA24BE.6070702@citrin.ru> <20140131024028.GI1835@mdounin.ru> <20140131135504.GQ1835@mdounin.ru>
Message-ID: <20140202235041.GB1835@mdounin.ru>

Hello!

On Sat, Feb 01, 2014 at 08:43:19AM +1300, Robert Coup wrote:

> Hi Maxim,
>
> On Saturday, 1 February 2014, Maxim Dounin wrote:
>
> > If you just care about precision of a time measured, on Linux you may try
> > using timer_resolution with some reasonable value like 10ms. On
> > Linux time is updated using signals in this case, and time logged
> > will be more accurate regardless of how long event loop iteration
> > takes.
>
> Aha, so timer_resolution will "fix" it on Linux? (Our production boxes are
> Linux, my current testing was OSX). On OSX it looked like timer_resolution
> never ran while the gzipping was happening, I just assumed it would be
> similar cross-platform (though I did test I could replicate the original issue
> on both).

The timer_resolution directive documentation contains various details on how it works. Source code may help, too - you are writing to nginx-devel@ list after all.

> > The really bad thing is actually that this can easily introduce
> > potentially huge latency spikes. If this often happens in
> > practice, it might be a good idea to introduce something similar
> > to sendfile_max_chunk we already have to resolve similar problems
> > with sendfile(), see http://nginx.org/r/sendfile_max_chunk.
>
> So where could/would the max chunk limit sit? At the socket-write end of
> the process?

Likely in ngx_output_chain().

--
Maxim Dounin
http://nginx.org/

From mdounin at mdounin.ru Mon Feb 3 13:04:44 2014
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Mon, 3 Feb 2014 17:04:44 +0400
Subject: [PATCH] Use ngx_socket_errno where appropriate.
In-Reply-To:
References: <20140131043525.GF31221@lo0.su> <20140131113844.GJ1835@mdounin.ru>
Message-ID: <20140203130444.GJ1835@mdounin.ru>

Hello!

On Fri, Jan 31, 2014 at 12:52:05PM -0800, Piotr Sikora wrote:

> Hey,
> I agree with Maxim, there is no reason to limit the use of
> ngx_socket_errno only to the cross-platform code.

Note that I still agree with Ruslan's comments to your patch, use of ngx_socket_errno to check errors from ioctl() / fcntl() in unix-specific code looks unneeded. And in case of eventfd - it looks certainly wrong, as eventfd isn't a socket.

I would rather drop most of the src/os/unix changes, probably with the exception of ngx_tcp_nopush() checks.

--
Maxim Dounin
http://nginx.org/

From piotr at cloudflare.com Mon Feb 3 22:22:39 2014
From: piotr at cloudflare.com (Piotr Sikora)
Date: Mon, 3 Feb 2014 14:22:39 -0800
Subject: [PATCH] Use ngx_socket_errno where appropriate.
In-Reply-To: <20140203130444.GJ1835@mdounin.ru>
References: <20140131043525.GF31221@lo0.su> <20140131113844.GJ1835@mdounin.ru> <20140203130444.GJ1835@mdounin.ru>
Message-ID:

Hey,

> Note that I still agree with Ruslan's comments to your patch, use
> of ngx_socket_errno to check errors from ioctl() / fcntl() in
> unix-specific code looks unneeded. And in case of eventfd - it
> looks certainly wrong, as eventfd isn't a socket.
>
> I would rather drop most of the src/os/unix changes, probably with
> the exception of ngx_tcp_nopush() checks.

Done.

Best regards,
Piotr Sikora

# HG changeset patch
# User Piotr Sikora
# Date 1391465837 28800
# Mon Feb 03 14:17:17 2014 -0800
# Node ID 810f410714ed6985a5350a294bc38a3c29f30eb3
# Parent 3c5ddf0575d850dca5d0ee645394c1c734f2b75f
Use ngx_socket_errno where appropriate.

Signed-off-by: Piotr Sikora

diff -r 3c5ddf0575d8 -r 810f410714ed src/core/ngx_connection.c
--- a/src/core/ngx_connection.c Thu Jan 30 14:58:21 2014 -0800 +++ b/src/core/ngx_connection.c Mon Feb 03 14:17:17 2014 -0800 @@ -244,7 +244,7 @@ ngx_set_inherited_sockets(ngx_cycle_t *c if (getsockopt(ls[i].fd, SOL_SOCKET, SO_ACCEPTFILTER, &af, &olen) == -1) { - err = ngx_errno; + err = ngx_socket_errno; if (err == NGX_EINVAL) { continue; @@ -277,7 +277,7 @@ ngx_set_inherited_sockets(ngx_cycle_t *c if (getsockopt(ls[i].fd, IPPROTO_TCP, TCP_DEFER_ACCEPT, &timeout, &olen) == -1) { - err = ngx_errno; + err = ngx_socket_errno; if (err == NGX_EOPNOTSUPP) { continue; @@ -661,7 +661,7 @@ ngx_configure_listening_sockets(ngx_cycl if (setsockopt(ls[i].fd, SOL_SOCKET, SO_ACCEPTFILTER, NULL, 0) == -1) { - ngx_log_error(NGX_LOG_ALERT, cycle->log, ngx_errno, + ngx_log_error(NGX_LOG_ALERT, cycle->log, ngx_socket_errno, "setsockopt(SO_ACCEPTFILTER, NULL) " "for %V failed, ignored", &ls[i].addr_text); @@ -688,7 +688,7 @@ ngx_configure_listening_sockets(ngx_cycl &af, sizeof(struct accept_filter_arg)) == -1) { - ngx_log_error(NGX_LOG_ALERT, cycle->log, ngx_errno, + ngx_log_error(NGX_LOG_ALERT, cycle->log, ngx_socket_errno, "setsockopt(SO_ACCEPTFILTER, \"%s\") " "for %V failed, ignored", ls[i].accept_filter, &ls[i].addr_text); @@ -721,7 +721,7 @@ ngx_configure_listening_sockets(ngx_cycl &value, sizeof(int)) == -1) { - ngx_log_error(NGX_LOG_ALERT, cycle->log, ngx_errno, + ngx_log_error(NGX_LOG_ALERT, cycle->log, ngx_socket_errno, "setsockopt(TCP_DEFER_ACCEPT, %d) for %V failed, " "ignored", value, &ls[i].addr_text); diff -r 3c5ddf0575d8 -r 810f410714ed src/http/ngx_http_request.c --- a/src/http/ngx_http_request.c Thu Jan 30 14:58:21 2014 -0800 +++ b/src/http/ngx_http_request.c Mon Feb 03 14:17:17 2014 -0800 @@ -2707,7 +2707,7 @@ ngx_http_test_reading(ngx_http_request_t if (getsockopt(c->fd, SOL_SOCKET, SO_ERROR, (void *) &err, &len) == -1) { - err = ngx_errno; + err = ngx_socket_errno; } goto closed; diff -r 3c5ddf0575d8 -r 810f410714ed src/http/ngx_http_upstream.c 
--- a/src/http/ngx_http_upstream.c Thu Jan 30 14:58:21 2014 -0800 +++ b/src/http/ngx_http_upstream.c Mon Feb 03 14:17:17 2014 -0800 @@ -1096,7 +1096,7 @@ ngx_http_upstream_check_broken_connectio if (getsockopt(c->fd, SOL_SOCKET, SO_ERROR, (void *) &err, &len) == -1) { - err = ngx_errno; + err = ngx_socket_errno; } if (err) { @@ -1977,7 +1977,7 @@ ngx_http_upstream_test_connect(ngx_conne if (getsockopt(c->fd, SOL_SOCKET, SO_ERROR, (void *) &err, &len) == -1) { - err = ngx_errno; + err = ngx_socket_errno; } if (err) { diff -r 3c5ddf0575d8 -r 810f410714ed src/os/unix/ngx_freebsd_sendfile_chain.c --- a/src/os/unix/ngx_freebsd_sendfile_chain.c Thu Jan 30 14:58:21 2014 -0800 +++ b/src/os/unix/ngx_freebsd_sendfile_chain.c Mon Feb 03 14:17:17 2014 -0800 @@ -231,7 +231,7 @@ ngx_freebsd_sendfile_chain(ngx_connectio && c->tcp_nopush == NGX_TCP_NOPUSH_UNSET) { if (ngx_tcp_nopush(c->fd) == NGX_ERROR) { - err = ngx_errno; + err = ngx_socket_errno; /* * there is a tiny chance to be interrupted, however, diff -r 3c5ddf0575d8 -r 810f410714ed src/os/unix/ngx_linux_sendfile_chain.c --- a/src/os/unix/ngx_linux_sendfile_chain.c Thu Jan 30 14:58:21 2014 -0800 +++ b/src/os/unix/ngx_linux_sendfile_chain.c Mon Feb 03 14:17:17 2014 -0800 @@ -163,7 +163,7 @@ ngx_linux_sendfile_chain(ngx_connection_ if (setsockopt(c->fd, IPPROTO_TCP, TCP_NODELAY, (const void *) &tcp_nodelay, sizeof(int)) == -1) { - err = ngx_errno; + err = ngx_socket_errno; /* * there is a tiny chance to be interrupted, however, @@ -189,7 +189,7 @@ ngx_linux_sendfile_chain(ngx_connection_ if (c->tcp_nodelay == NGX_TCP_NODELAY_UNSET) { if (ngx_tcp_nopush(c->fd) == NGX_ERROR) { - err = ngx_errno; + err = ngx_socket_errno; /* * there is a tiny chance to be interrupted, however, -------------- next part -------------- A non-text attachment was scrubbed... Name: nginx__ngx_socket_errno.patch Type: application/octet-stream Size: 5419 bytes Desc: not available URL: From mdounin at mdounin.ru Tue Feb 4 01:05:33 2014 
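Review bot: on the unix side every hunk in this patch is behaviour-neutral, because ngx_errno and ngx_socket_errno both resolve to errno there; the change only matters for win32 builds, where ngx_errno reads GetLastError() while socket calls such as getsockopt()/setsockopt() report through WSAGetLastError(), so the SO_ERROR fallbacks in ngx_http_test_reading, ngx_http_upstream_check_broken_connection and ngx_http_upstream_test_connect would otherwise log an unrelated error code. That rationale belongs in the commit message, and it is also worth saying there that the ngx_freebsd_sendfile_chain and ngx_linux_sendfile_chain hunks (ngx_tcp_nopush() and TCP_NODELAY checks) are platform-specific code changed for consistency only.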
From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 04 Feb 2014 01:05:33 +0000 Subject: [nginx] Core: added ngx_encode_base64url(). Message-ID: details: http://hg.nginx.org/nginx/rev/a602e1006579 branches: changeset: 5551:a602e1006579 user: Maxim Dounin date: Tue Feb 04 04:59:21 2014 +0400 description: Core: added ngx_encode_base64url(). diffstat: src/core/ngx_string.c | 49 +++++++++++++++++++++++++++++++++++++------------ src/core/ngx_string.h | 1 + 2 files changed, 38 insertions(+), 12 deletions(-) diffs (97 lines): diff --git a/src/core/ngx_string.c b/src/core/ngx_string.c --- a/src/core/ngx_string.c +++ b/src/core/ngx_string.c @@ -11,6 +11,8 @@ static u_char *ngx_sprintf_num(u_char *buf, u_char *last, uint64_t ui64, u_char zero, ngx_uint_t hexadecimal, ngx_uint_t width); +static void ngx_encode_base64_internal(ngx_str_t *dst, ngx_str_t *src, + const u_char *basis, ngx_uint_t padding); static ngx_int_t ngx_decode_base64_internal(ngx_str_t *dst, ngx_str_t *src, const u_char *basis); 
@@ -1100,38 +1102,61 @@ ngx_hex_dump(u_char *dst, u_char *src, s void ngx_encode_base64(ngx_str_t *dst, ngx_str_t *src) { + static u_char basis64[] = + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; + + ngx_encode_base64_internal(dst, src, basis64, 1); +} + + +void +ngx_encode_base64url(ngx_str_t *dst, ngx_str_t *src) +{ + static u_char basis64[] = + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"; + + ngx_encode_base64_internal(dst, src, basis64, 0); +} + + +static void +ngx_encode_base64_internal(ngx_str_t *dst, ngx_str_t *src, const u_char *basis, + ngx_uint_t padding) +{ u_char *d, *s; size_t len; - static u_char basis64[] = - "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; len = src->len; s = src->data; d = dst->data; while (len > 2) { - *d++ = basis64[(s[0] >> 2) & 0x3f]; - *d++ = basis64[((s[0] & 3) << 4) | (s[1] >> 4)]; - *d++ = basis64[((s[1] & 0x0f) << 2) | (s[2] >> 6)]; - *d++ = basis64[s[2] & 0x3f]; + *d++ = basis[(s[0] >> 2) & 0x3f]; + *d++ = basis[((s[0] & 3) << 4) | (s[1] >> 4)]; + *d++ = basis[((s[1] & 0x0f) << 2) | (s[2] >> 6)]; + *d++ = basis[s[2] & 0x3f]; s += 3; len -= 3; } if (len) { - *d++ = basis64[(s[0] >> 2) & 0x3f]; + *d++ = basis[(s[0] >> 2) & 0x3f]; if (len == 1) { - *d++ = basis64[(s[0] & 3) << 4]; - *d++ = '='; + *d++ = basis[(s[0] & 3) << 4]; + if (padding) { + *d++ = '='; + } } else { - *d++ = basis64[((s[0] & 3) << 4) | (s[1] >> 4)]; - *d++ = basis64[(s[1] & 0x0f) << 2]; + *d++ = basis[((s[0] & 3) << 4) | (s[1] >> 4)]; + *d++ = basis[(s[1] & 0x0f) << 2]; } - *d++ = '='; + if (padding) { + *d++ = '='; + } } dst->len = d - dst->data; diff --git a/src/core/ngx_string.h b/src/core/ngx_string.h --- a/src/core/ngx_string.h +++ b/src/core/ngx_string.h 
@@ -183,6 +183,7 @@ u_char *ngx_hex_dump(u_char *dst, u_char #define ngx_base64_decoded_length(len) (((len + 3) / 4) * 3) void ngx_encode_base64(ngx_str_t *dst, ngx_str_t *src); +void ngx_encode_base64url(ngx_str_t *dst, ngx_str_t *src); ngx_int_t ngx_decode_base64(ngx_str_t *dst, ngx_str_t *src); ngx_int_t ngx_decode_base64url(ngx_str_t *dst, ngx_str_t *src); From mdounin at mdounin.ru Tue Feb 4 03:47:32 2014 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 04 Feb 2014 03:47:32 +0000 Subject: [nginx] Updated PCRE used for win32 builds. Message-ID: details: http://hg.nginx.org/nginx/rev/02ec169f683f branches: changeset: 5552:02ec169f683f user: Maxim Dounin date: Tue Feb 04 07:45:33 2014 +0400 description: Updated PCRE used for win32 builds. diffstat: misc/GNUmakefile | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diffs (12 lines): diff --git a/misc/GNUmakefile b/misc/GNUmakefile --- a/misc/GNUmakefile +++ b/misc/GNUmakefile @@ -7,7 +7,7 @@ TEMP = tmp OBJS = objs.msvc8 OPENSSL = openssl-1.0.1f ZLIB = zlib-1.2.8 -PCRE = pcre-8.33 +PCRE = pcre-8.34 release: export From ohtsu at iij.ad.jp Tue Feb 4 05:29:12 2014 From: ohtsu at iij.ad.jp (Shigeki Ohtsu) Date: Tue, 04 Feb 2014 14:29:12 +0900 Subject: [PATCH] SPDY: fixed shift length of priority Message-ID: <52F07AA8.5090304@iij.ad.jp> Hi, I've just found a bug in priority of spdy/3.1 as below. This is the first time for me to submit a patch to nginx, so please let me know if it is wrong to do it. # HG changeset patch # User Shigeki Ohtsu # Date 1391490383 -32400 # Tue Feb 04 14:06:23 2014 +0900 # Node ID 431ac513def9f6d51442222269ec17e90ddd8473 # Parent 02ec169f683f090902eef1df95903ef3b8558c12 SPDY: fixed shift length of priority A priority field of 3-bit length is followed by an unused field of 5-bit length in SYN_STREAM. diff -r 02ec169f683f -r 431ac513def9 src/http/ngx_http_spdy.c --- a/src/http/ngx_http_spdy.c Tue Feb 04 07:45:33 2014 +0400 +++ b/src/http/ngx_http_spdy.c Tue Feb 04 14:06:23 2014 +0900 
@@ -902,7 +902,7 @@ sc->length -= NGX_SPDY_SYN_STREAM_SIZE; sid = ngx_spdy_frame_parse_sid(pos); - prio = pos[8] >> 6; + prio = pos[8] >> 5; pos += NGX_SPDY_SYN_STREAM_SIZE; From vbart at nginx.com Tue Feb 4 10:53:06 2014 From: vbart at nginx.com (Valentin Bartenev) Date: Tue, 04 Feb 2014 10:53:06 +0000 Subject: [nginx] SPDY: fixed parsing of the priority field. Message-ID: details: http://hg.nginx.org/nginx/rev/60c4179f76ad branches: changeset: 5553:60c4179f76ad user: Shigeki Ohtsu date: Tue Feb 04 14:06:23 2014 +0900 description: SPDY: fixed parsing of the priority field. The size of the priority field is increased by one bit in spdy/3, and now it's a 3-bit field followed by 5 bits of unused space. But a shift of these bits hasn't been adjusted in 39d7eef2e332 accordingly. diffstat: src/http/ngx_http_spdy.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diffs (12 lines): diff -r 02ec169f683f -r 60c4179f76ad src/http/ngx_http_spdy.c --- a/src/http/ngx_http_spdy.c Tue Feb 04 07:45:33 2014 +0400 +++ b/src/http/ngx_http_spdy.c Tue Feb 04 14:06:23 2014 +0900 @@ -902,7 +902,7 @@ ngx_http_spdy_state_syn_stream(ngx_http_ sc->length -= NGX_SPDY_SYN_STREAM_SIZE; sid = ngx_spdy_frame_parse_sid(pos); - prio = pos[8] >> 6; + prio = pos[8] >> 5; pos += NGX_SPDY_SYN_STREAM_SIZE; From vbart at nginx.com Tue Feb 4 11:02:43 2014 
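Review bot: the corrected shift widens the range of prio from 0..3 (pos[8] >> 6) to 0..7 (pos[8] >> 5), which is what a 3-bit field followed by 5 unused bits requires, so every consumer of prio (array indexing, comparison against a maximum priority) should be audited for the wider range in the same change; the committed message pointing at 39d7eef2e332 as the revision that widened the field without adjusting the shift is the right starting point for that audit.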
From: vbart at nginx.com (Valentin V. Bartenev) Date: Tue, 04 Feb 2014 15:02:43 +0400 Subject: [PATCH] SPDY: fixed shift length of priority In-Reply-To: <52F07AA8.5090304@iij.ad.jp> References: <52F07AA8.5090304@iij.ad.jp> Message-ID: <2881199.LERSVeM0Cu@vbart-laptop> On Tuesday 04 February 2014 14:29:12 Shigeki Ohtsu wrote: > Hi, I've just found a bug in priority of spdy/3.1 as below. Nice catch, thank you. It is committed with a modified commit message: http://hg.nginx.org/nginx/rev/60c4179f76ad See also some notes below. > > This is the first time for me to submit a patch to nginx, so > please let me know if it is wrong to do it. > > # HG changeset patch > # User Shigeki Ohtsu > # Date 1391490383 -32400 > # Tue Feb 04 14:06:23 2014 +0900 > # Node ID 431ac513def9f6d51442222269ec17e90ddd8473 > # Parent 02ec169f683f090902eef1df95903ef3b8558c12 > SPDY: fixed shift length of priority Summary line must be ended with a dot. See also: http://nginx.org/en/docs/contributing_changes.html > > A priority field of 3-bit length is followed by an unused field of > 5-bit length in SYN_STREAM. I would rather mention that it is introduced by switching to spdy/3.1. > > diff -r 02ec169f683f -r 431ac513def9 src/http/ngx_http_spdy.c > --- a/src/http/ngx_http_spdy.c Tue Feb 04 07:45:33 2014 +0400 > +++ b/src/http/ngx_http_spdy.c Tue Feb 04 14:06:23 2014 +0900 > @@ -902,7 +902,7 @@ > sc->length -= NGX_SPDY_SYN_STREAM_SIZE; > > sid = ngx_spdy_frame_parse_sid(pos); > - prio = pos[8] >> 6; > + prio = pos[8] >> 5; > > pos += NGX_SPDY_SYN_STREAM_SIZE; > Your email client broke the patch. It's recommended to use mercurial patchbomb extension: http://mercurial.selenic.com/wiki/PatchbombExtension wbr, Valentin V. Bartenev From mdounin at mdounin.ru Tue Feb 4 12:35:23 2014 
From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 04 Feb 2014 12:35:23 +0000 Subject: [nginx] nginx-1.5.10-RELEASE Message-ID: details: http://hg.nginx.org/nginx/rev/b798fc020e3a branches: changeset: 5554:b798fc020e3a user: Maxim Dounin date: Tue Feb 04 16:26:46 2014 +0400 description: nginx-1.5.10-RELEASE diffstat: docs/xml/nginx/changes.xml | 79 ++++++++++++++++++++++++++++++++++++++++++++++ 1 files changed, 79 insertions(+), 0 deletions(-) diffs (89 lines): diff --git a/docs/xml/nginx/changes.xml b/docs/xml/nginx/changes.xml --- a/docs/xml/nginx/changes.xml +++ b/docs/xml/nginx/changes.xml @@ -5,6 +5,85 @@ + + + + +?????? ngx_http_spdy_module ?????? ?????????? ???????? SPDY 3.1.
+??????? Automattic ? MaxCDN ?? ????????????? ??????????. +
+ +the ngx_http_spdy_module now uses SPDY 3.1 protocol.
+Thanks to Automattic and MaxCDN for sponsoring this work. +
+
+ + + +?????? ngx_http_mp4_module ?????? ?????????? ???????, +??????? ??????? ?????, ??? ??????????? ?????????. + + +the ngx_http_mp4_module now skips tracks +too short for a seek requested. + + + + + +? ??????? ???????? ??? ????????? segmentation fault, +???? ?????????? $ssl_session_id ?????????????? ??? ????????????; +?????? ????????? ? 1.5.9. + + +a segmentation fault might occur in a worker process +if the $ssl_session_id variable was used in logs; +the bug had appeared in 1.5.9. + + + + + +?????????? $date_local ? $date_gmt ???????????? ???????? ?????? +??? ?????? ngx_http_ssi_filter_module. + + +the $date_local and $date_gmt variables used wrong format +outside of the ngx_http_ssi_filter_module. + + + + + +?????????? ?????????? ????? ????? ???????????, +???? ????????????? ?????????? accept; +?????? ????????? ? 1.3.15. + + +client connections might be immediately closed +if deferred accept was used; +the bug had appeared in 1.3.15. + + + + + +????????? "getsockopt(TCP_FASTOPEN) ... failed" ???????????? ? ??? +? ???????? ?????????? ???????????? ????? ?? Linux; +?????? ????????? ? 1.5.8.
+??????? Piotr Sikora. +
+ +alerts "getsockopt(TCP_FASTOPEN) ... failed" appeared in logs +during binary upgrade on Linux; +the bug had appeared in 1.5.8.
+Thanks to Piotr Sikora. +
+
+ +
+ + From mdounin at mdounin.ru Tue Feb 4 12:35:24 2014 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 04 Feb 2014 12:35:24 +0000 Subject: [nginx] release-1.5.10 tag Message-ID: details: http://hg.nginx.org/nginx/rev/3abb7076b3ec branches: changeset: 5555:3abb7076b3ec user: Maxim Dounin date: Tue Feb 04 16:26:46 2014 +0400 description: release-1.5.10 tag diffstat: .hgtags | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diffs (8 lines): diff --git a/.hgtags b/.hgtags --- a/.hgtags +++ b/.hgtags @@ -365,3 +365,4 @@ 70c5cd3a61cb476c2afb3a61826e59c7cda0b7a7 9ba2542d75bf62a3972278c63561fc2ef5ec573a release-1.5.7 eaa76f24975948b0ce8be01838d949122d44ed67 release-1.5.8 5a1759f33b7fa6270e1617c08d7e655b7b127f26 release-1.5.9 +b798fc020e3a84ef68e6c9f47865a319c826d33c release-1.5.10 From ohtsu at iij.ad.jp Tue Feb 4 14:54:41 2014 From: ohtsu at iij.ad.jp (Shigeki Ohtsu) Date: Tue, 04 Feb 2014 23:54:41 +0900 Subject: [PATCH] SPDY: fixed shift length of priority In-Reply-To: <2881199.LERSVeM0Cu@vbart-laptop> References: <52F07AA8.5090304@iij.ad.jp> <2881199.LERSVeM0Cu@vbart-laptop> Message-ID: <52F0FF31.606@iij.ad.jp> Hi, > Summary line must be ended with a dot. > > See also: http://nginx.org/en/docs/contributing_changes.html Sorry, I missed it though I read it before submitting. > Your email client broke the patch. > It's recommended to use mercurial patchbomb extension: > http://mercurial.selenic.com/wiki/PatchbombExtension I'll do it at next time. Thanks for merging my patch. Anyway, congrats on releasing of new nginx. Regards, From piotr at cloudflare.com Wed Feb 5 02:30:15 2014 
From: piotr at cloudflare.com (Piotr Sikora) Date: Tue, 04 Feb 2014 18:30:15 -0800 Subject: [PATCH] SSL: add "{proxy,uwsgi}_ssl_server_name" directives Message-ID: <92b99bb6851da6c2c72b.1391567415@piotrs-macbook-pro.local> # HG changeset patch # User Piotr Sikora # Date 1391566491 28800 # Tue Feb 04 18:14:51 2014 -0800 # Node ID 92b99bb6851da6c2c72bb7b3e14bae059b6d5db0 # Parent 3abb7076b3ecc27d970183c4d0238cefaa7a7c78 SSL: add "{proxy,uwsgi}_ssl_server_name" directives. Send TLS Server Name Indication (SNI) when connecting to an SSL upstream and provided value isn't an empty string. Signed-off-by: Piotr Sikora diff -r 3abb7076b3ec -r 92b99bb6851d src/event/ngx_event_connect.h --- a/src/event/ngx_event_connect.h Tue Feb 04 16:26:46 2014 +0400 +++ b/src/event/ngx_event_connect.h Tue Feb 04 18:14:51 2014 -0800 @@ -50,6 +50,8 @@ struct ngx_peer_connection_s { #if (NGX_SSL) ngx_event_set_peer_session_pt set_session; ngx_event_save_peer_session_pt save_session; + + ngx_str_t server_name; #endif #if (NGX_THREADS) diff -r 3abb7076b3ec -r 92b99bb6851d src/http/modules/ngx_http_proxy_module.c --- a/src/http/modules/ngx_http_proxy_module.c Tue Feb 04 16:26:46 2014 +0400 +++ b/src/http/modules/ngx_http_proxy_module.c Tue Feb 04 18:14:51 2014 -0800 @@ -553,6 +553,13 @@ static ngx_command_t ngx_http_proxy_com offsetof(ngx_http_proxy_loc_conf_t, ssl_ciphers), NULL }, + { ngx_string("proxy_ssl_server_name"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1, + ngx_http_set_complex_value_slot, + NGX_HTTP_LOC_CONF_OFFSET, + offsetof(ngx_http_proxy_loc_conf_t, upstream.ssl_server_name), + NULL }, + #endif ngx_null_command @@ -2390,6 +2397,7 @@ ngx_http_proxy_create_loc_conf(ngx_conf_ * conf->upstream.location = NULL; * conf->upstream.store_lengths = NULL; * conf->upstream.store_values = NULL; + * conf->upstream.ssl_server_name = NULL; * * conf->method = { 0, NULL }; * conf->headers_source = NULL; 
@@ -2725,6 +2733,10 @@ ngx_http_proxy_merge_loc_conf(ngx_conf_t ngx_conf_merge_str_value(conf->ssl_ciphers, prev->ssl_ciphers, "DEFAULT"); + if (conf->upstream.ssl_server_name == NULL) { + conf->upstream.ssl_server_name = prev->upstream.ssl_server_name; + } + if (conf->ssl && ngx_http_proxy_set_ssl(cf, conf) != NGX_OK) { return NGX_CONF_ERROR; } diff -r 3abb7076b3ec -r 92b99bb6851d src/http/modules/ngx_http_upstream_keepalive_module.c --- a/src/http/modules/ngx_http_upstream_keepalive_module.c Tue Feb 04 16:26:46 2014 +0400 +++ b/src/http/modules/ngx_http_upstream_keepalive_module.c Tue Feb 04 18:14:51 2014 -0800 @@ -49,6 +49,10 @@ typedef struct { socklen_t socklen; u_char sockaddr[NGX_SOCKADDRLEN]; +#if (NGX_HTTP_SSL) + ngx_str_t server_name; +#endif + } ngx_http_upstream_keepalive_cache_t; @@ -237,9 +241,17 @@ ngx_http_upstream_get_keepalive_peer(ngx item = ngx_queue_data(q, ngx_http_upstream_keepalive_cache_t, queue); c = item->connection; - if (ngx_memn2cmp((u_char *) &item->sockaddr, (u_char *) pc->sockaddr, - item->socklen, pc->socklen) - == 0) + if ((ngx_memn2cmp((u_char *) &item->sockaddr, (u_char *) pc->sockaddr, + item->socklen, pc->socklen) + == 0) +#if (NGX_HTTP_SSL) + && (pc->server_name.len == item->server_name.len) + && (pc->server_name.len == 0 + || ngx_strncmp(pc->server_name.data, item->server_name.data, + pc->server_name.len) + == 0) +#endif + ) { ngx_queue_remove(q); ngx_queue_insert_head(&kp->conf->free, q); 
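Review bot: in the ngx_http_upstream_get_keepalive_peer hunk the cached-connection match now requires the server name to be equal as well as the socket address, and that is necessary rather than cosmetic: a pooled TLS connection was handshaked with one SNI value, and handing it to a request configured with a different name would send that request over a session negotiated for another host without any error. The "pc->server_name.len == 0 ||" short-circuit keeps connections without SNI matching as before. Since the condition now spans seven lines of nested parentheses, a one-line comment stating "same address, same server name (length first, then bytes)" would make the intent readable.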
@@ -346,6 +358,24 @@ ngx_http_upstream_free_keepalive_peer(ng item->socklen = pc->socklen; ngx_memcpy(&item->sockaddr, pc->sockaddr, pc->socklen); +#if (NGX_HTTP_SSL) + + item->server_name.len = pc->server_name.len; + + if (item->server_name.len) { + + item->server_name.data = ngx_pnalloc(c->pool, pc->server_name.len + 1); + if (item->server_name.data == NULL) { + goto invalid; + } + + ngx_memcpy(item->server_name.data, pc->server_name.data, + pc->server_name.len); + item->server_name.data[pc->server_name.len] = '\0'; + } + +#endif + if (c->read->ready) { ngx_http_upstream_keepalive_close_handler(c->read); } diff -r 3abb7076b3ec -r 92b99bb6851d src/http/modules/ngx_http_uwsgi_module.c --- a/src/http/modules/ngx_http_uwsgi_module.c Tue Feb 04 16:26:46 2014 +0400 +++ b/src/http/modules/ngx_http_uwsgi_module.c Tue Feb 04 18:14:51 2014 -0800 @@ -409,6 +409,13 @@ static ngx_command_t ngx_http_uwsgi_comm offsetof(ngx_http_uwsgi_loc_conf_t, ssl_ciphers), NULL }, + { ngx_string("uwsgi_ssl_server_name"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1, + ngx_http_set_complex_value_slot, + NGX_HTTP_LOC_CONF_OFFSET, + offsetof(ngx_http_uwsgi_loc_conf_t, upstream.ssl_server_name), + NULL }, + #endif ngx_null_command @@ -1505,6 +1512,10 @@ ngx_http_uwsgi_merge_loc_conf(ngx_conf_t ngx_conf_merge_str_value(conf->ssl_ciphers, prev->ssl_ciphers, "DEFAULT"); + if (conf->upstream.ssl_server_name == NULL) { + conf->upstream.ssl_server_name = prev->upstream.ssl_server_name; + } + if (conf->ssl && ngx_http_uwsgi_set_ssl(cf, conf) != NGX_OK) { return NGX_CONF_ERROR; } diff -r 3abb7076b3ec -r 92b99bb6851d src/http/ngx_http_upstream.c --- a/src/http/ngx_http_upstream.c Tue Feb 04 16:26:46 2014 +0400 +++ b/src/http/ngx_http_upstream.c Tue Feb 04 18:14:51 2014 -0800 
@@ -478,6 +478,9 @@ static void ngx_http_upstream_init_request(ngx_http_request_t *r) { ngx_str_t *host; +#if (NGX_HTTP_SSL) + ngx_str_t name; +#endif ngx_uint_t i; ngx_resolver_ctx_t *ctx, temp; ngx_http_cleanup_t *cln; @@ -536,6 +539,31 @@ ngx_http_upstream_init_request(ngx_http_ u->peer.local = ngx_http_upstream_get_local(r, u->conf->local); +#if (NGX_HTTP_SSL) + + if (u->ssl && u->conf->ssl_server_name) { + + if (ngx_http_complex_value(r, u->conf->ssl_server_name, &name) + != NGX_OK) + { + ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR); + return; + } + + u->peer.server_name.data = ngx_pnalloc(r->pool, name.len + 1); + if (u->peer.server_name.data == NULL) { + ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR); + return; + } + + u->peer.server_name.len = name.len; + + ngx_memcpy(u->peer.server_name.data, name.data, name.len); + u->peer.server_name.data[name.len] = '\0'; + } + +#endif + clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); u->output.alignment = clcf->directio_alignment; @@ -1363,6 +1391,18 @@ ngx_http_upstream_ssl_init_connection(ng } } + if (u->peer.server_name.len) { + + if (SSL_set_tlsext_host_name(c->ssl->connection, + u->peer.server_name.data) + == 0) + { + ngx_http_upstream_finalize_request(r, u, + NGX_HTTP_INTERNAL_SERVER_ERROR); + return; + } + } + r->connection->log->action = "SSL handshaking to upstream"; rc = ngx_ssl_handshake(c); diff -r 3abb7076b3ec -r 92b99bb6851d src/http/ngx_http_upstream.h --- a/src/http/ngx_http_upstream.h Tue Feb 04 16:26:46 2014 +0400 +++ b/src/http/ngx_http_upstream.h Tue Feb 04 18:14:51 2014 -0800 @@ -195,6 +195,7 @@ typedef struct { #if (NGX_HTTP_SSL) ngx_ssl_t *ssl; ngx_flag_t ssl_session_reuse; + ngx_http_complex_value_t *ssl_server_name; #endif ngx_str_t module; From piotr at cloudflare.com Wed Feb 5 02:30:26 2014 
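Review bot: in the ngx_http_upstream_init_request hunk the evaluated name is copied into a NUL-terminated buffer because SSL_set_tlsext_host_name() takes a C string, which is correct, but nothing checks the value before it is sent: RFC 6066 does not permit literal IPv4/IPv6 addresses in the server_name extension, and a variable-based value such as proxy_ssl_server_name $host can easily evaluate to one (the empty-string case is already skipped by the .len checks). Consider skipping SNI when the value parses as an IP address, or documenting that the operator must guarantee a hostname. Treating a zero return from SSL_set_tlsext_host_name() as NGX_HTTP_INTERNAL_SERVER_ERROR is the right failure mode.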
From: piotr at cloudflare.com (Piotr Sikora) Date: Tue, 04 Feb 2014 18:30:26 -0800 Subject: [PATCH] SSL: add "{proxy, uwsgi}_ssl_verify" and supporting directives Message-ID: # HG changeset patch # User Piotr Sikora # Date 1391566504 28800 # Tue Feb 04 18:15:04 2014 -0800 # Node ID c05c0b2fec8f1c02e92261603c999f24c9d73426 # Parent 92b99bb6851da6c2c72bb7b3e14bae059b6d5db0 SSL: add "{proxy,uwsgi}_ssl_verify" and supporting directives. Verify SSL certificate when connecting to an SSL upstream. "{proxy,uwsgi}_ssl_verify" directives support 3 modes: - off - don't verify upstream's SSL certificate (default), - on - verify validity and trust of upstream's SSL certificate, - server_name - same as above, but when SNI is used, also verify that it matches one of the hostnames in the certificate. This mode requires OpenSSL-1.0.2+. Supporting directives: - "{proxy,uwsgi}_ssl_verify_depth", - "{proxy,uwsgi}_ssl_trusted_certificate", - "{proxy,uwsgi}_ssl_crl". Signed-off-by: Piotr Sikora diff -r 92b99bb6851d -r c05c0b2fec8f src/event/ngx_event_connect.h --- a/src/event/ngx_event_connect.h Tue Feb 04 18:14:51 2014 -0800 +++ b/src/event/ngx_event_connect.h Tue Feb 04 18:15:04 2014 -0800 @@ -68,6 +68,10 @@ struct ngx_peer_connection_s { /* ngx_connection_log_error_e */ unsigned log_error:2; + +#if (NGX_SSL) + unsigned verify:2; +#endif }; diff -r 92b99bb6851d -r c05c0b2fec8f src/http/modules/ngx_http_proxy_module.c --- a/src/http/modules/ngx_http_proxy_module.c Tue Feb 04 18:14:51 2014 -0800 +++ b/src/http/modules/ngx_http_proxy_module.c Tue Feb 04 18:15:04 2014 -0800 @@ -81,6 +81,9 @@ typedef struct { ngx_uint_t ssl; ngx_uint_t ssl_protocols; ngx_str_t ssl_ciphers; + ngx_uint_t ssl_verify_depth; + ngx_str_t ssl_trusted_certificate; + ngx_str_t ssl_crl; #endif } ngx_http_proxy_loc_conf_t; 
@@ -203,6 +206,16 @@ static ngx_conf_bitmask_t ngx_http_prox { ngx_null_string, 0 } }; + +static ngx_conf_enum_t ngx_http_proxy_ssl_verify[] = { + { ngx_string("off"), 0 }, + { ngx_string("on"), 1 }, +#if OPENSSL_VERSION_NUMBER >= 0x10002000L + { ngx_string("server_name"), 2 }, +#endif + { ngx_null_string, 0 } +}; + #endif @@ -560,6 +573,34 @@ static ngx_command_t ngx_http_proxy_com offsetof(ngx_http_proxy_loc_conf_t, upstream.ssl_server_name), NULL }, + { ngx_string("proxy_ssl_verify"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1, + ngx_conf_set_enum_slot, + NGX_HTTP_LOC_CONF_OFFSET, + offsetof(ngx_http_proxy_loc_conf_t, upstream.ssl_verify), + &ngx_http_proxy_ssl_verify }, + + { ngx_string("proxy_ssl_verify_depth"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1, + ngx_conf_set_num_slot, + NGX_HTTP_LOC_CONF_OFFSET, + offsetof(ngx_http_proxy_loc_conf_t, ssl_verify_depth), + NULL }, + + { ngx_string("proxy_ssl_trusted_certificate"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1, + ngx_conf_set_str_slot, + NGX_HTTP_LOC_CONF_OFFSET, + offsetof(ngx_http_proxy_loc_conf_t, ssl_trusted_certificate), + NULL }, + + { ngx_string("proxy_ssl_crl"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1, + ngx_conf_set_str_slot, + NGX_HTTP_LOC_CONF_OFFSET, + offsetof(ngx_http_proxy_loc_conf_t, ssl_crl), + NULL }, + #endif ngx_null_command @@ -2411,6 +2452,8 @@ ngx_http_proxy_create_loc_conf(ngx_conf_ * conf->ssl = 0; * conf->ssl_protocols = 0; * conf->ssl_ciphers = { 0, NULL }; + * conf->ssl_trusted_certificate = { 0, NULL }; + * conf->ssl_crl = { 0, NULL }; */ conf->upstream.store = NGX_CONF_UNSET; 
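Review bot: the ngx_http_proxy_ssl_verify enum compiles the "server_name" entry only when OPENSSL_VERSION_NUMBER >= 0x10002000L, so on an older OpenSSL a configuration asking for it is rejected at parse time by ngx_conf_set_enum_slot() as an invalid value rather than silently degrading to chain-only verification; that is the right behaviour, but the resulting error will not say why, so the directive documentation should state the OpenSSL 1.0.2 requirement. The documentation should also repeat what the commit message says about "on": the chain is validated against the trusted bundle but the name is not checked, so any certificate issued by a trusted CA is accepted for any upstream.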
@@ -2449,8 +2492,10 @@ ngx_http_proxy_create_loc_conf(ngx_conf_ conf->upstream.pass_headers = NGX_CONF_UNSET_PTR; conf->upstream.intercept_errors = NGX_CONF_UNSET; + #if (NGX_HTTP_SSL) conf->upstream.ssl_session_reuse = NGX_CONF_UNSET; + conf->upstream.ssl_verify = NGX_CONF_UNSET_UINT; #endif /* "proxy_cyclic_temp_file" is disabled */ @@ -2467,6 +2512,10 @@ ngx_http_proxy_create_loc_conf(ngx_conf_ conf->headers_hash_max_size = NGX_CONF_UNSET_UINT; conf->headers_hash_bucket_size = NGX_CONF_UNSET_UINT; +#if (NGX_HTTP_SSL) + conf->ssl_verify_depth = NGX_CONF_UNSET_UINT; +#endif + ngx_str_set(&conf->upstream.module, "proxy"); return conf; @@ -2737,8 +2786,50 @@ ngx_http_proxy_merge_loc_conf(ngx_conf_t conf->upstream.ssl_server_name = prev->upstream.ssl_server_name; } - if (conf->ssl && ngx_http_proxy_set_ssl(cf, conf) != NGX_OK) { - return NGX_CONF_ERROR; + ngx_conf_merge_uint_value(conf->upstream.ssl_verify, + prev->upstream.ssl_verify, 0); + + ngx_conf_merge_uint_value(conf->ssl_verify_depth, + prev->ssl_verify_depth, 9); + + ngx_conf_merge_str_value(conf->ssl_trusted_certificate, + prev->ssl_trusted_certificate, ""); + + ngx_conf_merge_str_value(conf->ssl_crl, + prev->ssl_crl, ""); + + if (conf->ssl) { + + if (ngx_http_proxy_set_ssl(cf, conf) != NGX_OK) { + return NGX_CONF_ERROR; + } + + if (conf->upstream.ssl_verify) { + + if (conf->ssl_trusted_certificate.len == 0) { + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, + "no \"proxy_ssl_trusted_certificate\" " + "is defined for the \"proxy_ssl_verify\" " + "directive"); + return NGX_CONF_ERROR; + } + + if (ngx_ssl_trusted_certificate(cf, conf->upstream.ssl, + &conf->ssl_trusted_certificate, + conf->ssl_verify_depth) + != NGX_OK) + { + return NGX_CONF_ERROR; + } + + if (ngx_ssl_crl(cf, conf->upstream.ssl, &conf->ssl_crl) != NGX_OK) { + return NGX_CONF_ERROR; + } + } + } + + if (conf->upstream.ssl == NULL) { + conf->upstream.ssl = prev->upstream.ssl; } #endif 
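Review bot: in the ngx_http_proxy_merge_loc_conf hunk, ngx_conf_merge_uint_value(conf->upstream.ssl_verify, prev->upstream.ssl_verify, 0) keeps verification off by default, so existing https upstream configurations continue to accept any certificate; the NGX_LOG_EMERG failure when verification is requested without proxy_ssl_trusted_certificate is the right startup-time check. ngx_ssl_crl() is called even when conf->ssl_crl has merged to the empty string, so the code relies on that helper treating an empty path as a no-op; a conf->ssl_crl.len guard would make the intent explicit. Moving the conf->upstream.ssl = prev->upstream.ssl inheritance into this block is fine, as the copy removed in the next hunk was its only other site.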
@@ -2797,12 +2888,6 @@ ngx_http_proxy_merge_loc_conf(ngx_conf_t ngx_conf_merge_ptr_value(conf->cookie_paths, prev->cookie_paths, NULL); -#if (NGX_HTTP_SSL) - if (conf->upstream.ssl == NULL) { - conf->upstream.ssl = prev->upstream.ssl; - } -#endif - ngx_conf_merge_uint_value(conf->http_version, prev->http_version, NGX_HTTP_VERSION_10); diff -r 92b99bb6851d -r c05c0b2fec8f src/http/modules/ngx_http_upstream_keepalive_module.c --- a/src/http/modules/ngx_http_upstream_keepalive_module.c Tue Feb 04 18:14:51 2014 -0800 +++ b/src/http/modules/ngx_http_upstream_keepalive_module.c Tue Feb 04 18:15:04 2014 -0800 @@ -51,6 +51,7 @@ typedef struct { #if (NGX_HTTP_SSL) ngx_str_t server_name; + unsigned verify:2; #endif } ngx_http_upstream_keepalive_cache_t; @@ -250,6 +251,7 @@ ngx_http_upstream_get_keepalive_peer(ngx || ngx_strncmp(pc->server_name.data, item->server_name.data, pc->server_name.len) == 0) + && (pc->verify <= item->verify) #endif ) { @@ -374,6 +376,8 @@ ngx_http_upstream_free_keepalive_peer(ng item->server_name.data[pc->server_name.len] = '\0'; } + item->verify = pc->verify; + #endif if (c->read->ready) { diff -r 92b99bb6851d -r c05c0b2fec8f src/http/modules/ngx_http_uwsgi_module.c --- a/src/http/modules/ngx_http_uwsgi_module.c Tue Feb 04 18:14:51 2014 -0800 +++ b/src/http/modules/ngx_http_uwsgi_module.c Tue Feb 04 18:15:04 2014 -0800 @@ -39,6 +39,9 @@ typedef struct { ngx_uint_t ssl; ngx_uint_t ssl_protocols; ngx_str_t ssl_ciphers; + ngx_uint_t ssl_verify_depth; + ngx_str_t ssl_trusted_certificate; + ngx_str_t ssl_crl; #endif } ngx_http_uwsgi_loc_conf_t; @@ -108,6 +111,16 @@ static ngx_conf_bitmask_t ngx_http_uwsg { ngx_null_string, 0 } }; + +static ngx_conf_enum_t ngx_http_uwsgi_ssl_verify[] = { + { ngx_string("off"), 0 }, + { ngx_string("on"), 1 }, +#if OPENSSL_VERSION_NUMBER >= 0x10002000L + { ngx_string("server_name"), 2 }, +#endif + { ngx_null_string, 0 } +}; + #endif 
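Review bot: in the ngx_http_upstream_get_keepalive_peer hunk, "pc->verify <= item->verify" reuses a pooled connection only if it was verified at least as strictly as the current request demands, which is correct given the enum ordering off(0) < on(1) < server_name(2); that ordering is an implicit contract between the module's enum table and this comparison and deserves a comment at both sites. What the cache does not record is which trust anchors performed the verification: two locations with the same verify level but different proxy_ssl_trusted_certificate or proxy_ssl_crl settings will share connections to the same address and server name, so a connection verified against one location's bundle can serve the other. If that is unacceptable, key the cache on the ngx_ssl_t (or its SSL_CTX) as well.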
@@ -416,6 +429,34 @@ static ngx_command_t ngx_http_uwsgi_comm offsetof(ngx_http_uwsgi_loc_conf_t, upstream.ssl_server_name), NULL }, + { ngx_string("uwsgi_ssl_verify"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1, + ngx_conf_set_enum_slot, + NGX_HTTP_LOC_CONF_OFFSET, + offsetof(ngx_http_uwsgi_loc_conf_t, upstream.ssl_verify), + &ngx_http_uwsgi_ssl_verify }, + + { ngx_string("uwsgi_ssl_verify_depth"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1, + ngx_conf_set_num_slot, + NGX_HTTP_LOC_CONF_OFFSET, + offsetof(ngx_http_uwsgi_loc_conf_t, ssl_verify_depth), + NULL }, + + { ngx_string("uwsgi_ssl_trusted_certificate"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1, + ngx_conf_set_str_slot, + NGX_HTTP_LOC_CONF_OFFSET, + offsetof(ngx_http_uwsgi_loc_conf_t, ssl_trusted_certificate), + NULL }, + + { ngx_string("uwsgi_ssl_crl"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1, + ngx_conf_set_str_slot, + NGX_HTTP_LOC_CONF_OFFSET, + offsetof(ngx_http_uwsgi_loc_conf_t, ssl_crl), + NULL }, + #endif ngx_null_command @@ -1250,8 +1291,10 @@ ngx_http_uwsgi_create_loc_conf(ngx_conf_ conf->upstream.pass_headers = NGX_CONF_UNSET_PTR; conf->upstream.intercept_errors = NGX_CONF_UNSET; + #if (NGX_HTTP_SSL) conf->upstream.ssl_session_reuse = NGX_CONF_UNSET; + conf->upstream.ssl_verify = NGX_CONF_UNSET_UINT; #endif /* "uwsgi_cyclic_temp_file" is disabled */ @@ -1259,6 +1302,10 @@ ngx_http_uwsgi_create_loc_conf(ngx_conf_ conf->upstream.change_buffering = 1; +#if (NGX_HTTP_SSL) + conf->ssl_verify_depth = NGX_CONF_UNSET_UINT; +#endif + ngx_str_set(&conf->upstream.module, "uwsgi"); return conf; 
@@ -1516,8 +1563,46 @@ ngx_http_uwsgi_merge_loc_conf(ngx_conf_t conf->upstream.ssl_server_name = prev->upstream.ssl_server_name; } - if (conf->ssl && ngx_http_uwsgi_set_ssl(cf, conf) != NGX_OK) { - return NGX_CONF_ERROR; + ngx_conf_merge_uint_value(conf->upstream.ssl_verify, + prev->upstream.ssl_verify, 0); + + ngx_conf_merge_uint_value(conf->ssl_verify_depth, + prev->ssl_verify_depth, 9); + + ngx_conf_merge_str_value(conf->ssl_trusted_certificate, + prev->ssl_trusted_certificate, ""); + + ngx_conf_merge_str_value(conf->ssl_crl, + prev->ssl_crl, ""); + + if (conf->ssl) { + + if (ngx_http_uwsgi_set_ssl(cf, conf) != NGX_OK) { + return NGX_CONF_ERROR; + } + + if (conf->upstream.ssl_verify) { + + if (conf->ssl_trusted_certificate.len == 0) { + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, + "no \"uwsgi_ssl_trusted_certificate\" " + "is defined for the \"uwsgi_ssl_verify\" " + "directive"); + return NGX_CONF_ERROR; + } + + if (ngx_ssl_trusted_certificate(cf, conf->upstream.ssl, + &conf->ssl_trusted_certificate, + conf->ssl_verify_depth) + != NGX_OK) + { + return NGX_CONF_ERROR; + } + + if (ngx_ssl_crl(cf, conf->upstream.ssl, &conf->ssl_crl) != NGX_OK) { + return NGX_CONF_ERROR; + } + } } if (conf->upstream.ssl == NULL) { diff -r 92b99bb6851d -r c05c0b2fec8f src/http/ngx_http_upstream.c --- a/src/http/ngx_http_upstream.c Tue Feb 04 18:14:51 2014 -0800 +++ b/src/http/ngx_http_upstream.c Tue Feb 04 18:15:04 2014 -0800 
@@ -541,25 +541,30 @@ ngx_http_upstream_init_request(ngx_http_ #if (NGX_HTTP_SSL) - if (u->ssl && u->conf->ssl_server_name) { - - if (ngx_http_complex_value(r, u->conf->ssl_server_name, &name) - != NGX_OK) - { - ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR); - return; + if (u->ssl) { + + if (u->conf->ssl_server_name) { + + if (ngx_http_complex_value(r, u->conf->ssl_server_name, &name) + != NGX_OK) + { + ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR); + return; + } + + u->peer.server_name.data = ngx_pnalloc(r->pool, name.len + 1); + if (u->peer.server_name.data == NULL) { + ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR); + return; + } + + u->peer.server_name.len = name.len; + + ngx_memcpy(u->peer.server_name.data, name.data, name.len); + u->peer.server_name.data[name.len] = '\0'; } - u->peer.server_name.data = ngx_pnalloc(r->pool, name.len + 1); - if (u->peer.server_name.data == NULL) { - ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - - u->peer.server_name.len = name.len; - - ngx_memcpy(u->peer.server_name.data, name.data, name.len); - u->peer.server_name.data[name.len] = '\0'; + u->peer.verify = u->conf->ssl_verify; } #endif @@ -1419,6 +1424,8 @@ ngx_http_upstream_ssl_init_connection(ng static void ngx_http_upstream_ssl_handshake(ngx_connection_t *c) { + long rc; + X509 *cert; ngx_http_request_t *r; ngx_http_upstream_t *u; 
@@ -1427,6 +1434,49 @@ ngx_http_upstream_ssl_handshake(ngx_conn if (c->ssl->handshaked) { + if (u->conf->ssl_verify) { + + rc = SSL_get_verify_result(c->ssl->connection); + + if (rc != X509_V_OK) { + ngx_log_error(NGX_LOG_ERR, c->log, 0, + "upstream SSL certificate verify error: (%l:%s)", + rc, X509_verify_cert_error_string(rc)); + + goto failed; + } + + cert = SSL_get_peer_certificate(c->ssl->connection); + + if (cert == NULL) { + ngx_log_error(NGX_LOG_ERR, c->log, 0, + "upstream sent no required SSL certificate"); + + goto failed; + } + +#if OPENSSL_VERSION_NUMBER >= 0x10002000L + + if (u->conf->ssl_verify == 2 && u->peer.server_name.len) { + + if (X509_check_host(cert, u->peer.server_name.data, + u->peer.server_name.len, 0) + != 1) + { + ngx_log_error(NGX_LOG_ERR, c->log, 0, + "upstream SSL certificate doesn't match " + "\"%V\"", &u->peer.server_name); + + X509_free(cert); + goto failed; + } + } + +#endif + + X509_free(cert); + } + if (u->conf->ssl_session_reuse) { u->peer.save_session(&u->peer, u->peer.data); } @@ -1442,6 +1492,8 @@ ngx_http_upstream_ssl_handshake(ngx_conn return; } +failed: + c = r->connection; ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_ERROR); diff -r 92b99bb6851d -r c05c0b2fec8f src/http/ngx_http_upstream.h --- a/src/http/ngx_http_upstream.h Tue Feb 04 18:14:51 2014 -0800 +++ b/src/http/ngx_http_upstream.h Tue Feb 04 18:15:04 2014 -0800 @@ -196,6 +196,7 @@ typedef struct { ngx_ssl_t *ssl; ngx_flag_t ssl_session_reuse; ngx_http_complex_value_t *ssl_server_name; + ngx_uint_t ssl_verify; #endif ngx_str_t module; From piotr at cloudflare.com Wed Feb 5 06:54:47 2014 
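Review bot: In the ngx_http_upstream_get_keepalive_peer hunk, `&& (pc->verify <= item->verify)` keys a cached connection on the verify level alone and not on the ngx_ssl_t it was verified against. Every location with its own proxy_pass builds its own context in ngx_http_proxy_set_ssl() and loads its own proxy_ssl_trusted_certificate / proxy_ssl_crl into it, so two locations that point at the same sockaddr and server_name but trust different CA bundles can hand each other a connection that was verified against the other's bundle. Consider adding the ngx_ssl_t pointer (or the loc conf) to the match in ngx_http_upstream_get_keepalive_peer and storing it in ngx_http_upstream_free_keepalive_peer next to `item->verify = pc->verify;`, or at least document that verified keepalive connections are shared across locations regardless of their trusted-certificate settings.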
From: piotr at cloudflare.com (Piotr Sikora) Date: Tue, 04 Feb 2014 22:54:47 -0800 Subject: [PATCH] SSL: add "{proxy, uwsgi}_ssl_verify" and supporting directives In-Reply-To: References: Message-ID: # HG changeset patch # User Piotr Sikora # Date 1391582213 28800 # Tue Feb 04 22:36:53 2014 -0800 # Node ID e7704dcea76c83708cd8bf01709e15dc658871ae # Parent f0129ac05ced1ee418fa97dbbae35f3c0b831992 SSL: add "{proxy,uwsgi}_ssl_verify" and supporting directives. Verify SSL certificate when connecting to an SSL upstream. "{proxy,uwsgi}_ssl_verify" directives support 3 modes: - off - don't verify upstream's SSL certificate (default), - on - verify validity and trust of upstream's SSL certificate, - server_name - same as above, but when SNI is used, also verify that it matches one of the hostnames in the certificate. This mode requires OpenSSL-1.0.2+. Supporting directives: - "{proxy,uwsgi}_ssl_verify_depth", - "{proxy,uwsgi}_ssl_trusted_certificate", - "{proxy,uwsgi}_ssl_crl". Signed-off-by: Piotr Sikora diff -r f0129ac05ced -r e7704dcea76c src/event/ngx_event_connect.h --- a/src/event/ngx_event_connect.h Tue Feb 04 22:36:41 2014 -0800 +++ b/src/event/ngx_event_connect.h Tue Feb 04 22:36:53 2014 -0800 @@ -68,6 +68,10 @@ struct ngx_peer_connection_s { /* ngx_connection_log_error_e */ unsigned log_error:2; + +#if (NGX_SSL) + unsigned verify:2; +#endif }; diff -r f0129ac05ced -r e7704dcea76c src/http/modules/ngx_http_proxy_module.c --- a/src/http/modules/ngx_http_proxy_module.c Tue Feb 04 22:36:41 2014 -0800 +++ b/src/http/modules/ngx_http_proxy_module.c Tue Feb 04 22:36:53 2014 -0800 @@ -81,6 +81,9 @@ typedef struct { ngx_uint_t ssl; ngx_uint_t ssl_protocols; ngx_str_t ssl_ciphers; + ngx_uint_t ssl_verify_depth; + ngx_str_t ssl_trusted_certificate; + ngx_str_t ssl_crl; #endif } ngx_http_proxy_loc_conf_t; 
@@ -203,6 +206,16 @@ static ngx_conf_bitmask_t ngx_http_prox { ngx_null_string, 0 } }; + +static ngx_conf_enum_t ngx_http_proxy_ssl_verify[] = { + { ngx_string("off"), 0 }, + { ngx_string("on"), 1 }, +#if OPENSSL_VERSION_NUMBER >= 0x10002000L + { ngx_string("server_name"), 2 }, +#endif + { ngx_null_string, 0 } +}; + #endif @@ -560,6 +573,34 @@ static ngx_command_t ngx_http_proxy_com offsetof(ngx_http_proxy_loc_conf_t, upstream.ssl_server_name), NULL }, + { ngx_string("proxy_ssl_verify"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1, + ngx_conf_set_enum_slot, + NGX_HTTP_LOC_CONF_OFFSET, + offsetof(ngx_http_proxy_loc_conf_t, upstream.ssl_verify), + &ngx_http_proxy_ssl_verify }, + + { ngx_string("proxy_ssl_verify_depth"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1, + ngx_conf_set_num_slot, + NGX_HTTP_LOC_CONF_OFFSET, + offsetof(ngx_http_proxy_loc_conf_t, ssl_verify_depth), + NULL }, + + { ngx_string("proxy_ssl_trusted_certificate"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1, + ngx_conf_set_str_slot, + NGX_HTTP_LOC_CONF_OFFSET, + offsetof(ngx_http_proxy_loc_conf_t, ssl_trusted_certificate), + NULL }, + + { ngx_string("proxy_ssl_crl"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1, + ngx_conf_set_str_slot, + NGX_HTTP_LOC_CONF_OFFSET, + offsetof(ngx_http_proxy_loc_conf_t, ssl_crl), + NULL }, + #endif ngx_null_command @@ -2411,6 +2452,8 @@ ngx_http_proxy_create_loc_conf(ngx_conf_ * conf->ssl = 0; * conf->ssl_protocols = 0; * conf->ssl_ciphers = { 0, NULL }; + * conf->ssl_trusted_certificate = { 0, NULL }; + * conf->ssl_crl = { 0, NULL }; */ conf->upstream.store = NGX_CONF_UNSET; 
@@ -2449,8 +2492,10 @@ ngx_http_proxy_create_loc_conf(ngx_conf_ conf->upstream.pass_headers = NGX_CONF_UNSET_PTR; conf->upstream.intercept_errors = NGX_CONF_UNSET; + #if (NGX_HTTP_SSL) conf->upstream.ssl_session_reuse = NGX_CONF_UNSET; + conf->upstream.ssl_verify = NGX_CONF_UNSET_UINT; #endif /* "proxy_cyclic_temp_file" is disabled */ @@ -2467,6 +2512,10 @@ ngx_http_proxy_create_loc_conf(ngx_conf_ conf->headers_hash_max_size = NGX_CONF_UNSET_UINT; conf->headers_hash_bucket_size = NGX_CONF_UNSET_UINT; +#if (NGX_HTTP_SSL) + conf->ssl_verify_depth = NGX_CONF_UNSET_UINT; +#endif + ngx_str_set(&conf->upstream.module, "proxy"); return conf; @@ -2737,8 +2786,50 @@ ngx_http_proxy_merge_loc_conf(ngx_conf_t conf->upstream.ssl_server_name = prev->upstream.ssl_server_name; } - if (conf->ssl && ngx_http_proxy_set_ssl(cf, conf) != NGX_OK) { - return NGX_CONF_ERROR; + ngx_conf_merge_uint_value(conf->upstream.ssl_verify, + prev->upstream.ssl_verify, 0); + + ngx_conf_merge_uint_value(conf->ssl_verify_depth, + prev->ssl_verify_depth, 9); + + ngx_conf_merge_str_value(conf->ssl_trusted_certificate, + prev->ssl_trusted_certificate, ""); + + ngx_conf_merge_str_value(conf->ssl_crl, + prev->ssl_crl, ""); + + if (conf->ssl) { + + if (ngx_http_proxy_set_ssl(cf, conf) != NGX_OK) { + return NGX_CONF_ERROR; + } + + if (conf->upstream.ssl_verify) { + + if (conf->ssl_trusted_certificate.len == 0) { + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, + "no \"proxy_ssl_trusted_certificate\" " + "is defined for the \"proxy_ssl_verify\" " + "directive"); + return NGX_CONF_ERROR; + } + + if (ngx_ssl_trusted_certificate(cf, conf->upstream.ssl, + &conf->ssl_trusted_certificate, + conf->ssl_verify_depth) + != NGX_OK) + { + return NGX_CONF_ERROR; + } + + if (ngx_ssl_crl(cf, conf->upstream.ssl, &conf->ssl_crl) != NGX_OK) { + return NGX_CONF_ERROR; + } + } + } + + if (conf->upstream.ssl == NULL) { + conf->upstream.ssl = prev->upstream.ssl; } #endif 
@@ -2797,12 +2888,6 @@ ngx_http_proxy_merge_loc_conf(ngx_conf_t ngx_conf_merge_ptr_value(conf->cookie_paths, prev->cookie_paths, NULL); -#if (NGX_HTTP_SSL) - if (conf->upstream.ssl == NULL) { - conf->upstream.ssl = prev->upstream.ssl; - } -#endif - ngx_conf_merge_uint_value(conf->http_version, prev->http_version, NGX_HTTP_VERSION_10); diff -r f0129ac05ced -r e7704dcea76c src/http/modules/ngx_http_upstream_keepalive_module.c --- a/src/http/modules/ngx_http_upstream_keepalive_module.c Tue Feb 04 22:36:41 2014 -0800 +++ b/src/http/modules/ngx_http_upstream_keepalive_module.c Tue Feb 04 22:36:53 2014 -0800 @@ -51,6 +51,7 @@ typedef struct { #if (NGX_HTTP_SSL) ngx_str_t server_name; + unsigned verify:2; #endif } ngx_http_upstream_keepalive_cache_t; @@ -250,6 +251,7 @@ ngx_http_upstream_get_keepalive_peer(ngx || ngx_strncmp(pc->server_name.data, item->server_name.data, pc->server_name.len) == 0) + && (pc->verify <= item->verify) #endif ) { @@ -372,6 +374,8 @@ ngx_http_upstream_free_keepalive_peer(ng pc->server_name.len); } + item->verify = pc->verify; + #endif if (c->read->ready) { diff -r f0129ac05ced -r e7704dcea76c src/http/modules/ngx_http_uwsgi_module.c --- a/src/http/modules/ngx_http_uwsgi_module.c Tue Feb 04 22:36:41 2014 -0800 +++ b/src/http/modules/ngx_http_uwsgi_module.c Tue Feb 04 22:36:53 2014 -0800 @@ -39,6 +39,9 @@ typedef struct { ngx_uint_t ssl; ngx_uint_t ssl_protocols; ngx_str_t ssl_ciphers; + ngx_uint_t ssl_verify_depth; + ngx_str_t ssl_trusted_certificate; + ngx_str_t ssl_crl; #endif } ngx_http_uwsgi_loc_conf_t; @@ -108,6 +111,16 @@ static ngx_conf_bitmask_t ngx_http_uwsg { ngx_null_string, 0 } }; + +static ngx_conf_enum_t ngx_http_uwsgi_ssl_verify[] = { + { ngx_string("off"), 0 }, + { ngx_string("on"), 1 }, +#if OPENSSL_VERSION_NUMBER >= 0x10002000L + { ngx_string("server_name"), 2 }, +#endif + { ngx_null_string, 0 } +}; + #endif 
@@ -416,6 +429,34 @@ static ngx_command_t ngx_http_uwsgi_comm offsetof(ngx_http_uwsgi_loc_conf_t, upstream.ssl_server_name), NULL }, + { ngx_string("uwsgi_ssl_verify"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1, + ngx_conf_set_enum_slot, + NGX_HTTP_LOC_CONF_OFFSET, + offsetof(ngx_http_uwsgi_loc_conf_t, upstream.ssl_verify), + &ngx_http_uwsgi_ssl_verify }, + + { ngx_string("uwsgi_ssl_verify_depth"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1, + ngx_conf_set_num_slot, + NGX_HTTP_LOC_CONF_OFFSET, + offsetof(ngx_http_uwsgi_loc_conf_t, ssl_verify_depth), + NULL }, + + { ngx_string("uwsgi_ssl_trusted_certificate"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1, + ngx_conf_set_str_slot, + NGX_HTTP_LOC_CONF_OFFSET, + offsetof(ngx_http_uwsgi_loc_conf_t, ssl_trusted_certificate), + NULL }, + + { ngx_string("uwsgi_ssl_crl"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1, + ngx_conf_set_str_slot, + NGX_HTTP_LOC_CONF_OFFSET, + offsetof(ngx_http_uwsgi_loc_conf_t, ssl_crl), + NULL }, + #endif ngx_null_command @@ -1250,8 +1291,10 @@ ngx_http_uwsgi_create_loc_conf(ngx_conf_ conf->upstream.pass_headers = NGX_CONF_UNSET_PTR; conf->upstream.intercept_errors = NGX_CONF_UNSET; + #if (NGX_HTTP_SSL) conf->upstream.ssl_session_reuse = NGX_CONF_UNSET; + conf->upstream.ssl_verify = NGX_CONF_UNSET_UINT; #endif /* "uwsgi_cyclic_temp_file" is disabled */ @@ -1259,6 +1302,10 @@ ngx_http_uwsgi_create_loc_conf(ngx_conf_ conf->upstream.change_buffering = 1; +#if (NGX_HTTP_SSL) + conf->ssl_verify_depth = NGX_CONF_UNSET_UINT; +#endif + ngx_str_set(&conf->upstream.module, "uwsgi"); return conf; 
@@ -1516,8 +1563,46 @@ ngx_http_uwsgi_merge_loc_conf(ngx_conf_t conf->upstream.ssl_server_name = prev->upstream.ssl_server_name; } - if (conf->ssl && ngx_http_uwsgi_set_ssl(cf, conf) != NGX_OK) { - return NGX_CONF_ERROR; + ngx_conf_merge_uint_value(conf->upstream.ssl_verify, + prev->upstream.ssl_verify, 0); + + ngx_conf_merge_uint_value(conf->ssl_verify_depth, + prev->ssl_verify_depth, 9); + + ngx_conf_merge_str_value(conf->ssl_trusted_certificate, + prev->ssl_trusted_certificate, ""); + + ngx_conf_merge_str_value(conf->ssl_crl, + prev->ssl_crl, ""); + + if (conf->ssl) { + + if (ngx_http_uwsgi_set_ssl(cf, conf) != NGX_OK) { + return NGX_CONF_ERROR; + } + + if (conf->upstream.ssl_verify) { + + if (conf->ssl_trusted_certificate.len == 0) { + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, + "no \"uwsgi_ssl_trusted_certificate\" " + "is defined for the \"uwsgi_ssl_verify\" " + "directive"); + return NGX_CONF_ERROR; + } + + if (ngx_ssl_trusted_certificate(cf, conf->upstream.ssl, + &conf->ssl_trusted_certificate, + conf->ssl_verify_depth) + != NGX_OK) + { + return NGX_CONF_ERROR; + } + + if (ngx_ssl_crl(cf, conf->upstream.ssl, &conf->ssl_crl) != NGX_OK) { + return NGX_CONF_ERROR; + } + } } if (conf->upstream.ssl == NULL) { diff -r f0129ac05ced -r e7704dcea76c src/http/ngx_http_upstream.c --- a/src/http/ngx_http_upstream.c Tue Feb 04 22:36:41 2014 -0800 +++ b/src/http/ngx_http_upstream.c Tue Feb 04 22:36:53 2014 -0800 
@@ -541,27 +541,33 @@ ngx_http_upstream_init_request(ngx_http_ #if (NGX_HTTP_SSL) - if (u->ssl && u->conf->ssl_server_name) { - - if (ngx_http_complex_value(r, u->conf->ssl_server_name, &name) - != NGX_OK) - { - ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - - u->peer.server_name.len = name.len; - - if (u->peer.server_name.len) { - u->peer.server_name.data = ngx_pnalloc(r->pool, name.len + 1); - if (u->peer.server_name.data == NULL) { + if (u->ssl) { + + if (u->conf->ssl_server_name) { + + if (ngx_http_complex_value(r, u->conf->ssl_server_name, &name) + != NGX_OK) + { ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR); return; } - ngx_memcpy(u->peer.server_name.data, name.data, name.len); - u->peer.server_name.data[name.len] = '\0'; + u->peer.server_name.len = name.len; + + if (u->peer.server_name.len) { + u->peer.server_name.data = ngx_pnalloc(r->pool, name.len + 1); + if (u->peer.server_name.data == NULL) { + ngx_http_finalize_request(r, + NGX_HTTP_INTERNAL_SERVER_ERROR); + return; + } + + ngx_memcpy(u->peer.server_name.data, name.data, name.len); + u->peer.server_name.data[name.len] = '\0'; + } } + + u->peer.verify = u->conf->ssl_verify; } #endif @@ -1421,6 +1427,8 @@ ngx_http_upstream_ssl_init_connection(ng static void ngx_http_upstream_ssl_handshake(ngx_connection_t *c) { + long rc; + X509 *cert; ngx_http_request_t *r; ngx_http_upstream_t *u; 
@@ -1429,6 +1437,49 @@ ngx_http_upstream_ssl_handshake(ngx_conn if (c->ssl->handshaked) { + if (u->conf->ssl_verify) { + + rc = SSL_get_verify_result(c->ssl->connection); + + if (rc != X509_V_OK) { + ngx_log_error(NGX_LOG_ERR, c->log, 0, + "upstream SSL certificate verify error: (%l:%s)", + rc, X509_verify_cert_error_string(rc)); + + goto failed; + } + + cert = SSL_get_peer_certificate(c->ssl->connection); + + if (cert == NULL) { + ngx_log_error(NGX_LOG_ERR, c->log, 0, + "upstream sent no required SSL certificate"); + + goto failed; + } + +#if OPENSSL_VERSION_NUMBER >= 0x10002000L + + if (u->conf->ssl_verify == 2 && u->peer.server_name.len) { + + if (X509_check_host(cert, u->peer.server_name.data, + u->peer.server_name.len, 0) + != 1) + { + ngx_log_error(NGX_LOG_ERR, c->log, 0, + "upstream SSL certificate doesn't match " + "\"%V\"", &u->peer.server_name); + + X509_free(cert); + goto failed; + } + } + +#endif + + X509_free(cert); + } + if (u->conf->ssl_session_reuse) { u->peer.save_session(&u->peer, u->peer.data); } @@ -1444,6 +1495,8 @@ ngx_http_upstream_ssl_handshake(ngx_conn return; } +failed: + c = r->connection; ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_ERROR); diff -r f0129ac05ced -r e7704dcea76c src/http/ngx_http_upstream.h --- a/src/http/ngx_http_upstream.h Tue Feb 04 22:36:41 2014 -0800 +++ b/src/http/ngx_http_upstream.h Tue Feb 04 22:36:53 2014 -0800 @@ -196,6 +196,7 @@ typedef struct { ngx_ssl_t *ssl; ngx_flag_t ssl_session_reuse; ngx_http_complex_value_t *ssl_server_name; + ngx_uint_t ssl_verify; #endif ngx_str_t module; From piotr at cloudflare.com Wed Feb 5 06:54:34 2014 
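Review bot: In the ngx_http_proxy_merge_loc_conf hunk, ngx_ssl_trusted_certificate() and ngx_ssl_crl() run only inside `if (conf->ssl) {`, while the `if (conf->upstream.ssl == NULL) { conf->upstream.ssl = prev->upstream.ssl; }` fallback hands a location the parent's already-built context. A location that reaches that fallback but sets its own proxy_ssl_verify, proxy_ssl_trusted_certificate or proxy_ssl_crl gets those values merged and never loaded anywhere, and at handshake time u->conf->ssl_verify is then evaluated against a context whose trust store (if any) came from the parent; the "no proxy_ssl_trusted_certificate is defined" check is also skipped on that path. Either reject that combination at config time with ngx_conf_log_error, or apply the verify settings whenever the location ends up with a context. The uwsgi merge hunk has the same shape.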
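Review bot: In the ngx_http_upstream_ssl_handshake hunk, the host name check is gated on `if (u->conf->ssl_verify == 2 && u->peer.server_name.len) {`, so `proxy_ssl_verify server_name` configured without a non-empty proxy_ssl_server_name silently degrades to plain `on` (chain validation only, no binding of the certificate to a name), and the commit message's "when SNI is used" is the only hint. Since mode 2 is the one an operator picks precisely to reject a valid certificate issued for some other host, consider failing at config time when mode 2 is selected and ssl_server_name is NULL, and logging at NGX_LOG_WARN when the evaluated name is empty at request time, instead of proceeding quietly. The ordering of the checks is right: SSL_get_verify_result() first, then the NULL test on SSL_get_peer_certificate(), then X509_check_host(), with X509_free() on both exits.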
From: piotr at cloudflare.com (Piotr Sikora) Date: Tue, 04 Feb 2014 22:54:34 -0800 Subject: [PATCH] SSL: add "{proxy,uwsgi}_ssl_server_name" directives In-Reply-To: <92b99bb6851da6c2c72b.1391567415@piotrs-macbook-pro.local> References: <92b99bb6851da6c2c72b.1391567415@piotrs-macbook-pro.local> Message-ID: # HG changeset patch # User Piotr Sikora # Date 1391582201 28800 # Tue Feb 04 22:36:41 2014 -0800 # Node ID f0129ac05ced1ee418fa97dbbae35f3c0b831992 # Parent 3abb7076b3ecc27d970183c4d0238cefaa7a7c78 SSL: add "{proxy,uwsgi}_ssl_server_name" directives. Send TLS Server Name Indication (SNI) when connecting to an SSL upstream and provided value isn't an empty string. Signed-off-by: Piotr Sikora diff -r 3abb7076b3ec -r f0129ac05ced src/event/ngx_event_connect.h --- a/src/event/ngx_event_connect.h Tue Feb 04 16:26:46 2014 +0400 +++ b/src/event/ngx_event_connect.h Tue Feb 04 22:36:41 2014 -0800 @@ -50,6 +50,8 @@ struct ngx_peer_connection_s { #if (NGX_SSL) ngx_event_set_peer_session_pt set_session; ngx_event_save_peer_session_pt save_session; + + ngx_str_t server_name; #endif #if (NGX_THREADS) diff -r 3abb7076b3ec -r f0129ac05ced src/http/modules/ngx_http_proxy_module.c --- a/src/http/modules/ngx_http_proxy_module.c Tue Feb 04 16:26:46 2014 +0400 +++ b/src/http/modules/ngx_http_proxy_module.c Tue Feb 04 22:36:41 2014 -0800 @@ -553,6 +553,13 @@ static ngx_command_t ngx_http_proxy_com offsetof(ngx_http_proxy_loc_conf_t, ssl_ciphers), NULL }, + { ngx_string("proxy_ssl_server_name"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1, + ngx_http_set_complex_value_slot, + NGX_HTTP_LOC_CONF_OFFSET, + offsetof(ngx_http_proxy_loc_conf_t, upstream.ssl_server_name), + NULL }, + #endif ngx_null_command 
@@ -2390,6 +2397,7 @@ ngx_http_proxy_create_loc_conf(ngx_conf_ * conf->upstream.location = NULL; * conf->upstream.store_lengths = NULL; * conf->upstream.store_values = NULL; + * conf->upstream.ssl_server_name = NULL; * * conf->method = { 0, NULL }; * conf->headers_source = NULL; @@ -2725,6 +2733,10 @@ ngx_http_proxy_merge_loc_conf(ngx_conf_t ngx_conf_merge_str_value(conf->ssl_ciphers, prev->ssl_ciphers, "DEFAULT"); + if (conf->upstream.ssl_server_name == NULL) { + conf->upstream.ssl_server_name = prev->upstream.ssl_server_name; + } + if (conf->ssl && ngx_http_proxy_set_ssl(cf, conf) != NGX_OK) { return NGX_CONF_ERROR; } diff -r 3abb7076b3ec -r f0129ac05ced src/http/modules/ngx_http_upstream_keepalive_module.c --- a/src/http/modules/ngx_http_upstream_keepalive_module.c Tue Feb 04 16:26:46 2014 +0400 +++ b/src/http/modules/ngx_http_upstream_keepalive_module.c Tue Feb 04 22:36:41 2014 -0800 @@ -49,6 +49,10 @@ typedef struct { socklen_t socklen; u_char sockaddr[NGX_SOCKADDRLEN]; +#if (NGX_HTTP_SSL) + ngx_str_t server_name; +#endif + } ngx_http_upstream_keepalive_cache_t; @@ -237,9 +241,17 @@ ngx_http_upstream_get_keepalive_peer(ngx item = ngx_queue_data(q, ngx_http_upstream_keepalive_cache_t, queue); c = item->connection; - if (ngx_memn2cmp((u_char *) &item->sockaddr, (u_char *) pc->sockaddr, - item->socklen, pc->socklen) - == 0) + if ((ngx_memn2cmp((u_char *) &item->sockaddr, (u_char *) pc->sockaddr, + item->socklen, pc->socklen) + == 0) +#if (NGX_HTTP_SSL) + && (pc->server_name.len == item->server_name.len) + && (pc->server_name.len == 0 + || ngx_strncmp(pc->server_name.data, item->server_name.data, + pc->server_name.len) + == 0) +#endif + ) { ngx_queue_remove(q); ngx_queue_insert_head(&kp->conf->free, q); 
@@ -346,6 +358,22 @@ ngx_http_upstream_free_keepalive_peer(ng item->socklen = pc->socklen; ngx_memcpy(&item->sockaddr, pc->sockaddr, pc->socklen); +#if (NGX_HTTP_SSL) + + item->server_name.len = pc->server_name.len; + + if (item->server_name.len) { + item->server_name.data = ngx_pnalloc(c->pool, pc->server_name.len); + if (item->server_name.data == NULL) { + goto invalid; + } + + ngx_memcpy(item->server_name.data, pc->server_name.data, + pc->server_name.len); + } + +#endif + if (c->read->ready) { ngx_http_upstream_keepalive_close_handler(c->read); } diff -r 3abb7076b3ec -r f0129ac05ced src/http/modules/ngx_http_uwsgi_module.c --- a/src/http/modules/ngx_http_uwsgi_module.c Tue Feb 04 16:26:46 2014 +0400 +++ b/src/http/modules/ngx_http_uwsgi_module.c Tue Feb 04 22:36:41 2014 -0800 @@ -409,6 +409,13 @@ static ngx_command_t ngx_http_uwsgi_comm offsetof(ngx_http_uwsgi_loc_conf_t, ssl_ciphers), NULL }, + { ngx_string("uwsgi_ssl_server_name"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1, + ngx_http_set_complex_value_slot, + NGX_HTTP_LOC_CONF_OFFSET, + offsetof(ngx_http_uwsgi_loc_conf_t, upstream.ssl_server_name), + NULL }, + #endif ngx_null_command @@ -1505,6 +1512,10 @@ ngx_http_uwsgi_merge_loc_conf(ngx_conf_t ngx_conf_merge_str_value(conf->ssl_ciphers, prev->ssl_ciphers, "DEFAULT"); + if (conf->upstream.ssl_server_name == NULL) { + conf->upstream.ssl_server_name = prev->upstream.ssl_server_name; + } + if (conf->ssl && ngx_http_uwsgi_set_ssl(cf, conf) != NGX_OK) { return NGX_CONF_ERROR; } diff -r 3abb7076b3ec -r f0129ac05ced src/http/ngx_http_upstream.c --- a/src/http/ngx_http_upstream.c Tue Feb 04 16:26:46 2014 +0400 +++ b/src/http/ngx_http_upstream.c Tue Feb 04 22:36:41 2014 -0800 @@ -478,6 +478,9 @@ static void ngx_http_upstream_init_request(ngx_http_request_t *r) { ngx_str_t *host; +#if (NGX_HTTP_SSL) + ngx_str_t name; +#endif ngx_uint_t i; ngx_resolver_ctx_t *ctx, temp; ngx_http_cleanup_t *cln; 
@@ -536,6 +539,33 @@ ngx_http_upstream_init_request(ngx_http_ u->peer.local = ngx_http_upstream_get_local(r, u->conf->local); +#if (NGX_HTTP_SSL) + + if (u->ssl && u->conf->ssl_server_name) { + + if (ngx_http_complex_value(r, u->conf->ssl_server_name, &name) + != NGX_OK) + { + ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR); + return; + } + + u->peer.server_name.len = name.len; + + if (u->peer.server_name.len) { + u->peer.server_name.data = ngx_pnalloc(r->pool, name.len + 1); + if (u->peer.server_name.data == NULL) { + ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR); + return; + } + + ngx_memcpy(u->peer.server_name.data, name.data, name.len); + u->peer.server_name.data[name.len] = '\0'; + } + } + +#endif + clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); u->output.alignment = clcf->directio_alignment; @@ -1363,6 +1393,18 @@ ngx_http_upstream_ssl_init_connection(ng } } + if (u->peer.server_name.len) { + + if (SSL_set_tlsext_host_name(c->ssl->connection, + u->peer.server_name.data) + == 0) + { + ngx_http_upstream_finalize_request(r, u, + NGX_HTTP_INTERNAL_SERVER_ERROR); + return; + } + } + r->connection->log->action = "SSL handshaking to upstream"; rc = ngx_ssl_handshake(c); diff -r 3abb7076b3ec -r f0129ac05ced src/http/ngx_http_upstream.h --- a/src/http/ngx_http_upstream.h Tue Feb 04 16:26:46 2014 +0400 +++ b/src/http/ngx_http_upstream.h Tue Feb 04 22:36:41 2014 -0800 @@ -195,6 +195,7 @@ typedef struct { #if (NGX_HTTP_SSL) ngx_ssl_t *ssl; ngx_flag_t ssl_session_reuse; + ngx_http_complex_value_t *ssl_server_name; #endif ngx_str_t module; From ru at nginx.com Wed Feb 5 13:10:57 2014 
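Review bot: In the ngx_http_upstream_free_keepalive_peer hunk, `item->server_name.data = ngx_pnalloc(c->pool, pc->server_name.len);` runs every time the connection is returned to the cache, and c->pool lives as long as the keepalive connection itself, so each reuse cycle allocates one more copy of the name and none is ever released: a long-lived upstream connection leaks pool memory in proportion to the number of requests it has served. Keep an allocated size in ngx_http_upstream_keepalive_cache_t alongside `server_name` and reuse the existing buffer when the new name fits (reallocating only when it does not), or give the item a fixed-size buffer; either way the copy should be an ngx_memcpy into storage that is allocated once per cache slot.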
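Review bot: In the ngx_http_upstream_ssl_init_connection hunk, SSL_set_tlsext_host_name() is called unconditionally; ngx_http_ssl_module wraps its SNI use in `#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME` because OpenSSL builds without TLS extension support do not define it, so this hunk does not compile on the older OpenSSL releases nginx still supports. Guard the block with the same ifdef and, when the macro is missing, either fail at config time when `proxy_ssl_server_name` is set or log that it is ignored, so the directive is not silently a no-op. The `== 0` failure test is correct, since SSL_set_tlsext_host_name() returns 1 on success.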
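The two commit messages above describe the proposed directives only by their semantics. The following configuration is an added example, not part of either patch and not nginx's own documentation, showing how the directives would be combined in one location if the patches were applied as posted: `proxy_ssl_server_name` takes a string value (here a literal host name), `proxy_ssl_verify server_name` needs OpenSSL 1.0.2+ and a trusted bundle, and the address, host name and file paths are placeholders. Note that the directive set nginx later shipped differs from this proposal: in released nginx `proxy_ssl_server_name` is an on/off switch and the name comes from `proxy_ssl_name`, so this matches the patch on this page rather than current nginx.

```nginx
# Added example for the directives proposed in the patches above;
# not part of the patches. Address, host name and paths are placeholders.

upstream backend {
    server 203.0.113.10:443;     # placeholder (TEST-NET-3) address
    keepalive 16;                # with these patches a cached connection is
                                 # reused only if sockaddr, SNI name and
                                 # verify level match
}

server {
    listen 80;

    location / {
        proxy_pass https://backend;

        # keepalive to the upstream needs HTTP/1.1 and a cleared
        # Connection header
        proxy_http_version 1.1;
        proxy_set_header Connection "";

        # Send SNI; in this patch the value is a complex value, so a
        # literal host name or a variable is accepted.
        proxy_ssl_server_name backend.example.internal;

        # "on" would validate the chain against the trusted bundle but
        # accept a valid certificate issued for any other host.
        # "server_name" (OpenSSL 1.0.2+) additionally binds the
        # certificate to the SNI name above via X509_check_host().
        proxy_ssl_verify              server_name;

        # Chain depth to accept; the patch defaults to 9.
        proxy_ssl_verify_depth        2;

        # Required whenever proxy_ssl_verify is not "off"; the patch
        # rejects the config otherwise.
        proxy_ssl_trusted_certificate /etc/nginx/ca/backend-ca.pem;   # placeholder path

        # Optional revocation list checked together with the chain.
        proxy_ssl_crl                 /etc/nginx/ca/backend.crl;      # placeholder path
    }
}
```

With `proxy_ssl_verify server_name`, a handshake whose certificate chains to the bundle but carries a different host name is logged as "upstream SSL certificate doesn't match" and the request moves on to the next upstream via ngx_http_upstream_next(); with plain `on`, only chain validity and the CRL are checked.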
From: ru at nginx.com (Ruslan Ermilov)
Date: Wed, 5 Feb 2014 17:10:57 +0400
Subject: [PATCH] Use ngx_socket_errno where appropriate.
In-Reply-To:
References: <20140131043525.GF31221@lo0.su> <20140131113844.GJ1835@mdounin.ru> <20140203130444.GJ1835@mdounin.ru>
Message-ID: <20140205131057.GB27064@lo0.su>

On Mon, Feb 03, 2014 at 02:22:39PM -0800, Piotr Sikora wrote:
> Hey,
>
> > Note that I still agree with Ruslan's comments to your patch, use
> > of ngx_socket_errno to check errors from ioctl() / fcntl() in
> > unix-specific code looks unneeded. And in case of eventfd - it
> > looks certainly wrong, as eventfd isn't a socket.
> >
> > I would rather drop most of the src/os/unix changes, probably with
> > the exception of ngx_tcp_nopush() checks.
>
> Done.

Your latest patch looks good to me.

From mdounin at mdounin.ru Wed Feb 5 15:19:54 2014
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Wed, 05 Feb 2014 15:19:54 +0000
Subject: [nginx] Version bump.
Message-ID:

details: http://hg.nginx.org/nginx/rev/4006bf77943b
branches:
changeset: 5556:4006bf77943b
user: Maxim Dounin
date: Wed Feb 05 18:51:30 2014 +0400
description:
Version bump.

diffstat:

src/core/nginx.h | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)

diffs (14 lines):

diff --git a/src/core/nginx.h b/src/core/nginx.h --- a/src/core/nginx.h +++ b/src/core/nginx.h @@ -9,8 +9,8 @@ #define _NGINX_H_INCLUDED_ -#define nginx_version 1005010 -#define NGINX_VERSION "1.5.10" +#define nginx_version 1005011 +#define NGINX_VERSION "1.5.11" #define NGINX_VER "nginx/" NGINX_VERSION #define NGINX_VAR "NGINX"

From mdounin at mdounin.ru Wed Feb 5 15:19:56 2014
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Wed, 05 Feb 2014 15:19:56 +0000
Subject: [nginx] Use ngx_socket_errno where appropriate.
Message-ID:

details: http://hg.nginx.org/nginx/rev/188481078faf
branches:
changeset: 5557:188481078faf
user: Piotr Sikora
date: Mon Feb 03 14:17:17 2014 -0800
description:
Use ngx_socket_errno where appropriate.
Signed-off-by: Piotr Sikora diffstat: src/core/ngx_connection.c | 10 +++++----- src/http/ngx_http_request.c | 2 +- src/http/ngx_http_upstream.c | 4 ++-- src/os/unix/ngx_freebsd_sendfile_chain.c | 2 +- src/os/unix/ngx_linux_sendfile_chain.c | 4 ++-- 5 files changed, 11 insertions(+), 11 deletions(-) diffs (114 lines): diff --git a/src/core/ngx_connection.c b/src/core/ngx_connection.c --- a/src/core/ngx_connection.c +++ b/src/core/ngx_connection.c @@ -244,7 +244,7 @@ ngx_set_inherited_sockets(ngx_cycle_t *c if (getsockopt(ls[i].fd, SOL_SOCKET, SO_ACCEPTFILTER, &af, &olen) == -1) { - err = ngx_errno; + err = ngx_socket_errno; if (err == NGX_EINVAL) { continue; @@ -277,7 +277,7 @@ ngx_set_inherited_sockets(ngx_cycle_t *c if (getsockopt(ls[i].fd, IPPROTO_TCP, TCP_DEFER_ACCEPT, &timeout, &olen) == -1) { - err = ngx_errno; + err = ngx_socket_errno; if (err == NGX_EOPNOTSUPP) { continue; @@ -661,7 +661,7 @@ ngx_configure_listening_sockets(ngx_cycl if (setsockopt(ls[i].fd, SOL_SOCKET, SO_ACCEPTFILTER, NULL, 0) == -1) { - ngx_log_error(NGX_LOG_ALERT, cycle->log, ngx_errno, + ngx_log_error(NGX_LOG_ALERT, cycle->log, ngx_socket_errno, "setsockopt(SO_ACCEPTFILTER, NULL) " "for %V failed, ignored", &ls[i].addr_text); @@ -688,7 +688,7 @@ ngx_configure_listening_sockets(ngx_cycl &af, sizeof(struct accept_filter_arg)) == -1) { - ngx_log_error(NGX_LOG_ALERT, cycle->log, ngx_errno, + ngx_log_error(NGX_LOG_ALERT, cycle->log, ngx_socket_errno, "setsockopt(SO_ACCEPTFILTER, \"%s\") " "for %V failed, ignored", ls[i].accept_filter, &ls[i].addr_text); @@ -721,7 +721,7 @@ ngx_configure_listening_sockets(ngx_cycl &value, sizeof(int)) == -1) { - ngx_log_error(NGX_LOG_ALERT, cycle->log, ngx_errno, + ngx_log_error(NGX_LOG_ALERT, cycle->log, ngx_socket_errno, "setsockopt(TCP_DEFER_ACCEPT, %d) for %V failed, " "ignored", value, &ls[i].addr_text); diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c --- a/src/http/ngx_http_request.c +++ b/src/http/ngx_http_request.c 
@@ -2707,7 +2707,7 @@ ngx_http_test_reading(ngx_http_request_t if (getsockopt(c->fd, SOL_SOCKET, SO_ERROR, (void *) &err, &len) == -1) { - err = ngx_errno; + err = ngx_socket_errno; } goto closed; diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c --- a/src/http/ngx_http_upstream.c +++ b/src/http/ngx_http_upstream.c @@ -1096,7 +1096,7 @@ ngx_http_upstream_check_broken_connectio if (getsockopt(c->fd, SOL_SOCKET, SO_ERROR, (void *) &err, &len) == -1) { - err = ngx_errno; + err = ngx_socket_errno; } if (err) { @@ -1977,7 +1977,7 @@ ngx_http_upstream_test_connect(ngx_conne if (getsockopt(c->fd, SOL_SOCKET, SO_ERROR, (void *) &err, &len) == -1) { - err = ngx_errno; + err = ngx_socket_errno; } if (err) { diff --git a/src/os/unix/ngx_freebsd_sendfile_chain.c b/src/os/unix/ngx_freebsd_sendfile_chain.c --- a/src/os/unix/ngx_freebsd_sendfile_chain.c +++ b/src/os/unix/ngx_freebsd_sendfile_chain.c @@ -231,7 +231,7 @@ ngx_freebsd_sendfile_chain(ngx_connectio && c->tcp_nopush == NGX_TCP_NOPUSH_UNSET) { if (ngx_tcp_nopush(c->fd) == NGX_ERROR) { - err = ngx_errno; + err = ngx_socket_errno; /* * there is a tiny chance to be interrupted, however, diff --git a/src/os/unix/ngx_linux_sendfile_chain.c b/src/os/unix/ngx_linux_sendfile_chain.c --- a/src/os/unix/ngx_linux_sendfile_chain.c +++ b/src/os/unix/ngx_linux_sendfile_chain.c @@ -163,7 +163,7 @@ ngx_linux_sendfile_chain(ngx_connection_ if (setsockopt(c->fd, IPPROTO_TCP, TCP_NODELAY, (const void *) &tcp_nodelay, sizeof(int)) == -1) { - err = ngx_errno; + err = ngx_socket_errno; /* * there is a tiny chance to be interrupted, however, @@ -189,7 +189,7 @@ ngx_linux_sendfile_chain(ngx_connection_ if (c->tcp_nodelay == NGX_TCP_NODELAY_UNSET) { if (ngx_tcp_nopush(c->fd) == NGX_ERROR) { - err = ngx_errno; + err = ngx_socket_errno; /* * there is a tiny chance to be interrupted, however, From mdounin at mdounin.ru Wed Feb 5 15:20:27 2014 
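Review bot: The `@@ -163,7 +163,7 @@ ngx_linux_sendfile_chain` hunk changes the errno read after setsockopt(TCP_NODELAY), which is outside the "ngx_tcp_nopush() checks" exception agreed on earlier in this thread for src/os/unix; it is harmless, because on unix ngx_socket_errno is defined as errno, but in a unix-only file it adds nothing beyond consistency with the ngx_tcp_nopush() check in the `@@ -189,7 +189,7 @@` hunk that follows. A sentence in the commit message saying that the src/os/unix changes are intentionally limited to the two sendfile chains would keep that scope from being questioned again.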
From: mdounin at mdounin.ru (Maxim Dounin) Date: Wed, 5 Feb 2014 19:20:27 +0400 Subject: [PATCH] Use ngx_socket_errno where appropriate. In-Reply-To: <20140205131057.GB27064@lo0.su> References: <20140131043525.GF31221@lo0.su> <20140131113844.GJ1835@mdounin.ru> <20140203130444.GJ1835@mdounin.ru> <20140205131057.GB27064@lo0.su> Message-ID: <20140205152027.GP1835@mdounin.ru> Hello! On Wed, Feb 05, 2014 at 05:10:57PM +0400, Ruslan Ermilov wrote: > On Mon, Feb 03, 2014 at 02:22:39PM -0800, Piotr Sikora wrote: > > Hey, > > > > > Note that I still agree with Ruslan's comments to your patch, use > > > of ngx_socket_errno to check errors from ioctl() / fcntl() in > > > unix-specific code looks unneeded. And in case of eventfd - it > > > looks certainly wrong, as eventfd isn't a socket. > > > > > > I would rather drop most of the src/os/unix changes, probably with > > > the exception of ngx_tcp_nopush() checks. > > > > Done. > > Your latest patch looks good to me. Same here. Committed, thanks. -- Maxim Dounin http://nginx.org/ From sorin.v.manole at gmail.com Wed Feb 5 15:33:51 2014 
From: sorin.v.manole at gmail.com (Sorin Manole)
Date: Wed, 5 Feb 2014 17:33:51 +0200
Subject: proxy_pass without buffering and request filter question
Message-ID:

Hello fellow nginxers,

From searching the Internet I gathered that proxying requests to a backend without buffering the whole body wasn't available at the time the question was asked. Is this still the case?
If yes, is this a limitation of the nginx core (lack of implementation of a phase for request body processing) or of the proxy_pass module or of the upstream module?
Could you give some more details of the limitation and whether the reason for it still not being implemented is the lack of user requests or the technical difficulty?
More specifically, how feasible do you think it would be for someone (like me) to do this? Does it involve significant changes to the current design?

Thank you,
Sorin.

From piotr at cloudflare.com Wed Feb 5 23:13:26 2014
From: piotr at cloudflare.com (Piotr Sikora)
Date: Wed, 5 Feb 2014 15:13:26 -0800
Subject: [PATCH] SSL: add "{proxy,uwsgi}_ssl_server_name" directives
In-Reply-To:
References: <92b99bb6851da6c2c72b.1391567415@piotrs-macbook-pro.local>
Message-ID:

Hey guys,
please hold on with the review, it looks that I sent this a bit too early... I forgot that nginx officially supports ancient OpenSSL releases and I managed to introduce a memory leak.

Stay tuned for the revisited patch.

Best regards,
Piotr Sikora

From mdounin at mdounin.ru Thu Feb 6 11:20:13 2014
From: mdounin at mdounin.ru (Maxim Dounin) Date: Thu, 6 Feb 2014 15:20:13 +0400 Subject: [PATCH] SSL: add "{proxy,uwsgi}_ssl_server_name" directives In-Reply-To: References: <92b99bb6851da6c2c72b.1391567415@piotrs-macbook-pro.local> Message-ID: <20140206112013.GT1835@mdounin.ru> Hello! On Wed, Feb 05, 2014 at 03:13:26PM -0800, Piotr Sikora wrote: > Hey guys, > please hold on with the review, it looks that I sent this a bit too > early... I forgot that nginx officially supports ancient OpenSSL > releases and I managed to introduce memory leak. > > Stay tuned for the revisited patch. Just a quick comment: using ccv->zero might be a better idea than using additional allocation and memcpy() to add trailing zero. -- Maxim Dounin http://nginx.org/ From yaoweibin at gmail.com Thu Feb 6 13:06:25 2014 
From: yaoweibin at gmail.com (Weibin Yao)
Date: Thu, 6 Feb 2014 21:06:25 +0800
Subject: proxy_pass without buffering and request filter question
In-Reply-To:
References:
Message-ID:

You may look at the patch I wrote as an example (http://yaoweibin.cn/patches/).

Thank you.

2014-02-05 23:33 GMT+08:00 Sorin Manole :

> Hello fellow nginxers,
>
> From searching the Internet I gathered that proxying requests to a backend
> without buffering the whole body wasn't available at the time the question
> was asked. Is this still the case?
> If yes, is this a limitation of the nginx core (lack of implementation of a
> phase for request body processing) or of the proxy_pass module or of the
> upstream module?
> Could you give some more details of the limitation and whether the reason
> for it still not being implemented is the lack of user requests or the
> technical difficulty?
> More specifically, how feasible do you think it would be for someone (like
> me) to do this? Does it involve significant changes to the current design?
>
> Thank you,
> Sorin.
>
> _______________________________________________
> nginx-devel mailing list
> nginx-devel at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel

-- 
Weibin Yao
Developer @ Server Platform Team of Taobao

From mdounin at mdounin.ru Thu Feb 6 16:09:55 2014
From: mdounin at mdounin.ru (Maxim Dounin) Date: Thu, 6 Feb 2014 20:09:55 +0400 Subject: [PATCH] SSL: add "{proxy, uwsgi}_ssl_verify" and supporting directives In-Reply-To: References: Message-ID: <20140206160955.GH1835@mdounin.ru> Hello! On Tue, Feb 04, 2014 at 10:54:47PM -0800, Piotr Sikora wrote: > # HG changeset patch > # User Piotr Sikora > # Date 1391582213 28800 > # Tue Feb 04 22:36:53 2014 -0800 > # Node ID e7704dcea76c83708cd8bf01709e15dc658871ae > # Parent f0129ac05ced1ee418fa97dbbae35f3c0b831992 > SSL: add "{proxy,uwsgi}_ssl_verify" and supporting directives. Nitpicking: It may be better to write about "proxy_..." directives, and mention uwsgi counterparts separately and/or introduce them in a separate patch. Cryptic names to mention all the modules aren't very readable and hardly searchable, so we generally try to avoid them now. > Verify SSL certificate when connecting to an SSL upstream. > > "{proxy,uwsgi}_ssl_verify" directives support 3 modes: > - off - don't verify upstream's SSL certificate (default), > - on - verify validity and trust of upstream's SSL certificate, > - server_name - same as above, but when SNI is used, also verify > that it matches one of the hostnames in the certificate. This > mode requires OpenSSL-1.0.2+. I don't really like this approach of a special "server_name" value and SNI dependency, it looks counterintuitive. Peer name verification should be done by default, and probably there should be a separate option to turn it off if needed for some reason. I believe the main reason for SNI dependency is a name to verify against. In case of proxy, shouldn't it be $proxy_host by default? 
Something like this: proxy_ssl_verify on; proxy_ssl_name $proxy_host; or this: proxy_ssl_verify on; proxy_ssl_verify_name off; And the same name probably may be used for SNI, with an additional flag to switch it on, like this: proxy_ssl_sni on; proxy_ssl_name $proxy_host; (Well, it might be better to introduce something more generic to also resolve default proxy_cache_key vs. "proxy_set_header Host" issue, but I don't see any obvious solution yet.) What do you think? [...] > diff -r f0129ac05ced -r e7704dcea76c src/http/modules/ngx_http_upstream_keepalive_module.c > --- a/src/http/modules/ngx_http_upstream_keepalive_module.c Tue Feb 04 22:36:41 2014 -0800 > +++ b/src/http/modules/ngx_http_upstream_keepalive_module.c Tue Feb 04 22:36:53 2014 -0800 > @@ -51,6 +51,7 @@ typedef struct { > > #if (NGX_HTTP_SSL) > ngx_str_t server_name; > + unsigned verify:2; > #endif > > } ngx_http_upstream_keepalive_cache_t; > @@ -250,6 +251,7 @@ ngx_http_upstream_get_keepalive_peer(ngx > || ngx_strncmp(pc->server_name.data, item->server_name.data, > pc->server_name.len) > == 0) > + && (pc->verify <= item->verify) > #endif > ) > { > @@ -372,6 +374,8 @@ ngx_http_upstream_free_keepalive_peer(ng > pc->server_name.len); > } > > + item->verify = pc->verify; > + > #endif > > if (c->read->ready) { Not sure if it's needed at all. I think we can safely assume that verification options are the same in all cases. -- Maxim Dounin http://nginx.org/ From piotr at cloudflare.com Thu Feb 6 22:38:30 2014 
From: piotr at cloudflare.com (Piotr Sikora)
Date: Thu, 6 Feb 2014 14:38:30 -0800
Subject: [PATCH] SSL: add "{proxy, uwsgi}_ssl_verify" and supporting directives
In-Reply-To: <20140206160955.GH1835@mdounin.ru>
References: <20140206160955.GH1835@mdounin.ru>
Message-ID:

Hey Maxim,

> Nitpicking:
>
> It may be better to write about "proxy_..." directives, and
> mention uwsgi counterparts separately and/or introduce them in a
> separate patch. Cryptic names to mention all the modules aren't
> very readable and hardly searchable, so we generally try to avoid
> them now.

Will do.

> I don't really like this approach of a special "server_name" value
> and SNI dependency, it looks counterintuitive. Peer name
> verification should be done by default, and probably there should
> be a separate option to turn it off if needed for some reason.
>
> I believe the main reason for SNI dependency is a name to verify
> against. In case of proxy, shouldn't it be $proxy_host by
> default?

I strongly disagree with you on that. IMHO, peer has no obligation to deliver certificate matching hostname if we don't ask for it using SNI and therefore we can't complain if it doesn't match.

> Something like this:
>
> proxy_ssl_verify on;
> proxy_ssl_name $proxy_host;
>
> or this:
>
> proxy_ssl_verify on;
> proxy_ssl_verify_name off;
>
> And the same name probably may be used for SNI, with an
> additional flag to switch it on, like this:
>
> proxy_ssl_sni on;
> proxy_ssl_name $proxy_host;
>
> (Well, it might be better to introduce something more generic to
> also resolve default proxy_cache_key vs. "proxy_set_header Host"
> issue, but I don't see any obvious solution yet.)
>
> What do you think?

What about defaults being:

proxy_ssl_verify on;
proxy_ssl_server_name $proxy_host;

where "proxy_ssl_verify on" automatically checks server name if supported (basically, merging "server_name" and "on" from my patch)?

> Not sure if it's needed at all. I think we can safely assume that
> verification options are the same in all cases.

I'd rather be safe and do one more comparison than allow server block with proxy SSL verification to reuse connection established by a server block without it.

Best regards,
Piotr Sikora

From piotr at cloudflare.com Thu Feb 6 22:39:57 2014
From: piotr at cloudflare.com (Piotr Sikora)
Date: Thu, 6 Feb 2014 14:39:57 -0800
Subject: [PATCH] SSL: add "{proxy,uwsgi}_ssl_server_name" directives
In-Reply-To: <20140206112013.GT1835@mdounin.ru>
References: <92b99bb6851da6c2c72b.1391567415@piotrs-macbook-pro.local> <20140206112013.GT1835@mdounin.ru>
Message-ID:

Hey Maxim,

> Just a quick comment: using ccv->zero might be a better idea than
> using additional allocation and memcpy() to add trailing zero.

Thanks! I knew this had to be a solved issue, but I didn't know about ccv->zero.

Best regards,
Piotr Sikora

From mdounin at mdounin.ru Fri Feb 7 00:03:19 2014
From: mdounin at mdounin.ru (Maxim Dounin) Date: Fri, 7 Feb 2014 04:03:19 +0400 Subject: [PATCH] SSL: add "{proxy, uwsgi}_ssl_verify" and supporting directives In-Reply-To: References: <20140206160955.GH1835@mdounin.ru> Message-ID: <20140207000319.GL1835@mdounin.ru> Hello! On Thu, Feb 06, 2014 at 02:38:30PM -0800, Piotr Sikora wrote: > > I don't really like this approach of a special "server_name" value > > and SNI dependency, it looks counterintuitive. Peer name > > verification should be done by default, and probably there should > > be a separate option to turn it off if needed for some reason. > > > > I believe the main reason for SNI dependency is a name to verify > > against. In case of proxy, shouldn't it be $proxy_host by > > default? > > I strongly disagree with you on that. IMHO, peer has no obligation to > deliver certificate matching hostname if we don't ask for it using SNI > and therefore we can't complain if it doesn't match. Uhm? SSL used to work without SNI for years, and works now as SNI still not supported by many clients. The name asked by a connecting to an IP address into which the name resolves. > > Something like this: > > > > proxy_ssl_verify on; > > proxy_ssl_name $proxy_host; > > > > or this: > > > > proxy_ssl_verify on; > > proxy_ssl_verify_name off; > > > > And the same name probably may be used for SNI, with an > > additional flag to switch it on, like this: > > > > proxy_ssl_sni on; > > proxy_ssl_name $proxy_host; > > > > (Well, it might be better to introduce something more generic to > > also resolve default proxy_cache_key vs. "proxy_set_header Host" > > issue, but I don't see any obvious solution yet.) > > > > What do you think? > > What about defaults being: > > proxy_ssl_verify on; > proxy_ssl_server_name $proxy_host; > > where "proxy_ssl_verify on" automatically checks server name if > supported (basically, merging "server_name" and "on" from my patch)? 
I think that automatic checking peer name is how it should work (I believe examples above imply this, please let me know if you need more clarification on the proposal above). Moreover, I think it should complain if verify is on but checking isn't supported, and ask administrator to explicitly switch off peer name check.

I strongly disagree with the idea of verify being on by default though, at least for now, it will break too many configurations.

And I also think that there should be a way to at least switch off SNI, and do this independently from peer verification.

> > Not sure if it's needed at all. I think we can safely assume that
> > verification options are the same in all cases.
>
> I'd rather be safe and do one more comparison than allow server block
> with proxy SSL verification to reuse connection established by a
> server block without it.

My point is that connections can be quite different anyway, and e.g. have much different ciphers negotiated (up to eNULL ciphers I think). It's up to administrator to configure upstream{} blocks appropriately to avoid such clashes if they aren't allowed.

-- 
Maxim Dounin
http://nginx.org/

From piotr at cloudflare.com Fri Feb 7 02:40:29 2014
From: piotr at cloudflare.com (Piotr Sikora)
Date: Thu, 6 Feb 2014 18:40:29 -0800
Subject: [PATCH] SSL: add "{proxy, uwsgi}_ssl_verify" and supporting directives
In-Reply-To: <20140207000319.GL1835@mdounin.ru>
References: <20140206160955.GH1835@mdounin.ru> <20140207000319.GL1835@mdounin.ru>
Message-ID:

Hey Maxim,

> I think that automatic checking peer name is how it should work (I
> believe examples above imply this, please let me know if you need
> more clarification on the proposal above). Moreover, I think it
> should complain if verify is on but checking isn't supported, and
> ask administrator to explicitly switch off peer name check.
>
> I strongly disagree with the idea of verify being on by default
> though, at least for now, it will break too many configurations.
>
> And I also think that there should be a way to at least switch off
> SNI, and do this independently from peer verification.

Got it, I mis-read your previous comment.

To make sure we're on the same page:
- proxy_ssl_name - complex value, defaults to $proxy_host,
- proxy_ssl_verify - on / no_name / off (default) switch, verifies upstream's certificate and optionally checks that it matches value from proxy_ssl_name,
- proxy_ssl_server_name - on (default) / off switch, sends value from proxy_ssl_name to SNI to upstream.

I don't like adding proxy_ssl_verify_name directive just to configure the host checking logic. IMHO, it's part of the verification process and should be configurable via proxy_ssl_verify.

I'm also not 100% convinced that we should allow users to configure proxy_ssl_name... Maybe just force it to $proxy_host?

Does it match your proposal or did I miss something?

Regarding complaining - do we want to re-implement X509_check_host() (from OpenSSL-1.0.2) or do we want to complain to virtually anybody that turns upstream SSL verification on?

> My point is that connections can be quite different anyway, and
> e.g. have much different ciphers negotiated (up to eNULL ciphers I
> think). It's up to administrator to configure upstream{} blocks
> appropriately to avoid such clashes if they aren't allowed.

Ah, right, I forgot about the SSL connection parameters.

Best regards,
Piotr Sikora

From mdounin at mdounin.ru Fri Feb 7 10:58:18 2014
From: mdounin at mdounin.ru (Maxim Dounin) Date: Fri, 7 Feb 2014 14:58:18 +0400 Subject: [PATCH] SSL: add "{proxy, uwsgi}_ssl_verify" and supporting directives In-Reply-To: References: <20140206160955.GH1835@mdounin.ru> <20140207000319.GL1835@mdounin.ru> Message-ID: <20140207105818.GQ1835@mdounin.ru> Hello! On Thu, Feb 06, 2014 at 06:40:29PM -0800, Piotr Sikora wrote: > Hey Maxim, > > > I think that automatic checking peer name is how it should work (I > > believe examples above imply this, please let me know if you need > > more clarification on the proposal above). Moreover, I think it > > should complain if verify is on but checking isn't supported, and > > ask administrator to explicitly switch off peer name check. > > > > I strongly disagree with the idea of verify being on by default > > though, at least for now, it will break too many configurations. > > > > And I also think that there should be a way to at least switch off > > SNI, and do this independently from peer verification. > > Got it, I mis-read your previous comment. > > To make sure we're on the same page: > - proxy_ssl_name - complex value, defaults to $proxy_host, > - proxy_ssl_verify - on / no_name / off (default) switch, verifies > upstream's certificate and optionally checks that it matches value > from proxy_ssl_name, > - proxy_ssl_server_name - on (default) / off switch, sends value from > proxy_ssl_name to SNI to upstream. > > I don't like adding proxy_ssl_verify_name directive just to configure > the host checking logic. IMHO, it's part of the verification process > and should be configureable via proxy_ssl_verify. Well, there is no real difference, but I think that it would be easier to use distinct flags instead. Note that it also matches what Apache has: http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslproxycheckpeername By looking around you may also find various other flags in Apache to control verification (like SSLProxyCheckPeerExpire). 
I suspect eventually we may need to add at least some of them. Having all this controlled in a single directive would be a pain.

My original suggestion is as follows:

proxy_ssl_name
    default: $proxy_host
    complex value, controls a name used in SNI (if enabled)

proxy_ssl_verify on|off
    default: off
    flag, controls if remote certificate verification is enabled

proxy_ssl_verify_name on|off
    default: on
    flag, controls if remote certificate verification needs to check peer's name; must be explicitly switched off if certificate verification is switched on, but the name can't be checked due to too old OpenSSL

proxy_ssl_sni on|off
    default: off (?)
    flag, controls if SNI (Server Name Indication) will be used while connecting to backends;

(I tend to think that "proxy_ssl_sni" is a better name compared to "proxy_ssl_server_name", as Server Name Indication is usually called SNI in various places.)

> I'm also not 100% convinced that we should allow users to configure
> proxy_ssl_name... Maybe just force it to $proxy_host?

Certainly we should. There are lots of configurations where something like "proxy_set_header Host $host" is used to override hostname in a request to upstream, and forcing $proxy_host as a name for SNI and certificate verification would be a bad idea.

> Does it match your proposal or did I miss something?

Mostly, see above.

> Regarding complaining - do we want to re-implement X509_check_host()
> (from OpenSSL-1.0.2) or do we want to complain to virtually anybody
> that turns upstream SSL verification on?

Well, I think it would be fine to have some fallback for current OpenSSL versions. But given the amount of code it adds, I'm ok with something simplified, up to unconditional rejection of all certificates if OpenSSL isn't 1.0.2+, at least for now.

-- 
Maxim Dounin
http://nginx.org/

From fdasilvayy at gmail.com Mon Feb 10 08:50:22 2014
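The peer-name check that a proxy_ssl_verify_name fallback would need on OpenSSL builds without X509_check_host(), together with a small model of the verify / verify_name switches discussed in this thread, as an added example in Python; this is not nginx code and not from any participant. The certificate dicts follow the layout of Python's ssl.getpeercert() and are constructed inline, and the chain_trusted parameter stands in for the result of chain verification.

```python
"""
Hostname matching of the kind X509_check_host() performs, plus a model of
the proposed proxy_ssl_verify / proxy_ssl_verify_name semantics.
Added example; certificates below are constructed, not real.
"""


def _match_pattern(pattern, hostname):
    """Match one certificate name against a hostname (case-insensitive).

    A single '*' is accepted only as the whole left-most label and only when
    at least two more labels follow, so '*.example.com' matches
    'www.example.com' but not 'example.com' or 'a.b.example.com', and
    '*.com' matches nothing."""
    pattern = pattern.lower().rstrip('.')
    hostname = hostname.lower().rstrip('.')
    if not pattern or not hostname:
        return False
    if '*' not in pattern:
        return pattern == hostname
    plabels = pattern.split('.')
    hlabels = hostname.split('.')
    if plabels[0] != '*' or len(plabels) < 3 or any('*' in label for label in plabels[1:]):
        return False
    return len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:]


def peer_names(cert):
    """Return (dns_names, common_name) from a dict in ssl.getpeercert() layout."""
    dns_names = [value for kind, value in cert.get('subjectAltName', ()) if kind == 'DNS']
    common_name = None
    for rdn in cert.get('subject', ()):
        for attr, value in rdn:
            if attr == 'commonName':
                common_name = value
    return dns_names, common_name


def check_peer_name(cert, name):
    """True when the certificate is issued for `name`.

    When the certificate carries dNSName SAN entries the CN is ignored (the
    default X509_check_host() behaviour); the CN is consulted only for
    certificates without any dNSName."""
    dns_names, common_name = peer_names(cert)
    if dns_names:
        return any(_match_pattern(p, name) for p in dns_names)
    return common_name is not None and _match_pattern(common_name, name)


def verify_upstream(cert, name, verify, verify_name=True, chain_trusted=False):
    """Model the proposed proxy_ssl_verify / proxy_ssl_verify_name switches.

    `name` plays the role of proxy_ssl_name; returns (accepted, reason)."""
    if not verify:
        return True, 'proxy_ssl_verify off: certificate not checked'
    if not chain_trusted:
        return False, 'certificate chain is not trusted'
    if verify_name and not check_peer_name(cert, name):
        return False, 'certificate is not issued for %s' % name
    return True, 'verified'


# constructed sample certificate: SAN with one exact and one wildcard name,
# and a CN that is deliberately absent from the SAN
SAMPLE_CERT = {
    'subject': ((('commonName', 'backend.example.com'),),),
    'subjectAltName': (('DNS', 'api.example.com'), ('DNS', '*.internal.example.com')),
}

if __name__ == '__main__':
    for host in ('api.example.com', 'db.internal.example.com', 'backend.example.com'):
        print(host, verify_upstream(SAMPLE_CERT, host, verify=True, chain_trusted=True))
```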
From: fdasilvayy at gmail.com (Filipe da Silva) Date: Mon, 10 Feb 2014 09:50:22 +0100 Subject: [PATCH] Mail: add IMAP ID command support (RFC2971) In-Reply-To: <20140122181057.GQ1835@mdounin.ru> References: <20140122181057.GQ1835@mdounin.ru> Message-ID: # HG changeset patch # User Filipe da Silva # Date 1392021996 -3600 # Mon Feb 10 09:46:36 2014 +0100 # Node ID dec4454e6b1327d7737ae95db9f713cc9117ab81 # Parent 887e5abf8446603d9163a8cd011f14fab57e2a3a Mail: add IMAP ID command support (RFC2971). Parse the ID command and its arguments( NIL or params_list) Handle the server response to ID command. It accepts : tag ID NIL tag ID ( "Key" "Value" ) tag ID ( "Key" NIL ) tag ID () diff -r 887e5abf8446 -r dec4454e6b13 src/mail/ngx_mail.h --- a/src/mail/ngx_mail.h Mon Feb 10 09:46:36 2014 +0100 +++ b/src/mail/ngx_mail.h Mon Feb 10 09:46:36 2014 +0100 @@ -215,6 +215,7 @@ typedef struct { unsigned quoted:1; unsigned backslash:1; unsigned no_sync_literal:1; + unsigned params_list:1; unsigned starttls:1; unsigned esmtp:1; unsigned auth_method:3; @@ -233,6 +234,7 @@ typedef struct { ngx_str_t smtp_helo; ngx_str_t smtp_from; ngx_str_t smtp_to; + ngx_str_t imap_id; ngx_str_t cmd; @@ -279,10 +281,10 @@ typedef struct { #define NGX_IMAP_CAPABILITY 3 #define NGX_IMAP_NOOP 4 #define NGX_IMAP_STARTTLS 5 +#define NGX_IMAP_AUTHENTICATE 6 +#define NGX_IMAP_ID 7 -#define NGX_IMAP_NEXT 6 - -#define NGX_IMAP_AUTHENTICATE 7 +#define NGX_IMAP_NEXT 8 #define NGX_SMTP_HELO 1 diff -r 887e5abf8446 -r dec4454e6b13 src/mail/ngx_mail_imap_handler.c --- a/src/mail/ngx_mail_imap_handler.c Mon Feb 10 09:46:36 2014 +0100 +++ b/src/mail/ngx_mail_imap_handler.c Mon Feb 10 09:46:36 2014 +0100 
@@ -18,6 +18,8 @@ static ngx_int_t ngx_mail_imap_authentic ngx_connection_t *c); static ngx_int_t ngx_mail_imap_capability(ngx_mail_session_t *s, ngx_connection_t *c); +static ngx_int_t ngx_mail_imap_id(ngx_mail_session_t *s, + ngx_connection_t *c); static ngx_int_t ngx_mail_imap_starttls(ngx_mail_session_t *s, ngx_connection_t *c); @@ -31,6 +33,7 @@ static u_char imap_username[] = "+ VXNl static u_char imap_password[] = "+ UGFzc3dvcmQ6" CRLF; static u_char imap_bye[] = "* BYE" CRLF; static u_char imap_invalid_command[] = "BAD invalid command" CRLF; +static u_char imap_server_id_nil[] = "* ID NIL" CRLF; void @@ -183,6 +186,10 @@ ngx_mail_imap_auth_state(ngx_event_t *re rc = ngx_mail_imap_capability(s, c); break; + case NGX_IMAP_ID: + rc = ngx_mail_imap_id(s, c); + break; + case NGX_IMAP_LOGOUT: s->quit = 1; ngx_str_set(&s->text, imap_bye); 
@@ -438,6 +445,70 @@ ngx_mail_imap_capability(ngx_mail_sessio static ngx_int_t +ngx_mail_imap_id(ngx_mail_session_t *s, ngx_connection_t *c) +{ + ngx_uint_t i; + ngx_str_t *arg, cmd; + + arg = s->args.elts; + cmd.data = s->tag.data + s->tag.len; + cmd.len = s->arg_end - cmd.data; + + /* client may send 'tag ID NIL' */ + if (s->args.nelts == 1) { + if (cmd.len != 6 + || ngx_strncasecmp(cmd.data, (u_char *) "ID NIL", 6) != 0) + { + ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0, + "Invalid argument supplied:\"%V\"", &cmd); + return NGX_MAIL_PARSE_INVALID_COMMAND; + } + + goto valid; + } + + /* + * Client may send 'tag ID ( "Key" "value" )'. + * Only even list count is allowed. + */ + if (s->args.nelts % 2 != 0) { + return NGX_MAIL_PARSE_INVALID_COMMAND; + } + + for (i = 0; i < s->args.nelts; i += 2) { + + if ( arg[i].len == 0) { + ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0, + "ID empty key #%ui name : \"\"", i ); + return NGX_MAIL_PARSE_INVALID_COMMAND; + } + else if (arg[i].len > 30) { + ngx_log_debug2(NGX_LOG_DEBUG_MAIL, c->log, 0, + "ID Key #%ui name \"%V\" is too long", i, &arg[i]); + return NGX_MAIL_PARSE_INVALID_COMMAND; + } + } + +valid: + s->imap_id.len = cmd.len; + s->imap_id.data = ngx_pnalloc(c->pool, cmd.len); + if (s->imap_id.data == NULL) { + return NGX_ERROR; + } + + ngx_memcpy(s->imap_id.data, cmd.data, cmd.len); + + ngx_log_debug2(NGX_LOG_DEBUG_MAIL, c->log, 0, + "imap client ID:\"%V%V\"", &s->tag, &s->imap_id); + + /* prepare server response to ID command */ + ngx_str_set(&s->text, imap_server_id_nil); + + return NGX_OK; +} + + +static ngx_int_t ngx_mail_imap_starttls(ngx_mail_session_t *s, ngx_connection_t *c) { #if (NGX_MAIL_SSL) diff -r 887e5abf8446 -r dec4454e6b13 src/mail/ngx_mail_parse.c --- a/src/mail/ngx_mail_parse.c Mon Feb 10 09:46:36 2014 +0100 +++ b/src/mail/ngx_mail_parse.c Mon Feb 10 09:46:36 2014 +0100 
@@ -280,6 +280,17 @@ ngx_mail_imap_parse_command(ngx_mail_ses switch (p - c) { + case 2: + if ((c[0] == 'I' || c[0] == 'i') + && (c[1] == 'D'|| c[1] == 'd')) + { + s->command = NGX_IMAP_ID; + + } else { + goto invalid; + } + break; + case 4: if ((c[0] == 'N' || c[0] == 'n') && (c[1] == 'O'|| c[1] == 'o') @@ -385,6 +396,9 @@ ngx_mail_imap_parse_command(ngx_mail_ses goto invalid; } + s->cmd.data = s->cmd_start; + s->cmd.len = p - s->cmd_start; + switch (ch) { case ' ': state = sw_spaces_before_argument; @@ -409,14 +423,33 @@ ngx_mail_imap_parse_command(ngx_mail_ses case ' ': break; case CR: + if (s->params_list) { + goto invalid; + } state = sw_almost_done; s->arg_end = p; break; case LF: + if (s->params_list) { + goto invalid; + } s->arg_end = p; goto done; + case '(': + if (!s->params_list && s->args.nelts == 0) { + s->params_list = 1; + break; + } + goto invalid; + case ')': + if (s->params_list && s->args.nelts % 2 == 0) { + s->params_list = 0; + break; + } + goto invalid; case '"': - if (s->args.nelts <= 2) { + if (s->args.nelts <= 2 + || (s->params_list && s->args.nelts < 60)) { s->quoted = 1; s->arg_start = p + 1; state = sw_argument; @@ -430,7 +463,8 @@ ngx_mail_imap_parse_command(ngx_mail_ses } goto invalid; default: - if (s->args.nelts <= 2) { + if (s->args.nelts <= 2 + || (s->params_list && s->args.nelts < 60)) { s->arg_start = p; state = sw_argument; break; @@ -443,6 +477,9 @@ ngx_mail_imap_parse_command(ngx_mail_ses if (ch == ' ' && s->quoted) { break; } + if (ch == ')' && s->quoted) { + break; + } switch (ch) { case '"': @@ -451,6 +488,7 @@ ngx_mail_imap_parse_command(ngx_mail_ses } s->quoted = 0; /* fall through */ + case ')': case ' ': case CR: case LF: 
@@ -462,15 +500,42 @@ ngx_mail_imap_parse_command(ngx_mail_ses arg->data = s->arg_start; s->arg_start = NULL; + /* only accepts 'nil' as keyword in arguments */ + if ( s->command == NGX_IMAP_ID && ch != '"') { + c = arg->data; + if (arg->len != 3 + || (c[0] != 'N' && c[0] != 'n') + || (c[1] != 'I' && c[1] != 'i') + || (c[2] != 'L' && c[2] != 'l')) { + goto invalid; + } + /* only accepts 'nil' as value in id_params_list */ + if (s->params_list && s->args.nelts % 2 != 0) { + goto invalid; + } + } + switch (ch) { + case ')': + if (!s->params_list) { + goto invalid; + } + s->params_list = 0; + /* fall through */ case '"': case ' ': state = sw_spaces_before_argument; break; case CR: + if (s->params_list) + goto invalid; state = sw_almost_done; + s->arg_end = p; break; case LF: + if (s->params_list) + goto invalid; + s->arg_end = p; goto done; } break; @@ -614,6 +679,7 @@ invalid: s->quoted = 0; s->no_sync_literal = 0; s->literal_len = 0; + s->params_list = 0; return NGX_MAIL_PARSE_INVALID_COMMAND; } -------------- next part -------------- A non-text attachment was scrubbed... Name: 000-ImapID_CommandSupport.diff Type: text/x-patch Size: 9778 bytes Desc: not available URL: From fdasilvayy at gmail.com Mon Feb 10 09:02:51 2014 From: fdasilvayy at gmail.com (Filipe da Silva) Date: Mon, 10 Feb 2014 10:02:51 +0100 Subject: [PATCH] Mail: ngx_mail_session_t 'protocol' field resize Message-ID: <9e519ec4328ab9b8dd06.1392022971@HPC> # HG changeset patch # User Filipe da Silva # Date 1389727364 -3600 # Tue Jan 14 20:22:44 2014 +0100 # Node ID 9e519ec4328ab9b8dd0639e1f9321f62f9bce287 # Parent 188481078faf4b2bff88a4086d6d509730f90099 Mail: ngx_mail_session_t 'protocol' field resize As possible values are NGX_MAIL_*_PROTOCOL(0,1,2) diff -r 188481078faf -r 9e519ec4328a src/mail/ngx_mail.h --- a/src/mail/ngx_mail.h Mon Feb 03 14:17:17 2014 -0800 +++ b/src/mail/ngx_mail.h Tue Jan 14 20:22:44 2014 +0100 
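Review bot: in the ngx_mail_imap_id() hunk of the IMAP ID patch (src/mail/ngx_mail_imap_handler.c, @@ -438,6 +445,70) only the key length is bounded (`arg[i].len > 30`) while values are copied into s->imap_id unchecked, although RFC 2971 section 3.3, which the commit cites, also caps value strings at 1024 octets; add the matching check on arg[i + 1].len in the same loop. Style in the same hunk: `if ( arg[i].len == 0)` and `i )` carry stray spaces, the `else if` after a `return` should be a plain `if`, and the debug messages ("Invalid argument supplied", "ID Key #%ui name") should be lowercase like the other messages in the file.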
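Review bot: the src/mail/ngx_mail.h hunk of the IMAP ID patch adds `ngx_str_t imap_id` and ngx_mail_imap_id() fills it, but nothing in the patch reads it afterwards; either drop the field and the ngx_pnalloc()/ngx_memcpy() until a consumer lands, or state the intended use in the commit message.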
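Review bot: in the sw_spaces_before_argument hunk of src/mail/ngx_mail_parse.c (@@ -409,14 +423,33) the new `case '('` is gated only on `!s->params_list && s->args.nelts == 0`, not on `s->command == NGX_IMAP_ID`, so a parenthesised list is also accepted for LOGIN and the other commands, and the literal 60 in `s->args.nelts < 60` appears twice without saying it encodes the 30-pair limit; gate the list on the ID command and use a named constant with a comment. In the sw_argument hunk (@@ -462,15 +500,42) `if (s->params_list) goto invalid;` is written twice without braces, unlike the rest of the file.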
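The argument grammar the IMAP ID patch above accepts (`tag ID NIL`, `tag ID ()`, `tag ID ("key" "value" ...)`, `tag ID ("key" NIL)`), as an added Python example that is not nginx code and not part of the patch; it ignores backslash escapes inside quoted strings, and it additionally enforces the RFC 2971 1024-octet value limit that the patch leaves unchecked. The tagged OK text in server_reply() is an assumption, not nginx's literal.

```python
"""
Validation of the IMAP ID command (RFC 2971) along the lines the patch
enforces: the argument is either NIL or a parenthesised list of
("key" value) pairs, at most 30 pairs, keys quoted, non-empty and at most
30 octets, values either quoted or the unquoted atom NIL.
"""

MAX_PAIRS = 30        # RFC 2971: no more than 30 field/value pairs (patch: nelts < 60)
MAX_KEY_LEN = 30      # RFC 2971: field strings at most 30 octets (patch: arg[i].len > 30)
MAX_VALUE_LEN = 1024  # RFC 2971: value strings at most 1024 octets (not checked by the patch)


class ImapParseError(ValueError):
    """Raised where nginx would answer 'BAD invalid command'."""


def _tokenize(text):
    """Split the argument text into ('quoted', s), ('atom', s), ('(', '(') and (')', ')') tokens."""
    tokens, i, n = [], 0, len(text)
    while i < n:
        ch = text[i]
        if ch == ' ':
            i += 1
        elif ch in '()':
            tokens.append((ch, ch))
            i += 1
        elif ch == '"':
            # ' ' and ')' inside a quoted string are literal, as in the patch's sw_argument state
            end = text.find('"', i + 1)
            if end < 0:
                raise ImapParseError('unterminated quoted string')
            tokens.append(('quoted', text[i + 1:end]))
            i = end + 1
        else:
            j = i
            while j < n and text[j] not in ' ()"':
                j += 1
            tokens.append(('atom', text[i:j]))
            i = j
    return tokens


def parse_id_command(line):
    """Parse 'tag ID <args>' (trailing CRLF optional) and return (tag, params).

    params is None for 'tag ID NIL' and a dict for a parenthesised list,
    with None as the value of a pair whose value was NIL."""
    stripped = line.rstrip('\r\n')
    if '\r' in stripped or '\n' in stripped:
        raise ImapParseError('line break inside the command')
    parts = stripped.split(' ', 2)
    if len(parts) < 3 or parts[1].upper() != 'ID':
        raise ImapParseError('not an ID command with arguments')
    tag, tokens = parts[0], _tokenize(parts[2])
    if len(tokens) == 1 and tokens[0][0] == 'atom' and tokens[0][1].upper() == 'NIL':
        return tag, None
    if len(tokens) < 2 or tokens[0] != ('(', '(') or tokens[-1] != (')', ')'):
        raise ImapParseError('expected NIL or a parenthesised list')
    items = tokens[1:-1]
    if any(kind in ('(', ')') for kind, _ in items):
        raise ImapParseError('nested or unbalanced parentheses')
    if len(items) % 2:
        raise ImapParseError('odd number of list elements')
    if len(items) // 2 > MAX_PAIRS:
        raise ImapParseError('too many field/value pairs')
    params = {}
    for (kkind, key), (vkind, value) in zip(items[0::2], items[1::2]):
        if kkind != 'quoted' or not key or len(key) > MAX_KEY_LEN:
            raise ImapParseError('field name must be a quoted string of 1..30 octets')
        if vkind == 'atom':
            if value.upper() != 'NIL':
                raise ImapParseError('only NIL is accepted as an unquoted value')
            value = None
        elif len(value) > MAX_VALUE_LEN:
            raise ImapParseError('value longer than 1024 octets')
        params[key] = value
    return tag, params


def is_valid_id(line):
    """True when the line is an ID command this parser accepts."""
    try:
        parse_id_command(line)
        return True
    except ImapParseError:
        return False


def server_reply(tag):
    """Reply as the patch does: untagged '* ID NIL' (the server discloses no
    identity), then the tagged OK (assumed wording)."""
    return '* ID NIL\r\n%s OK ID completed\r\n' % tag


if __name__ == '__main__':
    # constructed sample of what a mail client might send before login
    sample = 'a023 ID ("name" "Thunderbird" "version" "24.0" "os" NIL)'
    print(parse_id_command(sample))
    print(server_reply('a023'), end='')
```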
@@ -209,7 +209,7 @@ typedef struct { ngx_uint_t mail_state; - unsigned protocol:3; + unsigned protocol:2; unsigned blocked:1; unsigned quit:1; unsigned quoted:1; -------------- next part -------------- A non-text attachment was scrubbed... Name: 5558.diff Type: text/x-patch Size: 783 bytes Desc: not available URL: From mdounin at mdounin.ru Mon Feb 10 10:09:08 2014 From: mdounin at mdounin.ru (Maxim Dounin) Date: Mon, 10 Feb 2014 14:09:08 +0400 Subject: [PATCH] Mail: ngx_mail_session_t 'protocol' field resize In-Reply-To: <9e519ec4328ab9b8dd06.1392022971@HPC> References: <9e519ec4328ab9b8dd06.1392022971@HPC> Message-ID: <20140210100908.GB1835@mdounin.ru> Hello! On Mon, Feb 10, 2014 at 10:02:51AM +0100, Filipe da Silva wrote: > # HG changeset patch > # User Filipe da Silva > # Date 1389727364 -3600 > # Tue Jan 14 20:22:44 2014 +0100 > # Node ID 9e519ec4328ab9b8dd0639e1f9321f62f9bce287 > # Parent 188481078faf4b2bff88a4086d6d509730f90099 > Mail: ngx_mail_session_t 'protocol' field resize > > As possible values are NGX_MAIL_*_PROTOCOL(0,1,2) > > diff -r 188481078faf -r 9e519ec4328a src/mail/ngx_mail.h > --- a/src/mail/ngx_mail.h Mon Feb 03 14:17:17 2014 -0800 > +++ b/src/mail/ngx_mail.h Tue Jan 14 20:22:44 2014 +0100 > @@ -209,7 +209,7 @@ typedef struct { > > ngx_uint_t mail_state; > > - unsigned protocol:3; > + unsigned protocol:2; > unsigned blocked:1; > unsigned quit:1; > unsigned quoted:1; No, please. In theory, more protocols can be added by addon modules. And there is no real difference in practice as there is padding after bit fields anyway. -- Maxim Dounin http://nginx.org/ From ru at nginx.com Mon Feb 10 12:43:18 2014 
From: ru at nginx.com (Ruslan Ermilov) Date: Mon, 10 Feb 2014 12:43:18 +0000 Subject: [nginx] Range filter: fixed duplicate charset. Message-ID: details: http://hg.nginx.org/nginx/rev/eeb3c2719147 branches: changeset: 5558:eeb3c2719147 user: Ruslan Ermilov date: Tue Feb 04 17:13:35 2014 +0400 description: Range filter: fixed duplicate charset. If a proxied response had charset in Content-Type, the charset was duplicated in a response to client request with byte ranges. diffstat: src/http/modules/ngx_http_range_filter_module.c | 12 ++++++++---- 1 files changed, 8 insertions(+), 4 deletions(-) diffs (43 lines): diff -r 188481078faf -r eeb3c2719147 src/http/modules/ngx_http_range_filter_module.c --- a/src/http/modules/ngx_http_range_filter_module.c Mon Feb 03 14:17:17 2014 -0800 +++ b/src/http/modules/ngx_http_range_filter_module.c Tue Feb 04 17:13:35 2014 +0400 @@ -432,7 +432,9 @@ ngx_http_range_multipart_header(ngx_http + r->headers_out.content_type.len + sizeof(CRLF "Content-Range: bytes ") - 1; - if (r->headers_out.charset.len) { + if (r->headers_out.content_type_len == r->headers_out.content_type.len + && r->headers_out.charset.len) + { len += sizeof("; charset=") - 1 + r->headers_out.charset.len; } @@ -451,7 +453,9 @@ ngx_http_range_multipart_header(ngx_http * "Content-Range: bytes " */ - if (r->headers_out.charset.len) { + if (r->headers_out.content_type_len == r->headers_out.content_type.len + && r->headers_out.charset.len) + { ctx->boundary_header.len = ngx_sprintf(ctx->boundary_header.data, CRLF "--%0muA" CRLF "Content-Type: %V; charset=%V" CRLF @@ -461,8 +465,6 @@ ngx_http_range_multipart_header(ngx_http &r->headers_out.charset) - ctx->boundary_header.data; - r->headers_out.charset.len = 0; - } else if (r->headers_out.content_type.len) { ctx->boundary_header.len = ngx_sprintf(ctx->boundary_header.data, CRLF "--%0muA" CRLF 
@@ -501,6 +503,8 @@ ngx_http_range_multipart_header(ngx_http r->headers_out.content_type_len = r->headers_out.content_type.len; + r->headers_out.charset.len = 0; + /* the size of the last boundary CRLF "--0123456789--" CRLF */ len = sizeof(CRLF "--") - 1 + NGX_ATOMIC_T_LEN + sizeof("--" CRLF) - 1; From flevionnois at gmail.com Mon Feb 10 13:08:52 2014 From: flevionnois at gmail.com (Franck Levionnois) Date: Mon, 10 Feb 2014 14:08:52 +0100 Subject: [PATCH] Mail: added support for SSL client certificate In-Reply-To: <20140128141852.GA1835@mdounin.ru> References: <9dc48eeb8e5cb022676d.1390639629@HPC> <20140128141852.GA1835@mdounin.ru> Message-ID: Hello, I've just seen that my previous mail was sent with wrong mail address, and without mail copies. I answer on the thread with the good one, and add some clarifications. 2014-01-28 15:18 GMT+01:00 Maxim Dounin : > Hello! > > On Sat, Jan 25, 2014 at 09:47:09AM +0100, Filipe da Silva wrote: > > > # HG changeset patch > > # User Franck Levionnois > > # Date 1390577176 -3600 > > # Fri Jan 24 16:26:16 2014 +0100 > > # Node ID 9dc48eeb8e5cb022676dbbe56e3435d20e822ab3 > > # Parent a387ce36744aa36b50e8171dbf01ef716748327e > > Mail: added support for SSL client certificate. > > > > Add support for SSL Mutual Authentification like in HTTP module. > > > > Added mail configuration directives (like http): > > ssl_verify_client, ssl_verify_depth, ssl_client_certificate, > ssl_trusted_certificate, ssl_crl > > > > Added headers: > > Auth-Certificate, Auth-Certificate-Verify, Auth-Issuer-DN, > Auth-Subject-DN, Auth-Subject-Serial > > Please limit commit logs line lengths to 80 chars, much like in > the code. > > > > > diff -r a387ce36744a -r 9dc48eeb8e5c src/mail/ngx_mail_auth_http_module.c > > --- a/src/mail/ngx_mail_auth_http_module.c Thu Jan 23 22:09:59 2014 > +0900 > > +++ b/src/mail/ngx_mail_auth_http_module.c Fri Jan 24 16:26:16 2014 > +0100 
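Review bot: in the ngx_http_range_multipart_header() hunks of changeset eeb3c2719147 the condition `content_type_len == content_type.len && charset.len` is spelled out twice, once when computing `len` and once in front of the ngx_sprintf() call, and the two copies must stay identical or the buffer sized by the first will not fit the output of the second; compute it once into a local flag, with a one-line comment that a content_type_len shorter than content_type.len means the charset is already embedded in Content-Type (the duplicated-charset case the description fixes), so the invariant is explicit.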
> > @@ -1135,6 +1135,35 @@ ngx_mail_auth_http_dummy_handler(ngx_eve > > "mail auth http dummy handler"); > > } > > > > +#if (NGX_MAIL_SSL) > > + > > +static ngx_int_t > > After Filipe's cleanup it looks much better than what was > originally submitted by Franck (thanks Filipe!), but there are > still lots of style problems. > > > +ngx_ssl_get_certificate_oneline(ngx_connection_t *c, ngx_pool_t *pool, > > + ngx_str_t *b64_cert) > > +{ > > + ngx_str_t pem_cert; > > + if (ngx_ssl_get_raw_certificate(c, pool, &pem_cert) != NGX_OK) { > > + return NGX_ERROR; > > + } > > + > > + if (pem_cert.len == 0) { > > + b64_cert->len = 0; > > + return NGX_OK; > > + } > > + > > + b64_cert->len = ngx_base64_encoded_length(pem_cert.len); > > + b64_cert->data = ngx_palloc(pool, b64_cert->len); > > + if (b64_cert->data == NULL) { > > + b64_cert->len = 0; > > + return NGX_ERROR; > > + } > > + ngx_encode_base64(b64_cert, &pem_cert); > > Using a raw certificate escaped as other Auth-* headers may > be a better idea than inventing another method to pass things. > Base64 encoding of base64 encoded data looks especially strange. > :) > Base64 encoding of the PEM certificate may look strange, but it is done for compatibility with other reverse proxies like F5 BigIp. It is also possible to simply remove the PEM header / footer and carriage returns (as another reverse proxy does). The function "ngx_ssl_get_certificate" almost does the work, but it leaves the headers, and replaces carriage returns by tabulations. Modifying this one to remove the headers may have some consequences. Although I would have preferred not to have the headers, I think I can do with it, if you think this is better than adding a third function to get the ssl client certificate. > [...] > > > +#if (NGX_MAIL_SSL) > > + if (s->connection->ssl) { > > + if (ngx_ssl_get_client_verify(s->connection, pool, > > + &client_verify) != NGX_OK) { > > + return NULL; > > + } > > The "client_" prefix looks unneeded. 
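Review bot: in ngx_ssl_get_certificate_oneline(), the `pem_cert.len == 0` branch sets `b64_cert->len = 0` but leaves `b64_cert->data` untouched, so the caller receives a zero-length string with an indeterminate pointer; setting `data` to NULL as well (the ngx_str_null() pattern) protects callers that test the pointer rather than the length. The same applies to the `ngx_palloc()` failure branch. Style-wise, nginx separates the declaration block from code with a blank line, and `ngx_str_t pem_cert;` is followed directly by the `if`; this is one of the style points already raised.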
> > > + > > + if (ngx_ssl_get_subject_dn(s->connection, pool, > > + &client_subject) != NGX_OK) { > > + return NULL; > > + } > > + > > + if (ngx_ssl_get_issuer_dn(s->connection, pool, > > + &client_issuer) != NGX_OK) { > > + return NULL; > > + } > > + > > + if (ngx_ssl_get_serial_number(s->connection, pool, > > + &client_serial) != NGX_OK) { > > + return NULL; > > + } > > One of questions left open during Sven Peter's patch review was > whether subject/issuer can contain CR/LF and require escaping. > The code here suggests they can't. I would like to know if it was > actually checked. > > It would be also cool to get Sven's review of the code (and/or his > own patch improved instead if he isn't happy with one from > Franck). Added Sven to Cc. > > Subject and Issuer DN may contain special chars, but the "X509_NAME_oneline" function escapes every char outside the " " -> "~" range (in the ASCII table). This is the function used by "ngx_ssl_get_subject_dn" and "ngx_ssl_get_issuer_dn" to get the DN. This is a sample output from the function for a DN with carriage returns: Issuer: /C=FR/ST=Some-State \x0D\x0A\x0D\x0A\x0D\x0Atest/ L=Paris/OU=An\x0D\x0Aign/CN=Autorite de certification Even if I've never seen Distinguished Names with carriage returns, I haven't seen such a limitation in RFC 3280 / X500. RFC 2253 shows a sample of a distinguished name with a carriage return. > [...] > > -- > Maxim Dounin > http://nginx.org/ > > _______________________________________________ > nginx-devel mailing list > nginx-devel at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx-devel > Kind regards. Franck. From mdounin at mdounin.ru Mon Feb 10 13:36:38 2014 
From: mdounin at mdounin.ru (Maxim Dounin) Date: Mon, 10 Feb 2014 13:36:38 +0000 Subject: [nginx] Version bump. Message-ID: details: http://hg.nginx.org/nginx/rev/f1621a2b92d0 branches: stable-1.4 changeset: 5559:f1621a2b92d0 user: Maxim Dounin date: Thu Feb 06 20:49:12 2014 +0400 description: Version bump. diffstat: src/core/nginx.h | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diffs (14 lines): diff --git a/src/core/nginx.h b/src/core/nginx.h --- a/src/core/nginx.h +++ b/src/core/nginx.h @@ -9,8 +9,8 @@ #define _NGINX_H_INCLUDED_ -#define nginx_version 1004004 -#define NGINX_VERSION "1.4.4" +#define nginx_version 1004005 +#define NGINX_VERSION "1.4.5" #define NGINX_VER "nginx/" NGINX_VERSION #define NGINX_VAR "NGINX" From mdounin at mdounin.ru Mon Feb 10 13:36:39 2014 From: mdounin at mdounin.ru (Maxim Dounin) Date: Mon, 10 Feb 2014 13:36:39 +0000 Subject: [nginx] Win32: plugged memory leak. Message-ID: details: http://hg.nginx.org/nginx/rev/fd77e2018652 branches: stable-1.4 changeset: 5560:fd77e2018652 user: Maxim Dounin date: Thu Oct 31 18:23:49 2013 +0400 description: Win32: plugged memory leak. diffstat: src/os/win32/ngx_files.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diffs (12 lines): diff --git a/src/os/win32/ngx_files.c b/src/os/win32/ngx_files.c --- a/src/os/win32/ngx_files.c +++ b/src/os/win32/ngx_files.c @@ -753,6 +753,8 @@ ngx_win32_check_filename(u_char *name, u goto invalid; } + ngx_free(lu); + return NGX_OK; invalid: From mdounin at mdounin.ru Mon Feb 10 13:36:41 2014 
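Review bot: in the Win32 hunk, the added `ngx_free(lu)` sits only on the success path before `return NGX_OK`; the `goto invalid` immediately above the addition jumps past it, and the lines after the `invalid:` label are outside the hunk, so it should be confirmed that `lu` is also released on that path, otherwise the leak is plugged only for valid file names. If it is not, moving the `ngx_free(lu)` into a common exit block reached from both paths is the simplest fix.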
From: mdounin at mdounin.ru (Maxim Dounin) Date: Mon, 10 Feb 2014 13:36:41 +0000 Subject: [nginx] SSL: fixed c->read->ready handling in ngx_ssl_recv(). Message-ID: details: http://hg.nginx.org/nginx/rev/35b00bcf72fe branches: stable-1.4 changeset: 5561:35b00bcf72fe user: Maxim Dounin date: Fri Nov 29 17:16:06 2013 +0400 description: SSL: fixed c->read->ready handling in ngx_ssl_recv(). If c->read->ready was reset, but later some data were read from a socket buffer due to a call to ngx_ssl_recv(), the c->read->ready flag should be restored if not all data were read from OpenSSL buffers (as kernel won't notify us about the data anymore). More details are available here: http://mailman.nginx.org/pipermail/nginx/2013-November/041178.html diffstat: src/event/ngx_event_openssl.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) diffs (22 lines): diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c --- a/src/event/ngx_event_openssl.c +++ b/src/event/ngx_event_openssl.c @@ -965,6 +965,7 @@ ngx_ssl_recv(ngx_connection_t *c, u_char size -= n; if (size == 0) { + c->read->ready = 1; return bytes; } @@ -974,6 +975,10 @@ ngx_ssl_recv(ngx_connection_t *c, u_char } if (bytes) { + if (c->ssl->last != NGX_AGAIN) { + c->read->ready = 1; + } + return bytes; } From mdounin at mdounin.ru Mon Feb 10 13:36:42 2014 From: mdounin at mdounin.ru (Maxim Dounin) Date: Mon, 10 Feb 2014 13:36:42 +0000 Subject: [nginx] Request body: fixed r->count increment on allocation fai... Message-ID: details: http://hg.nginx.org/nginx/rev/4196ea50004a branches: stable-1.4 changeset: 5562:4196ea50004a user: Maxim Dounin date: Sat May 11 18:49:19 2013 +0400 description: Request body: fixed r->count increment on allocation failure. diffstat: src/http/ngx_http_request_body.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diffs (13 lines): diff --git a/src/http/ngx_http_request_body.c b/src/http/ngx_http_request_body.c --- a/src/http/ngx_http_request_body.c 
+++ b/src/http/ngx_http_request_body.c @@ -152,7 +152,8 @@ ngx_http_read_client_request_body(ngx_ht cl = ngx_chain_get_free_buf(r->pool, &rb->free); if (cl == NULL) { - return NGX_HTTP_INTERNAL_SERVER_ERROR; + rc = NGX_HTTP_INTERNAL_SERVER_ERROR; + goto done; } b = cl->buf; From mdounin at mdounin.ru Mon Feb 10 13:36:43 2014 From: mdounin at mdounin.ru (Maxim Dounin) Date: Mon, 10 Feb 2014 13:36:43 +0000 Subject: [nginx] Fixed "zero size buf in output" alerts. Message-ID: details: http://hg.nginx.org/nginx/rev/3b7463b08747 branches: stable-1.4 changeset: 5563:3b7463b08747 user: Maxim Dounin date: Sat Jan 04 03:32:22 2014 +0400 description: Fixed "zero size buf in output" alerts. If a request had an empty request body (with Content-Length: 0), and there were preread data available (e.g., due to a pipelined request in the buffer), the "zero size buf in output" alert might be logged while proxying the request to an upstream. Similar alerts appeared with client_body_in_file_only if a request had an empty request body. diffstat: src/http/ngx_http_request_body.c | 70 ++++++++++++++++++++++++--------------- 1 files changed, 43 insertions(+), 27 deletions(-) diffs (96 lines): diff --git a/src/http/ngx_http_request_body.c b/src/http/ngx_http_request_body.c --- a/src/http/ngx_http_request_body.c +++ b/src/http/ngx_http_request_body.c 
@@ -150,21 +150,27 @@ ngx_http_read_client_request_body(ngx_ht goto done; } - cl = ngx_chain_get_free_buf(r->pool, &rb->free); - if (cl == NULL) { - rc = NGX_HTTP_INTERNAL_SERVER_ERROR; - goto done; + if (rb->temp_file->file.offset != 0) { + + cl = ngx_chain_get_free_buf(r->pool, &rb->free); + if (cl == NULL) { + rc = NGX_HTTP_INTERNAL_SERVER_ERROR; + goto done; + } + + b = cl->buf; + + ngx_memzero(b, sizeof(ngx_buf_t)); + + b->in_file = 1; + b->file_last = rb->temp_file->file.offset; + b->file = &rb->temp_file->file; + + rb->bufs = cl; + + } else { + rb->bufs = NULL; } - - b = cl->buf; - - ngx_memzero(b, sizeof(ngx_buf_t)); - - b->in_file = 1; - b->file_last = rb->temp_file->file.offset; - b->file = &rb->temp_file->file; - - rb->bufs = cl; } post_handler(r); @@ -375,20 +381,26 @@ ngx_http_do_read_client_request_body(ngx return NGX_HTTP_INTERNAL_SERVER_ERROR; } - cl = ngx_chain_get_free_buf(r->pool, &rb->free); - if (cl == NULL) { - return NGX_HTTP_INTERNAL_SERVER_ERROR; + if (rb->temp_file->file.offset != 0) { + + cl = ngx_chain_get_free_buf(r->pool, &rb->free); + if (cl == NULL) { + return NGX_HTTP_INTERNAL_SERVER_ERROR; + } + + b = cl->buf; + + ngx_memzero(b, sizeof(ngx_buf_t)); + + b->in_file = 1; + b->file_last = rb->temp_file->file.offset; + b->file = &rb->temp_file->file; + + rb->bufs = cl; + + } else { + rb->bufs = NULL; } - - b = cl->buf; - - ngx_memzero(b, sizeof(ngx_buf_t)); - - b->in_file = 1; - b->file_last = rb->temp_file->file.offset; - b->file = &rb->temp_file->file; - - rb->bufs = cl; } r->read_event_handler = ngx_http_block_reading; @@ -843,6 +855,10 @@ ngx_http_request_body_length_filter(ngx_ for (cl = in; cl; cl = cl->next) { + if (rb->rest == 0) { + break; + } + tl = ngx_chain_get_free_buf(r->pool, &rb->free); if (tl == NULL) { return NGX_HTTP_INTERNAL_SERVER_ERROR; From mdounin at mdounin.ru Mon Feb 10 13:36:45 2014 
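Review bot: the temp-file buffer setup (`ngx_chain_get_free_buf()`, `ngx_memzero()`, `in_file`, `file_last`, `file`, then `rb->bufs = cl`) is now duplicated verbatim in the first two hunks, ngx_http_read_client_request_body() and ngx_http_do_read_client_request_body(), each wrapped in the same `if (rb->temp_file->file.offset != 0)` test with the same `rb->bufs = NULL` else branch; a small static helper returning the chain (or NULL on allocation failure) would keep the two in sync and halve the chance of the next fix landing in only one of them. In the third hunk, the new `if (rb->rest == 0) { break; }` leaves the remaining `in` buffers unconsumed; a comment at that line saying that those bytes are preread data for the next pipelined request (as the commit log describes) would stop a later reader from mistaking this for dropped input.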
From: mdounin at mdounin.ru (Maxim Dounin) Date: Mon, 10 Feb 2014 13:36:45 +0000 Subject: [nginx] Year 2014. Message-ID: details: http://hg.nginx.org/nginx/rev/7e38aafc0342 branches: stable-1.4 changeset: 5564:7e38aafc0342 user: Valentin Bartenev date: Tue Jan 14 16:24:02 2014 +0400 description: Year 2014. diffstat: docs/text/LICENSE | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diffs (12 lines): diff --git a/docs/text/LICENSE b/docs/text/LICENSE --- a/docs/text/LICENSE +++ b/docs/text/LICENSE @@ -1,6 +1,6 @@ /* - * Copyright (C) 2002-2013 Igor Sysoev - * Copyright (C) 2011-2013 Nginx, Inc. + * Copyright (C) 2002-2014 Igor Sysoev + * Copyright (C) 2011-2014 Nginx, Inc. * All rights reserved. * * Redistribution and use in source and binary forms, with or without From mdounin at mdounin.ru Mon Feb 10 13:36:46 2014 From: mdounin at mdounin.ru (Maxim Dounin) Date: Mon, 10 Feb 2014 13:36:46 +0000 Subject: [nginx] SPDY: fixed possible segfault. Message-ID: details: http://hg.nginx.org/nginx/rev/b8e6297358b5 branches: stable-1.4 changeset: 5565:b8e6297358b5 user: Valentin Bartenev date: Wed Jan 22 04:58:19 2014 +0400 description: SPDY: fixed possible segfault. While processing a DATA frame, the link to related stream is stored in spdy connection object as part of connection state. But this stream can be closed between receiving parts of the frame. diffstat: src/http/ngx_http_spdy.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) diffs (14 lines): diff --git a/src/http/ngx_http_spdy.c b/src/http/ngx_http_spdy.c --- a/src/http/ngx_http_spdy.c +++ b/src/http/ngx_http_spdy.c @@ -2626,6 +2626,10 @@ ngx_http_spdy_close_stream(ngx_http_spdy } } + if (sc->stream == stream) { + sc->stream = NULL; + } + sscf = ngx_http_get_module_srv_conf(sc->http_connection->conf_ctx, ngx_http_spdy_module); From mdounin at mdounin.ru Mon Feb 10 13:36:47 2014 
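Review bot: in the SPDY hunk, clearing `sc->stream` when the stream being closed is the one held in the connection state is the right fix for the race the commit log describes, but it relies on the DATA-frame continuation code that reads `sc->stream` (not in this hunk) tolerating a NULL there, i.e. discarding the remainder of the frame rather than dereferencing the pointer; that should be confirmed, and a short comment at the new block naming that consumer would make the coupling visible to anyone changing either side later.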
From: mdounin at mdounin.ru (Maxim Dounin) Date: Mon, 10 Feb 2014 13:36:47 +0000 Subject: [nginx] SSL: fixed $ssl_session_id variable. Message-ID: details: http://hg.nginx.org/nginx/rev/70f4d99ded41 branches: stable-1.4 changeset: 5566:70f4d99ded41 user: Maxim Dounin date: Wed Jan 22 16:05:06 2014 +0400 description: SSL: fixed $ssl_session_id variable. Previously, it used to contain full session serialized instead of just a session id, making it almost impossible to use the variable in a safe way. Thanks to Ivan Ristić. diffstat: src/event/ngx_event_openssl.c | 16 +++------------- 1 files changed, 3 insertions(+), 13 deletions(-) diffs (39 lines): diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c --- a/src/event/ngx_event_openssl.c +++ b/src/event/ngx_event_openssl.c @@ -2229,32 +2229,22 @@ ngx_int_t ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) { int len; - u_char *p, *buf; + u_char *buf; SSL_SESSION *sess; sess = SSL_get0_session(c->ssl->connection); - len = i2d_SSL_SESSION(sess, NULL); - - buf = ngx_alloc(len, c->log); - if (buf == NULL) { - return NGX_ERROR; - } + buf = sess->session_id; + len = sess->session_id_length; s->len = 2 * len; s->data = ngx_pnalloc(pool, 2 * len); if (s->data == NULL) { - ngx_free(buf); return NGX_ERROR; } - p = buf; - i2d_SSL_SESSION(sess, &p); - ngx_hex_dump(s->data, buf, len); - ngx_free(buf); - return NGX_OK; } From mdounin at mdounin.ru Mon Feb 10 13:36:49 2014 
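Review bot: `sess` is dereferenced (`buf = sess->session_id;`) without a NULL check, and SSL_get0_session() returns NULL when no session is established on the connection (renegotiation is one such moment); the removed i2d_SSL_SESSION() path had the same latent problem, but since the variable now no longer leaks the full serialized session (which contained the master key) it will be logged far more widely, so the NULL case should return an empty string rather than crash the worker. Separately, reading `session_id` and `session_id_length` directly depends on the SSL_SESSION struct layout; SSL_SESSION_get_id() returns the same pointer and length through the public API and would survive the struct becoming opaque.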
From: mdounin at mdounin.ru (Maxim Dounin) Date: Mon, 10 Feb 2014 13:36:49 +0000 Subject: [nginx] SSL: fixed $ssl_session_id possible segfault after 97e37... Message-ID: details: http://hg.nginx.org/nginx/rev/5a38f9609d85 branches: stable-1.4 changeset: 5567:5a38f9609d85 user: Maxim Dounin date: Thu Jan 23 18:32:26 2014 +0400 description: SSL: fixed $ssl_session_id possible segfault after 97e3769637a7. Even during execution of a request it is possible that there will be no session available, notably in case of renegotiation. As a result logging of $ssl_session_id in some cases caused NULL pointer dereference after revision 97e3769637a7 (1.5.9). The check added returns an empty string if there is no session available. diffstat: src/event/ngx_event_openssl.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) diffs (14 lines): diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c --- a/src/event/ngx_event_openssl.c +++ b/src/event/ngx_event_openssl.c @@ -2233,6 +2233,10 @@ ngx_ssl_get_session_id(ngx_connection_t SSL_SESSION *sess; sess = SSL_get0_session(c->ssl->connection); + if (sess == NULL) { + s->len = 0; + return NGX_OK; + } buf = sess->session_id; len = sess->session_id_length; From mdounin at mdounin.ru Mon Feb 10 13:36:50 2014 
From: mdounin at mdounin.ru (Maxim Dounin) Date: Mon, 10 Feb 2014 13:36:50 +0000 Subject: [nginx] Upstream: reading from a client after connection upgrade. Message-ID: details: http://hg.nginx.org/nginx/rev/560de9681661 branches: stable-1.4 changeset: 5568:560de9681661 user: Maxim Dounin date: Wed Jan 22 16:05:07 2014 +0400 description: Upstream: reading from a client after connection upgrade. Read event on a client connection might have been disabled during previous processing, and we at least need to handle events. Calling ngx_http_upstream_process_upgraded() is the simplest way to do it. Notably this change is needed for select, poll and /dev/poll event methods. Previous version of this patch was posted here: http://mailman.nginx.org/pipermail/nginx/2014-January/041839.html diffstat: src/http/ngx_http_upstream.c | 6 +----- 1 files changed, 1 insertions(+), 5 deletions(-) diffs (16 lines): diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c --- a/src/http/ngx_http_upstream.c +++ b/src/http/ngx_http_upstream.c @@ -2459,11 +2459,7 @@ ngx_http_upstream_upgrade(ngx_http_reque ngx_http_upstream_process_upgraded(r, 1, 1); } - if (c->read->ready - || r->header_in->pos != r->header_in->last) - { - ngx_http_upstream_process_upgraded(r, 0, 1); - } + ngx_http_upstream_process_upgraded(r, 0, 1); } From mdounin at mdounin.ru Mon Feb 10 13:36:51 2014 
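Review bot: the removed `c->read->ready || r->header_in->pos != r->header_in->last` guard was the only thing that skipped the call when nothing was pending; with `ngx_http_upstream_process_upgraded(r, 0, 1)` now unconditional, the correctness of the hunk rests on that function (not shown here) handling a not-ready read event by re-arming it with ngx_handle_read_event() and returning, which is exactly what the commit log says the level-triggered methods (select, poll, /dev/poll) were missing. Worth stating in a one-line comment at the call site, since a reader of this function alone will wonder why the preread check disappeared.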
From: mdounin at mdounin.ru (Maxim Dounin) Date: Mon, 10 Feb 2014 13:36:51 +0000 Subject: [nginx] Fixed TCP_DEFER_ACCEPT handling (ticket #353). Message-ID: details: http://hg.nginx.org/nginx/rev/462ae7eedc68 branches: stable-1.4 changeset: 5569:462ae7eedc68 user: Maxim Dounin date: Tue Jan 28 15:40:46 2014 +0400 description: Fixed TCP_DEFER_ACCEPT handling (ticket #353). Backed out 05a56ebb084a, as it turns out that kernel can return connections without any delay if syncookies are used. This basically means we can't assume anything about connections returned with deferred accept set. To solve original problem the 05a56ebb084a tried to solve, i.e. not to wait longer than needed if a connection was accepted after deferred accept timeout, this patch changes a timeout set with setsockopt(TCP_DEFER_ACCEPT) to 1 second, unconditionally. This is believed to be enough for speed improvements, and doesn't imply major changes to timeouts used. Note that before 2.6.32 connections were dropped after a timeout. Though it is believed that 1s is still appropriate for kernels before 2.6.32, as previously tcp_synack_retries controlled the actual timeout and 1s results in more than 1 minute actual timeout by default. diffstat: src/core/ngx_connection.c | 8 +++++++- src/http/ngx_http_request.c | 23 ----------------------- 2 files changed, 7 insertions(+), 24 deletions(-) diffs (58 lines): diff --git a/src/core/ngx_connection.c b/src/core/ngx_connection.c --- a/src/core/ngx_connection.c +++ b/src/core/ngx_connection.c @@ -647,7 +647,13 @@ ngx_configure_listening_sockets(ngx_cycl if (ls[i].add_deferred || ls[i].delete_deferred) { if (ls[i].add_deferred) { - timeout = (int) (ls[i].post_accept_timeout / 1000); + /* + * There is no way to find out how long a connection was + * in queue (and a connection may bypass deferred queue at all + * if syncookies were used), hence we use 1 second timeout + * here. + */ + timeout = 1; } else { timeout = 0; 
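Review bot: `timeout = 1;` is a magic number in ngx_configure_listening_sockets(); the comment above it explains the reasoning well enough, but the user-visible consequence is not recorded anywhere: the removed line shows that `ls[i].post_accept_timeout` used to drive the kernel-side TCP_DEFER_ACCEPT timer, and after this change it only drives the userland timer armed in ngx_http_wait_request_handler(). The `deferred` listen parameter documentation should say that the kernel timer is now a fixed 1 second, so operators tuning the header timeout do not expect it to affect deferred accept any more.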
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c --- a/src/http/ngx_http_request.c +++ b/src/http/ngx_http_request.c @@ -423,20 +423,6 @@ ngx_http_wait_request_handler(ngx_event_ if (n == NGX_AGAIN) { -#if (NGX_HAVE_DEFERRED_ACCEPT && defined TCP_DEFER_ACCEPT) - if (c->listening->deferred_accept -#if (NGX_HTTP_SSL) - && c->ssl == NULL -#endif - ) - { - ngx_log_error(NGX_LOG_INFO, c->log, NGX_ETIMEDOUT, - "client timed out in deferred accept"); - ngx_http_close_connection(c); - return; - } -#endif - if (!rev->timer_set) { ngx_add_timer(rev, c->listening->post_accept_timeout); ngx_reusable_connection(c, 1); @@ -635,15 +621,6 @@ ngx_http_ssl_handshake(ngx_event_t *rev) if (n == -1) { if (err == NGX_EAGAIN) { -#if (NGX_HAVE_DEFERRED_ACCEPT && defined TCP_DEFER_ACCEPT) - if (c->listening->deferred_accept) { - ngx_log_error(NGX_LOG_INFO, c->log, NGX_ETIMEDOUT, - "client timed out in deferred accept"); - ngx_http_close_connection(c); - return; - } -#endif - if (!rev->timer_set) { ngx_add_timer(rev, c->listening->post_accept_timeout); ngx_reusable_connection(c, 1); From mdounin at mdounin.ru Mon Feb 10 13:36:53 2014 From: mdounin at mdounin.ru (Maxim Dounin) Date: Mon, 10 Feb 2014 13:36:53 +0000 Subject: [nginx] Updated OpenSSL used for win32 builds. Message-ID: details: http://hg.nginx.org/nginx/rev/64d4837c9541 branches: stable-1.4 changeset: 5570:64d4837c9541 user: Maxim Dounin date: Wed Jan 22 16:10:13 2014 +0400 description: Updated OpenSSL used for win32 builds. diffstat: misc/GNUmakefile | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diffs (12 lines): diff --git a/misc/GNUmakefile b/misc/GNUmakefile --- a/misc/GNUmakefile +++ b/misc/GNUmakefile @@ -5,7 +5,7 @@ NGINX = nginx-$(VER) TEMP = tmp OBJS = objs.msvc8 -OPENSSL = openssl-1.0.1e +OPENSSL = openssl-1.0.1f ZLIB = zlib-1.2.8 PCRE = pcre-8.32 From sorin.v.manole at gmail.com Mon Feb 10 20:32:15 2014 
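Review bot: the misc/GNUmakefile hunk moves the win32 build from openssl-1.0.1e to openssl-1.0.1f, but the commit log says only "Updated OpenSSL used for win32 builds"; 1.0.1f is a security fix release of OpenSSL (January 2014), and the log (and ideally the 1.4.5 changes entry) should say so, so that users of the prebuilt win32 binaries can tell the rebuild matters and is not a cosmetic version bump.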
From: sorin.v.manole at gmail.com (Sorin Manole) Date: Mon, 10 Feb 2014 22:32:15 +0200 Subject: proxy_pass without buffering and request filter question In-Reply-To: References: Message-ID: Thanks a lot, Weibin. Your patches help me a lot, though even now, I can't say I understand everything. It would be impossible to do something like that right without having a good grasp on the nginx internals. Did you use these in production by the way? Also, to the nginx creators. The same question still stands: is there a reason a patch like this isn't integrated into the mainline? Thank you. 2014-02-06 15:06 GMT+02:00 Weibin Yao : > You may look at the patch I wrote as an example > (http://yaoweibin.cn/patches/). Thank you. > > 2014-02-05 23:33 GMT+08:00 Sorin Manole : > > Hello fellow nginxers, > > > > From searching the Internet I gathered that proxying requests to a backend > > without buffering the whole body wasn't available at the time the question > > was asked. Is this still the case? > > If yes, is this a limitation of the nginx core (lack of implementation of a > > phase for request body processing) or of the proxy_pass module or of the > > upstream module? > > Could you give some more details of the limitation and whether the reason > > for it still not being implemented is the lack of user requests or the > > technical difficulty? > > More specifically, how feasible do you think it would be for someone (like > > me) to do this? Does it involve significant changes to the current design? > > > > Thank you, > > Sorin. 
> > > > -- > Weibin Yao > Developer @ Server Platform Team of Taobao From mdounin at mdounin.ru Tue Feb 11 10:34:40 2014 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 11 Feb 2014 14:34:40 +0400 Subject: proxy_pass without buffering and request filter question In-Reply-To: References: Message-ID: <20140211103440.GI1835@mdounin.ru> Hello! On Mon, Feb 10, 2014 at 10:32:15PM +0200, Sorin Manole wrote: > Thanks a lot, Weibin. Your patches help me a lot, though even now, I can't > say I understand everything. It would be impossible to do something like > that right without having a good grasp on the nginx internals. Did you use > these in production by the way? > > Also, to the nginx creators. The same question still stands: is there a > reason a patch like this isn't integrated into the mainline? http://mailman.nginx.org/pipermail/nginx/2013-December/041532.html -- Maxim Dounin http://nginx.org/ From mdounin at mdounin.ru Tue Feb 11 12:41:46 2014 
From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 11 Feb 2014 16:41:46 +0400 Subject: [PATCH] Mail: added support for SSL client certificate In-Reply-To: References: <9dc48eeb8e5cb022676d.1390639629@HPC> <20140128141852.GA1835@mdounin.ru> Message-ID: <20140211124146.GQ1835@mdounin.ru> Hello! On Mon, Feb 10, 2014 at 02:08:52PM +0100, Franck Levionnois wrote: > > > + b64_cert->len = ngx_base64_encoded_length(pem_cert.len); > > > + b64_cert->data = ngx_palloc(pool, b64_cert->len); > > > + if (b64_cert->data == NULL) { > > > + b64_cert->len = 0; > > > + return NGX_ERROR; > > > + } > > > + ngx_encode_base64(b64_cert, &pem_cert); > > > > Using a raw certificate escaped as other Auth-* headers may > > be a better idea than inventing another method to pass things. > > Base64 encoding of base64 encoded data looks especially strange. > > :) > > > > Base64 encoding of the PEM certificate may look strange, but it is done > for compatibility with other reverse proxies like F5 BigIp. It is also > possible to simply remove the PEM header / footer and carriage returns (as > another reverse proxy does). While compatibility with 3rd party code is a good thing, I don't think that it should be done at the cost of consistency with other code. > > The function "ngx_ssl_get_certificate" almost does the work, but it leaves the > headers, and replaces carriage returns by tabulations. Modifying this one to > remove the headers may have some consequences. > Although I would have preferred not to have the headers, I think I can do > with it, if you think this is better than adding a third function to get the ssl > client certificate. The ngx_ssl_get_certificate() is for $ssl_client_cert variable in http[1], and it uses header continuation to make it possible to pass certificate to upstream servers. This approach doesn't work very well as header continuation isn't really supported nowadays (in particular, by nginx itself) and deprecated by HTTPbis, so it probably needs revision. 
But I don't think it's relevant to this case, as we already have escaping applied to other Auth-* headers, and it should be trivial for auth script to unescape certificates as well. [1] http://nginx.org/en/docs/http/ngx_http_ssl_module.html#variables [...] > > > + if (ngx_ssl_get_issuer_dn(s->connection, pool, > > > + &client_issuer) != NGX_OK) { > > > + return NULL; > > > + } > > > + > > > + if (ngx_ssl_get_serial_number(s->connection, pool, > > > + &client_serial) != NGX_OK) { > > > + return NULL; > > > + } > > > > One of questions left open during Sven Peter's patch review was > > whether subject/issuer can contain CR/LF and require escaping. > > The code here suggests they can't. I would like to know if it was > > actually checked. > > > > It would be also cool to get Sven's review of the code (and/or his > > own patch improved instead if he isn't happy with one from > > Franck). Added Sven to Cc. > > > > > Subject and Issuer DN may contain special chars, but the "X509_NAME_oneline" > function escapes every char outside the " " -> "~" range (in the ASCII table). > This is the function used by "ngx_ssl_get_subject_dn" and > "ngx_ssl_get_issuer_dn" to get the DN. > This is a sample output from the function for a DN with carriage returns: > Issuer: /C=FR/ST=Some-State \x0D\x0A\x0D\x0A\x0D\x0Atest/ > L=Paris/OU=An\x0D\x0Aign/CN=Autorite de certification > > Even if I've never seen Distinguished Names with carriage returns, I > haven't seen such a limitation in RFC 3280 / X500. > RFC 2253 shows a sample of a distinguished name with a carriage return. So escaping of CR/LF is already done by X509_NAME_oneline() and there is no need for an additional one, right? -- Maxim Dounin http://nginx.org/ From mdounin at mdounin.ru Tue Feb 11 13:31:53 2014 
From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 11 Feb 2014 13:31:53 +0000 Subject: [nginx] nginx-1.4.5-RELEASE Message-ID: details: http://hg.nginx.org/nginx/rev/844b2af1d65c branches: stable-1.4 changeset: 5571:844b2af1d65c user: Maxim Dounin date: Tue Feb 11 17:24:43 2014 +0400 description: nginx-1.4.5-RELEASE diffstat: docs/xml/nginx/changes.xml | 84 ++++++++++++++++++++++++++++++++++++++++++++++ 1 files changed, 84 insertions(+), 0 deletions(-) diffs (94 lines): diff --git a/docs/xml/nginx/changes.xml b/docs/xml/nginx/changes.xml --- a/docs/xml/nginx/changes.xml +++ b/docs/xml/nginx/changes.xml @@ -5,6 +5,90 @@ + + + + +?????????? $ssl_session_id ????????? ??? ?????? ? ??????????????? ???? +?????? ?? ??????????????.
+??????? Ivan Risti?. +
+ +the $ssl_session_id variable contained full session serialized +instead of just a session id.
+Thanks to Ivan Risti?. +
+
+ + + +?????????? ?????????? ????? ????? ???????????, +???? ????????????? ?????????? accept; +?????? ????????? ? 1.3.15. + + +client connections might be immediately closed +if deferred accept was used; +the bug had appeared in 1.3.15. + + + + + +??? ????????????? ? ????? ????? ?????????? ????????? "zero size buf in output"; +?????? ????????? ? 1.3.9. + + +alerts "zero size buf in output" might appear in logs while proxying; +the bug had appeared in 1.3.9. + + + + + +? ??????? ???????? ??? ????????? segmentation fault, +???? ????????????? ?????? ngx_http_spdy_module. + + +a segmentation fault might occur in a worker process +if the ngx_http_spdy_module was used. + + + + + +??? ????????????? ??????? ????????? ?????????? select, poll ? /dev/poll +???????????? WebSocket-?????????? ????? ???????? ????? ????? ????????. + + +proxied WebSocket connections might hang right after handshake +if the select, poll, or /dev/poll methods were used. + + + + + +??? ?????? ???? ??????? ? ?????????????? chunked transfer encoding +?? SSL-?????????? ??? ????????? ???????. + + +a timeout might occur while reading client request body +in an SSL connection using chunked transfer encoding. + + + + + +?????? ?????? ? nginx/Windows. + + +memory leak in nginx/Windows. + + + +
+ + From mdounin at mdounin.ru Tue Feb 11 13:31:54 2014 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 11 Feb 2014 13:31:54 +0000 Subject: [nginx] release-1.4.5 tag Message-ID: details: http://hg.nginx.org/nginx/rev/bbf43d63af4e branches: stable-1.4 changeset: 5572:bbf43d63af4e user: Maxim Dounin date: Tue Feb 11 17:24:43 2014 +0400 description: release-1.4.5 tag diffstat: .hgtags | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diffs (8 lines): diff --git a/.hgtags b/.hgtags --- a/.hgtags +++ b/.hgtags @@ -359,3 +359,4 @@ 0702de638a4c51123d7b97801d393e8e25eb48de 50f065641b4c52ced41fae1ce216c73aaf112306 release-1.4.2 69ffaca7795531e19f3827940cc28dca0b50d0b8 release-1.4.3 7e9543faf5f0a443ba605d9d483cf4721fae30a5 release-1.4.4 +844b2af1d65cbb143e8ecaa1c3ad9968f60d1882 release-1.4.5 From wangxiaochen0 at gmail.com Tue Feb 11 13:38:27 2014 From: wangxiaochen0 at gmail.com (Xiaochen Wang) Date: Tue, 11 Feb 2014 21:38:27 +0800 Subject: SPDY: fixed parsing of http version Message-ID: <20140211133827.GA6099@gmail.com> # HG changeset patch # User Xiaochen Wang # Date 1392123256 -28800 # Node ID d8d499624b0941a989e43538ac33aead31d55efb # Parent eeb3c27191471471ff8c3853d847399264498463 SPDY: fixed parsing of http version There is an error while parsing multi-digit minor version numbers (e.g. "HTTP/1.10"). diff -r eeb3c2719147 -r d8d499624b09 src/http/ngx_http_spdy.c --- a/src/http/ngx_http_spdy.c Tue Feb 04 17:13:35 2014 +0400 +++ b/src/http/ngx_http_spdy.c Tue Feb 11 20:54:16 2014 +0800 @@ -2794,6 +2794,10 @@ ch = *p; + if (ch == '.') { + break; + } + if (ch < '0' || ch > '9') { return NGX_HTTP_PARSE_INVALID_REQUEST; } From mdounin at mdounin.ru Tue Feb 11 16:21:07 2014 
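Review bot: in the ngx_http_spdy.c hunk, the new `if (ch == '.') { break; }` correctly ends the major-version digit run so that a multi-digit minor such as "HTTP/1.10" is no longer rejected, but the hunk shows no check that at least one digit preceded the '.' nor any bound on the number of digits accumulated in either component; the surrounding loop (outside the hunk) should be confirmed to reject "HTTP/.1"-style input and over-long digit runs with NGX_HTTP_PARSE_INVALID_REQUEST rather than parsing them as a version. Also, the hunk header `@@ -2794,6 +2794,10 @@` carries no function name; enabling `diff.showfunc` in hg (as the committed version shows, naming ngx_http_spdy_parse_version) makes review easier.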
From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 11 Feb 2014 16:21:07 +0000 Subject: [nginx] SSL: the $ssl_session_reused variable. Message-ID: details: http://hg.nginx.org/nginx/rev/7c05f6590753 branches: changeset: 5573:7c05f6590753 user: Maxim Dounin date: Tue Feb 11 19:20:25 2014 +0400 description: SSL: the $ssl_session_reused variable. diffstat: src/event/ngx_event_openssl.c | 14 ++++++++++++++ src/event/ngx_event_openssl.h | 2 ++ src/http/modules/ngx_http_ssl_module.c | 3 +++ 3 files changed, 19 insertions(+), 0 deletions(-) diffs (49 lines): diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c --- a/src/event/ngx_event_openssl.c +++ b/src/event/ngx_event_openssl.c @@ -2529,6 +2529,20 @@ ngx_ssl_get_session_id(ngx_connection_t ngx_int_t +ngx_ssl_get_session_reused(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) +{ + if (SSL_session_reused(c->ssl->connection)) { + ngx_str_set(s, "r"); + + } else { + ngx_str_set(s, "."); + } + + return NGX_OK; +} + + +ngx_int_t ngx_ssl_get_raw_certificate(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) { size_t len; diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h --- a/src/event/ngx_event_openssl.h +++ b/src/event/ngx_event_openssl.h @@ -157,6 +157,8 @@ ngx_int_t ngx_ssl_get_cipher_name(ngx_co ngx_str_t *s); ngx_int_t ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s); +ngx_int_t ngx_ssl_get_session_reused(ngx_connection_t *c, ngx_pool_t *pool, + ngx_str_t *s); ngx_int_t ngx_ssl_get_raw_certificate(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s); ngx_int_t ngx_ssl_get_certificate(ngx_connection_t *c, ngx_pool_t *pool, diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c --- a/src/http/modules/ngx_http_ssl_module.c +++ b/src/http/modules/ngx_http_ssl_module.c 
@@ -270,6 +270,9 @@ static ngx_http_variable_t ngx_http_ssl { ngx_string("ssl_session_id"), NULL, ngx_http_ssl_variable, (uintptr_t) ngx_ssl_get_session_id, NGX_HTTP_VAR_CHANGEABLE, 0 }, + { ngx_string("ssl_session_reused"), NULL, ngx_http_ssl_variable, + (uintptr_t) ngx_ssl_get_session_reused, NGX_HTTP_VAR_CHANGEABLE, 0 }, + { ngx_string("ssl_client_cert"), NULL, ngx_http_ssl_variable, (uintptr_t) ngx_ssl_get_certificate, NGX_HTTP_VAR_CHANGEABLE, 0 }, From mdounin at mdounin.ru Tue Feb 11 18:32:28 2014 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 11 Feb 2014 18:32:28 +0000 Subject: [nginx] SPDY: fixed parsing of http version. Message-ID: details: http://hg.nginx.org/nginx/rev/cff36d2d7fe6 branches: changeset: 5574:cff36d2d7fe6 user: Xiaochen Wang date: Tue Feb 11 20:54:16 2014 +0800 description: SPDY: fixed parsing of http version. There is an error while parsing multi-digit minor version numbers (e.g. "HTTP/1.10"). diffstat: src/http/ngx_http_spdy.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) diffs (14 lines): diff --git a/src/http/ngx_http_spdy.c b/src/http/ngx_http_spdy.c --- a/src/http/ngx_http_spdy.c +++ b/src/http/ngx_http_spdy.c @@ -2794,6 +2794,10 @@ ngx_http_spdy_parse_version(ngx_http_req ch = *p; + if (ch == '.') { + break; + } + if (ch < '0' || ch > '9') { return NGX_HTTP_PARSE_INVALID_REQUEST; } From mdounin at mdounin.ru Tue Feb 11 18:33:03 2014 
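Review bot: ngx_ssl_get_session_reused() reports only "r" or ".", and the commit message should spell those values out, in particular that "." means the session was not reused (a full handshake), because the variable is intended for log_format and operators will filter on it. The unused `pool` parameter is fine since it keeps the getter signature shared with the other ngx_ssl_get_* functions used through ngx_http_ssl_variable, and the header and variable-table hunks are consistent with the new function.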
From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 11 Feb 2014 22:33:03 +0400 Subject: SPDY: fixed parsing of http version In-Reply-To: <20140211133827.GA6099@gmail.com> References: <20140211133827.GA6099@gmail.com> Message-ID: <20140211183303.GB38830@mdounin.ru> Hello! On Tue, Feb 11, 2014 at 09:38:27PM +0800, Xiaochen Wang wrote: > # HG changeset patch > # User Xiaochen Wang > # Date 1392123256 -28800 > # Node ID d8d499624b0941a989e43538ac33aead31d55efb > # Parent eeb3c27191471471ff8c3853d847399264498463 > SPDY: fixed parsing of http version > > There is an error while parsing multi-digit minor version numbers (e.g. "HTTP/1.10"). > > diff -r eeb3c2719147 -r d8d499624b09 src/http/ngx_http_spdy.c > --- a/src/http/ngx_http_spdy.c Tue Feb 04 17:13:35 2014 +0400 > +++ b/src/http/ngx_http_spdy.c Tue Feb 11 20:54:16 2014 +0800 > @@ -2794,6 +2794,10 @@ > > ch = *p; > > + if (ch == '.') { > + break; > + } > + > if (ch < '0' || ch > '9') { > return NGX_HTTP_PARSE_INVALID_REQUEST; > } Committed (with minor changes to commit log), thanks. -- Maxim Dounin http://nginx.org/ From piotr at cloudflare.com Tue Feb 11 21:16:41 2014 
From: piotr at cloudflare.com (Piotr Sikora)
Date: Tue, 11 Feb 2014 13:16:41 -0800
Subject: [PATCH] SSL: add "{proxy, uwsgi}_ssl_verify" and supporting directives
In-Reply-To: <20140207105818.GQ1835@mdounin.ru>
References: <20140206160955.GH1835@mdounin.ru> <20140207000319.GL1835@mdounin.ru> <20140207105818.GQ1835@mdounin.ru>
Message-ID:

Hey Maxim,

> Well, there is no real difference, but I think that it would be
> easier to use distinct flags instead. Note that it also matches
> what Apache has:
>
> http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslproxycheckpeername
>
> By looking around you may also find various other flags in Apache
> to control verification (like SSLProxyCheckPeerExpire). I suspect
> eventually we may need to add at least some of them. Having all
> this controlled in a single directive would be a pain.

But isn't having multiple parameters on the directive line kind of
nginx style? ;)

Anyway, I'll do it your way.

> My original suggestion is as follows:
>
> proxy_ssl_name
>
> default: $proxy_host
> complex value, controls a name used in SNI (if enabled)
>
> proxy_ssl_verify on|off
>
> default: off
> flag, controls if remote certificate verification is enabled
>
> proxy_ssl_verify_name on|off
>
> default: on
> flag, controls if remote certificate verification needs to
> check peer's name; must be explicitly switched off
> if certificate verification is switched on, but
> the name can't be checked due to too old OpenSSL

Got it.

> proxy_ssl_sni on|off
>
> default: off (?)
> flag, controls if SNI (Server Name Indication) will be used
> while connecting to backends;
>
> (I tend to think that "proxy_ssl_sni" is a better name compared to
> "proxy_ssl_server_name", as Server Name Indication is usually
> called SNI in various places.)

I dislike the "_sni" suffix, it just looks ugly in lowercase and most
of the variable and directive names in nginx are rather verbose...
"proxy_ssl_server_name" would also match "$ssl_server_name" (if that ever gets merged...). I also believe that it should be turned on by default. Other than broken upstream that can't handle large SSL Client Hello (F5, etc.), there is no reason for any HTTP client to not use SNI. Best regards, Piotr Sikora From piotr at cloudflare.com Wed Feb 12 05:57:55 2014 From: piotr at cloudflare.com (Piotr Sikora) Date: Tue, 11 Feb 2014 21:57:55 -0800 Subject: [PATCH] Upstream: fix $upstream_status variable Message-ID: <3f21f5b57864af853ad0.1392184675@piotrs-macbook-pro.local> # HG changeset patch # User Piotr Sikora # Date 1392184482 28800 # Tue Feb 11 21:54:42 2014 -0800 # Node ID 3f21f5b57864af853ad097a113e419086a603aae # Parent cff36d2d7fe6db1baa9d44ed30ebd26b20c05d06 Upstream: fix $upstream_status variable. Previously, upstream's status code was overwritten with cached response's status code when STALE or REVALIDATED response was sent to the client. Signed-off-by: Piotr Sikora diff -r cff36d2d7fe6 -r 3f21f5b57864 src/http/modules/ngx_http_fastcgi_module.c --- a/src/http/modules/ngx_http_fastcgi_module.c Tue Feb 11 20:54:16 2014 +0800 +++ b/src/http/modules/ngx_http_fastcgi_module.c Tue Feb 11 21:54:42 2014 -0800 @@ -1584,7 +1584,7 @@ ngx_http_fastcgi_process_header(ngx_http ngx_str_set(&u->headers_in.status_line, "200 OK"); } - if (u->state) { + if (u->state && u->state->status == 0) { u->state->status = u->headers_in.status_n; } diff -r cff36d2d7fe6 -r 3f21f5b57864 src/http/modules/ngx_http_proxy_module.c --- a/src/http/modules/ngx_http_proxy_module.c Tue Feb 11 20:54:16 2014 +0800 +++ b/src/http/modules/ngx_http_proxy_module.c Tue Feb 11 21:54:42 2014 -0800 @@ -1362,7 +1362,7 @@ ngx_http_proxy_process_status_line(ngx_h return NGX_OK; } - if (u->state) { + if (u->state && u->state->status == 0) { u->state->status = ctx->status.code; } diff -r cff36d2d7fe6 -r 3f21f5b57864 src/http/modules/ngx_http_scgi_module.c 
--- a/src/http/modules/ngx_http_scgi_module.c Tue Feb 11 20:54:16 2014 +0800 +++ b/src/http/modules/ngx_http_scgi_module.c Tue Feb 11 21:54:42 2014 -0800 @@ -885,7 +885,7 @@ ngx_http_scgi_process_status_line(ngx_ht return ngx_http_scgi_process_header(r); } - if (u->state) { + if (u->state && u->state->status == 0) { u->state->status = status->code; } @@ -1013,7 +1013,7 @@ ngx_http_scgi_process_header(ngx_http_re ngx_str_set(&u->headers_in.status_line, "200 OK"); } - if (u->state) { + if (u->state && u->state->status == 0) { u->state->status = u->headers_in.status_n; } diff -r cff36d2d7fe6 -r 3f21f5b57864 src/http/modules/ngx_http_uwsgi_module.c --- a/src/http/modules/ngx_http_uwsgi_module.c Tue Feb 11 20:54:16 2014 +0800 +++ b/src/http/modules/ngx_http_uwsgi_module.c Tue Feb 11 21:54:42 2014 -0800 @@ -1017,7 +1017,7 @@ ngx_http_uwsgi_process_status_line(ngx_h return ngx_http_uwsgi_process_header(r); } - if (u->state) { + if (u->state && u->state->status == 0) { u->state->status = status->code; } @@ -1145,7 +1145,7 @@ ngx_http_uwsgi_process_header(ngx_http_r ngx_str_set(&u->headers_in.status_line, "200 OK"); } - if (u->state) { + if (u->state && u->state->status == 0) { u->state->status = u->headers_in.status_n; } From ru at nginx.com Wed Feb 12 08:18:55 2014 
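Review bot: the same guard `if (u->state && u->state->status == 0)` appears in all six hunks, and its correctness rests on two assumptions that are stated nowhere in the code: that 0 is never a real HTTP status, and that u->state starts zeroed for each upstream attempt, so the first status recorded for an attempt wins and a later process_header() run over a cached STALE/REVALIDATED response cannot overwrite it. A one-line comment at the first occurrence (or a small helper shared by the four modules) would make that intent visible instead of leaving four identical checks that read like copy-pasted special cases.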
From: ru at nginx.com (Ruslan Ermilov)
Date: Wed, 12 Feb 2014 12:18:55 +0400
Subject: [PATCH] Upstream: fix $upstream_status variable
In-Reply-To: <3f21f5b57864af853ad0.1392184675@piotrs-macbook-pro.local>
References: <3f21f5b57864af853ad0.1392184675@piotrs-macbook-pro.local>
Message-ID: <20140212081855.GH77081@lo0.su>

On Tue, Feb 11, 2014 at 09:57:55PM -0800, Piotr Sikora wrote:
> # HG changeset patch
> # User Piotr Sikora
> # Date 1392184482 28800
> # Tue Feb 11 21:54:42 2014 -0800
> # Node ID 3f21f5b57864af853ad097a113e419086a603aae
> # Parent cff36d2d7fe6db1baa9d44ed30ebd26b20c05d06
> Upstream: fix $upstream_status variable.
>
> Previously, upstream's status code was overwritten with
> cached response's status code when STALE or REVALIDATED
> response was sent to the client.
>
> Signed-off-by: Piotr Sikora

Looks good.

From mdounin at mdounin.ru Wed Feb 12 14:09:04 2014
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Wed, 12 Feb 2014 18:09:04 +0400
Subject: [PATCH] Upstream: fix $upstream_status variable
In-Reply-To: <20140212081855.GH77081@lo0.su>
References: <3f21f5b57864af853ad0.1392184675@piotrs-macbook-pro.local> <20140212081855.GH77081@lo0.su>
Message-ID: <20140212140903.GG38830@mdounin.ru>

Hello!

On Wed, Feb 12, 2014 at 12:18:55PM +0400, Ruslan Ermilov wrote:

> On Tue, Feb 11, 2014 at 09:57:55PM -0800, Piotr Sikora wrote:
> > # HG changeset patch
> > # User Piotr Sikora
> > # Date 1392184482 28800
> > # Tue Feb 11 21:54:42 2014 -0800
> > # Node ID 3f21f5b57864af853ad097a113e419086a603aae
> > # Parent cff36d2d7fe6db1baa9d44ed30ebd26b20c05d06
> > Upstream: fix $upstream_status variable.
> >
> > Previously, upstream's status code was overwritten with
> > cached response's status code when STALE or REVALIDATED
> > response was sent to the client.
> >
> > Signed-off-by: Piotr Sikora
>
> Looks good.

Same here, please commit.

--
Maxim Dounin
http://nginx.org/

From ru at nginx.com Wed Feb 12 14:53:37 2014
From: ru at nginx.com (Ruslan Ermilov) Date: Wed, 12 Feb 2014 14:53:37 +0000 Subject: [nginx] Upstream: fix $upstream_status variable. Message-ID: details: http://hg.nginx.org/nginx/rev/d15822784cf9 branches: changeset: 5575:d15822784cf9 user: Piotr Sikora date: Tue Feb 11 21:54:42 2014 -0800 description: Upstream: fix $upstream_status variable. Previously, upstream's status code was overwritten with cached response's status code when STALE or REVALIDATED response was sent to the client. Signed-off-by: Piotr Sikora diffstat: src/http/modules/ngx_http_fastcgi_module.c | 2 +- src/http/modules/ngx_http_proxy_module.c | 2 +- src/http/modules/ngx_http_scgi_module.c | 4 ++-- src/http/modules/ngx_http_uwsgi_module.c | 4 ++-- 4 files changed, 6 insertions(+), 6 deletions(-) diffs (66 lines): diff -r cff36d2d7fe6 -r d15822784cf9 src/http/modules/ngx_http_fastcgi_module.c --- a/src/http/modules/ngx_http_fastcgi_module.c Tue Feb 11 20:54:16 2014 +0800 +++ b/src/http/modules/ngx_http_fastcgi_module.c Tue Feb 11 21:54:42 2014 -0800 @@ -1584,7 +1584,7 @@ ngx_http_fastcgi_process_header(ngx_http ngx_str_set(&u->headers_in.status_line, "200 OK"); } - if (u->state) { + if (u->state && u->state->status == 0) { u->state->status = u->headers_in.status_n; } diff -r cff36d2d7fe6 -r d15822784cf9 src/http/modules/ngx_http_proxy_module.c --- a/src/http/modules/ngx_http_proxy_module.c Tue Feb 11 20:54:16 2014 +0800 +++ b/src/http/modules/ngx_http_proxy_module.c Tue Feb 11 21:54:42 2014 -0800 @@ -1362,7 +1362,7 @@ ngx_http_proxy_process_status_line(ngx_h return NGX_OK; } - if (u->state) { + if (u->state && u->state->status == 0) { u->state->status = ctx->status.code; } diff -r cff36d2d7fe6 -r d15822784cf9 src/http/modules/ngx_http_scgi_module.c --- a/src/http/modules/ngx_http_scgi_module.c Tue Feb 11 20:54:16 2014 +0800 +++ b/src/http/modules/ngx_http_scgi_module.c Tue Feb 11 21:54:42 2014 -0800 
@@ -885,7 +885,7 @@ ngx_http_scgi_process_status_line(ngx_ht return ngx_http_scgi_process_header(r); } - if (u->state) { + if (u->state && u->state->status == 0) { u->state->status = status->code; } @@ -1013,7 +1013,7 @@ ngx_http_scgi_process_header(ngx_http_re ngx_str_set(&u->headers_in.status_line, "200 OK"); } - if (u->state) { + if (u->state && u->state->status == 0) { u->state->status = u->headers_in.status_n; } diff -r cff36d2d7fe6 -r d15822784cf9 src/http/modules/ngx_http_uwsgi_module.c --- a/src/http/modules/ngx_http_uwsgi_module.c Tue Feb 11 20:54:16 2014 +0800 +++ b/src/http/modules/ngx_http_uwsgi_module.c Tue Feb 11 21:54:42 2014 -0800 @@ -1017,7 +1017,7 @@ ngx_http_uwsgi_process_status_line(ngx_h return ngx_http_uwsgi_process_header(r); } - if (u->state) { + if (u->state && u->state->status == 0) { u->state->status = status->code; } @@ -1145,7 +1145,7 @@ ngx_http_uwsgi_process_header(ngx_http_r ngx_str_set(&u->headers_in.status_line, "200 OK"); } - if (u->state) { + if (u->state && u->state->status == 0) { u->state->status = u->headers_in.status_n; } From mdounin at mdounin.ru Wed Feb 12 16:29:08 2014 
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Wed, 12 Feb 2014 20:29:08 +0400
Subject: [PATCH] SSL: add "{proxy, uwsgi}_ssl_verify" and supporting directives
In-Reply-To:
References: <20140206160955.GH1835@mdounin.ru> <20140207000319.GL1835@mdounin.ru> <20140207105818.GQ1835@mdounin.ru>
Message-ID: <20140212162908.GK38830@mdounin.ru>

Hello!

On Tue, Feb 11, 2014 at 01:16:41PM -0800, Piotr Sikora wrote:

> Hey Maxim,
>
> > Well, there is no real difference, but I think that it would be
> > easier to use distinct flags instead. Note that it also matches
> > what Apache has:
> >
> > http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslproxycheckpeername
> >
> > By looking around you may also find various other flags in Apache
> > to control verification (like SSLProxyCheckPeerExpire). I suspect
> > eventually we may need to add at least some of them. Having all
> > this controlled in a single directive would be a pain.
>
> But isn't having multiple parameters on the directive line kind of
> nginx style? ;)
>
> Anyway, I'll do it your way.
>
> > My original suggestion is as follows:
> >
> > proxy_ssl_name
> >
> > default: $proxy_host
> > complex value, controls a name used in SNI (if enabled)
> >
> > proxy_ssl_verify on|off
> >
> > default: off
> > flag, controls if remote certificate verification is enabled
> >
> > proxy_ssl_verify_name on|off
> >
> > default: on
> > flag, controls if remote certificate verification needs to
> > check peer's name; must be explicitly switched off
> > if certificate verification is switched on, but
> > the name can't be checked due to too old OpenSSL
>
> Got it.

Just a quick note:

We've discussed this with Igor, and he thinks that peer's name
should be always checked, without an ability to switch the check
off selectively. Mostly to simplify user experience.

This implies that we either need our own peer's name check code,
or verification won't work at all if OpenSSL is too old.
> > proxy_ssl_sni on|off
> >
> > default: off (?)
> > flag, controls if SNI (Server Name Indication) will be used
> > while connecting to backends;
> >
> > (I tend to think that "proxy_ssl_sni" is a better name compared to
> > "proxy_ssl_server_name", as Server Name Indication is usually
> > called SNI in various places.)
>
> I dislike the "_sni" suffix, it just looks ugly in lowercase and most
> of the variable and directive names in nginx is rather verbose...
> "proxy_ssl_server_name" would also match "$ssl_server_name" (if that
> ever gets merged...).

Well, I don't think I care too much about the color. The
"proxy_ssl_server_name" looks a bit too long for me, but I
certainly can live with it.

> I also believe that it should be turned on by default. Other than
> broken upstream that can't handle large SSL Client Hello (F5, etc.),
> there is no reason for any HTTP client to not use SNI.

I mostly agree. What raises the question is $proxy_host default,
which may not be appropriate if "proxy_set_header Host" is used.
But probably we can live with it, at least till some better
solution is implemented. It's also not clear what should be used
in case of uwsgi.

(Being paranoid enough, I also think that sending server name in a
clear text is a privacy problem, but it's mostly browser-related
problem, and as long as it can be switched off it's certainly ok.)

--
Maxim Dounin
http://nginx.org/

From vbart at nginx.com Wed Feb 12 17:03:09 2014
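The exchange above settles how upstream TLS should behave: certificate verification off by default, the peer's name always checked once verification is on, SNI sent by default, and Maxim's caveat that $proxy_host is the wrong name to check when "proxy_set_header Host" rewrites the Host header. The configuration below is an added illustration of that design, not something from this thread or from nginx's own sources; it uses the directive names as they eventually shipped in nginx 1.7.0 (proxy_ssl_verify, proxy_ssl_verify_depth, proxy_ssl_trusted_certificate, proxy_ssl_name, proxy_ssl_server_name), which differ from the proposal quoted here, and the upstream address, host name and CA bundle path are constructed placeholders.

```nginx
# Added example, not part of the mailing-list thread. The upstream
# address, host name and CA bundle path are constructed placeholders.

upstream backend_tls {
    server 10.0.0.10:8443;
}

server {
    listen 80;

    # Weak: proxy_ssl_verify defaults to off, so nginx accepts any
    # certificate presented on 10.0.0.10:8443, including a self-signed one
    # from whatever host currently answers on that route. The TLS session
    # is encrypted but not authenticated.
    location /unverified/ {
        proxy_pass https://backend_tls;
    }

    # Hardened: verify the chain against a pinned CA bundle, check the
    # certificate's name, and send that same name in SNI.
    #
    # Because proxy_set_header rewrites Host, the default name derived from
    # $proxy_host would be "backend_tls" (the upstream group name), which is
    # exactly the mismatch Maxim points out; proxy_ssl_name pins the name
    # explicitly so verification and SNI both use the real backend name.
    location /verified/ {
        proxy_pass https://backend_tls;
        proxy_set_header Host api.example.internal;

        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/nginx/ssl/backend-ca.pem;
        proxy_ssl_name                api.example.internal;
        proxy_ssl_server_name         on;
    }
}
```

With proxy_ssl_verify on, a chain that does not validate against proxy_ssl_trusted_certificate, or a certificate whose name does not match proxy_ssl_name, makes nginx abort the upstream connection, log the verification error at "error" level and answer the client with 502; checking the error log for those entries after a backend certificate rotation is the quickest way to confirm the pin is actually enforced. Note that proxy_ssl_server_name shipped with a default of off, so SNI still has to be switched on explicitly for backends that select a certificate by name.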
From: vbart at nginx.com (Valentin Bartenev) Date: Wed, 12 Feb 2014 17:03:09 +0000 Subject: [nginx] SPDY: fixed reversed priority order in window waiting qu... Message-ID: details: http://hg.nginx.org/nginx/rev/2bc609a4b516 branches: changeset: 5576:2bc609a4b516 user: Valentin Bartenev date: Wed Feb 12 21:02:29 2014 +0400 description: SPDY: fixed reversed priority order in window waiting queue. diffstat: src/http/ngx_http_spdy.h | 3 +++ src/http/ngx_http_spdy_filter_module.c | 5 ++++- 2 files changed, 7 insertions(+), 1 deletions(-) diffs (28 lines): diff -r d15822784cf9 -r 2bc609a4b516 src/http/ngx_http_spdy.h --- a/src/http/ngx_http_spdy.h Tue Feb 11 21:54:42 2014 -0800 +++ b/src/http/ngx_http_spdy.h Wed Feb 12 21:02:29 2014 +0400 @@ -174,6 +174,9 @@ ngx_http_spdy_queue_frame(ngx_http_spdy_ for (out = &sc->last_out; *out; out = &(*out)->next) { + /* + * NB: higher values represent lower priorities. + */ if (frame->priority >= (*out)->priority) { break; } diff -r d15822784cf9 -r 2bc609a4b516 src/http/ngx_http_spdy_filter_module.c --- a/src/http/ngx_http_spdy_filter_module.c Tue Feb 11 21:54:42 2014 -0800 +++ b/src/http/ngx_http_spdy_filter_module.c Wed Feb 12 21:02:29 2014 +0400 @@ -967,7 +967,10 @@ ngx_http_spdy_waiting_queue(ngx_http_spd { s = ngx_queue_data(q, ngx_http_spdy_stream_t, queue); - if (s->priority >= stream->priority) { + /* + * NB: higher values represent lower priorities. + */ + if (stream->priority >= s->priority) { break; } } From vbart at nginx.com Wed Feb 12 18:42:33 2014 
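Review bot: after this change the two comparisons run in opposite directions (`frame->priority >= (*out)->priority` in ngx_http_spdy_queue_frame is untouched, while ngx_http_spdy_waiting_queue now tests `stream->priority >= s->priority`), yet both get the identical comment "higher values represent lower priorities". Each comment should also say which way its list is walked (sc->last_out via ->next in the first, the queue entries via q in the second) and therefore why the operands are the way round they are, otherwise the next reader will conclude that one of the two loops is still reversed.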
From: vbart at nginx.com (Valentin V. Bartenev)
Date: Wed, 12 Feb 2014 22:42:33 +0400
Subject: [PATCH] SSL: add "{proxy, uwsgi}_ssl_verify" and supporting directives
In-Reply-To: <20140212162908.GK38830@mdounin.ru>
References: <20140212162908.GK38830@mdounin.ru>
Message-ID: <22826235.NI75ka2U57@vbart-laptop>

On Wednesday 12 February 2014 20:29:08 Maxim Dounin wrote:
[..]
> > > proxy_ssl_sni on|off
> > >
> > > default: off (?)
> > > flag, controls if SNI (Server Name Indication) will be used
> > > while connecting to backends;
> > >
> > > (I tend to think that "proxy_ssl_sni" is a better name compared to
> > > "proxy_ssl_server_name", as Server Name Indication is usually
> > > called SNI in various places.)
> >
> > I dislike the "_sni" suffix, it just looks ugly in lowercase and most
> > of the variable and directive names in nginx is rather verbose...
> > "proxy_ssl_server_name" would also match "$ssl_server_name" (if that
> > ever gets merged...).
>
> Well, I don't think I care too much about the color. The
> "proxy_ssl_server_name" looks a bit too long for me, but I
> certainly can live with it.

Then my vote goes to proxy_ssl_server_name. =)

wbr, Valentin V. Bartenev

From apunch at brandscreen.com Thu Feb 13 00:15:41 2014
From: apunch at brandscreen.com (Andrew Punch)
Date: Thu, 13 Feb 2014 11:15:41 +1100
Subject: Intercepting USR1 in a module
Message-ID:

Hi,

I am maintaining a custom module for nginx. We currently rotate our logs
and load dynamic data every 5 minutes by using SIGHUP. Unfortunately this
also tears down our keepalive connections which harms our performance
(we are handling about 1500 requests per second per server). We have a
number of custom log files in addition to the access log and error log
which also need to be rotated.

I was hoping that I could use SIGUSR1 to reopen the logs (including the
module's custom logs) and notify the module that it should reload the
dynamic data without dropping the keepalive connections.

I can see that I could use ngx_conf_open_file() to open the module's custom
log files so that nginx will take care of reopening them. However for
reloading the dynamic data: I can't see a way to hook the SIGUSR1 in the
worker process (which shows up as a NGX_CMD_REOPEN in the channel for the
worker process). However if I added a new hook for NGX_CMD_REOPEN then
epoll inside the channel handler would probably return EEXIST.

So what is the best way for a module to hook NGX_CMD_REOPEN? Or is there
a better way of approaching this?

-Andrew

--
NOTICE
This e-mail and any attachments are confidential and may contain copyright material of Brandscreen or third parties. If you are not the intended recipient of this email you should not read, print, re-transmit, store or act in reliance on this e-mail or any attachments, and should destroy all copies of them. Brandscreen does not guarantee the integrity of any emails or any attached files. The views or opinions expressed are the author's own and may not reflect the views or opinions of Brandscreen.

From mdounin at mdounin.ru Thu Feb 13 10:47:21 2014
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Thu, 13 Feb 2014 14:47:21 +0400
Subject: Intercepting USR1 in a module
In-Reply-To:
References:
Message-ID: <20140213104721.GQ38830@mdounin.ru>

Hello!

On Thu, Feb 13, 2014 at 11:15:41AM +1100, Andrew Punch wrote:

> Hi,
>
> I am maintaining a custom module for nginx. We currently rotate our logs
> and load dynamic data every 5 minutes by using SIGHUP. Unfortunately this
> also tears down our keepalive connections which harms our performance
> (we are handling about 1500 requests per second per server). We have a
> number of custom log files in addition to the access log and error log
> which also need to be rotated.
>
> I was hoping that I could use SIGUSR1 to reopen the logs (including the
> module's custom logs) and notify the module that it should reload the
> dynamic data without dropping the keepalive connections.
>
> I can see that I could use ngx_conf_open_file() to open the module's custom
> log files so that nginx will take care of reopening them. However for
> reloading the dynamic data: I can't see a way to hook the SIGUSR1 in the
> worker process (which shows up as a NGX_CMD_REOPEN in the channel for the
> worker process). However if I added a new hook for NGX_CMD_REOPEN then
> epoll inside the channel handler would probably return EEXIST.
>
> So what is the best way for a module to hook NGX_CMD_REOPEN? Or is there
> a better way of approaching this?

Take a look at ngx_open_file_t's flush() handler. E.g., it is used
by ngx_http_log_module to flush buffered/gzipped logs before reopen.

--
Maxim Dounin
http://nginx.org/

From mdounin at mdounin.ru Thu Feb 13 12:55:05 2014
From: mdounin at mdounin.ru (Maxim Dounin) Date: Thu, 13 Feb 2014 12:55:05 +0000 Subject: [nginx] Win32: MSVC 2013 compatibility. Message-ID: details: http://hg.nginx.org/nginx/rev/bfe536716dbf branches: changeset: 5577:bfe536716dbf user: Maxim Dounin date: Thu Feb 13 16:54:00 2014 +0400 description: Win32: MSVC 2013 compatibility. Warnings about GetVersionEx() deprecation silenced. Precompiled object linked in. diffstat: auto/cc/msvc | 1 + src/os/win32/ngx_win32_init.c | 8 ++++++++ 2 files changed, 9 insertions(+), 0 deletions(-) diffs (36 lines): diff --git a/auto/cc/msvc b/auto/cc/msvc --- a/auto/cc/msvc +++ b/auto/cc/msvc @@ -106,6 +106,7 @@ fi # precompiled headers CORE_DEPS="$CORE_DEPS $NGX_OBJS/ngx_config.pch" +CORE_LINK="$NGX_OBJS/ngx_pch.obj" NGX_PCH="$NGX_OBJS/ngx_config.pch" NGX_BUILD_PCH="-Ycngx_config.h -Fp$NGX_OBJS/ngx_config.pch" NGX_USE_PCH="-Yungx_config.h -Fp$NGX_OBJS/ngx_config.pch" diff --git a/src/os/win32/ngx_win32_init.c b/src/os/win32/ngx_win32_init.c --- a/src/os/win32/ngx_win32_init.c +++ b/src/os/win32/ngx_win32_init.c @@ -71,6 +71,10 @@ ngx_os_init(ngx_log_t *log) ngx_memzero(&osvi, sizeof(OSVERSIONINFOEX)); osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX); +#ifdef _MSC_VER +#pragma warning(disable:4996) +#endif + osviex = GetVersionEx((OSVERSIONINFO *) &osvi); if (osviex == 0) { @@ -82,6 +86,10 @@ ngx_os_init(ngx_log_t *log) } } +#ifdef _MSC_VER +#pragma warning(default:4996) +#endif + /* * Windows 3.1 Win32s 0xxxxx * From flevionnois at gmail.com Fri Feb 14 10:41:35 2014 
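Review bot: `#pragma warning(default:4996)` in the second hunk resets C4996 to the compiler's built-in level rather than to whatever was in effect before the `disable`, so a project-wide /wd4996 or /we4996 given on the command line is silently undone for the rest of ngx_win32_init.c after the GetVersionEx() call. `#pragma warning(push)` ahead of the `disable` and `#pragma warning(pop)` in place of the `default` restore the previous state exactly; the _MSC_VER guards around both can stay as they are.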
From: flevionnois at gmail.com (Franck Levionnois) Date: Fri, 14 Feb 2014 11:41:35 +0100 Subject: [PATCH] Mail: added support for SSL client certificate In-Reply-To: <20140211124146.GQ1835@mdounin.ru> References: <9dc48eeb8e5cb022676d.1390639629@HPC> <20140128141852.GA1835@mdounin.ru> <20140211124146.GQ1835@mdounin.ru> Message-ID: Hello. 2014-02-11 13:41 GMT+01:00 Maxim Dounin : > Hello! > > On Mon, Feb 10, 2014 at 02:08:52PM +0100, Franck Levionnois wrote: > > > > > + b64_cert->len = ngx_base64_encoded_length(pem_cert.len); > > > > + b64_cert->data = ngx_palloc(pool, b64_cert->len); > > > > + if (b64_cert->data == NULL) { > > > > + b64_cert->len = 0; > > > > + return NGX_ERROR; > > > > + } > > > > + ngx_encode_base64(b64_cert, &pem_cert); > > > > > > Using a raw certificate escaped as other other Auth-* headers may > > > be a better idea than inventing another method to pass things. > > > Base64 encoding of base64 encoded data looks especially strange. > > > :) > > > > > > > Base64 encoding of the PEM certificate may looks strange, but it is done > > for compatibility with other reverse proxy like F5 BigIp. It is also > > possible to simply remove PEM header / footer and carriage returns (like > > another reverse proxy) > > While compatibility with 3rd party code is a good thing, I don't > think that it should be done at cost of consistency with other > code. > > > > > The function "ngx_ssl_get_certificate" is about to do the work, but it > let > > headers, and replaces carriage returns by tabulations. Modify this one to > > remove the headers may have some consequences. > > Although i would have preferred not to have the headers, i think i can do > > with it, if you think this is better than adding a third function to get > ssl > > client certificate. > > The ngx_ssl_get_certificate() is for $ssl_client_cert variable in > http[1], and it uses header continuation to make it possible to > pass certificate to upstream servers. 
This approach doesn't work > very well as header continuation isn't really supported nowadays > (in particular, by nginx itself) and deprecated by HTTPbis, so it > probably needs revision. But I don't think it's relevant to this > case, as we already have escaping applied to other Auth-* headers, > and it should be trivial for auth script to unescape certificates > as well. > > [1] http://nginx.org/en/docs/http/ngx_http_ssl_module.html#variables > > Ok, it's trivial. I'll modify the patch to use the escape function. [...] > > > > > + if (ngx_ssl_get_issuer_dn(s->connection, pool, > > > > + &client_issuer) != NGX_OK) { > > > > + return NULL; > > > > + } > > > > + > > > > + if (ngx_ssl_get_serial_number(s->connection, pool, > > > > + &client_serial) != NGX_OK) { > > > > + return NULL; > > > > + } > > > > > > One of questions left open during Sven Peter's patch review was > > > whether subject/issuer can contain CR/LF and require escaping. > > > The code here suggests they can't. I would like to know if it was > > > actually checked. > > > > > > It would be also cool to get Sven's review of the code (and/or his > > > own patch improved instead if he don't happy with one from > > > Franck). Added Sven to Cc. > > > > > > > > Subject and Issuer DN may contain special chars but "X509_NAME_oneline" > > function escapes every chars outside " " -> "~" range (in ASCII table). > > This is the function used by "ngx_ssl_get_subject_dn" and > > "ngx_ssl_get_issuer_dn" to get the DN > > This is a sample output from the function of DN with carriage returns : > > Issuer: /C=FR/ST=Some-State \x0D\x0A\x0D\x0A\x0D\x0Atest/ > > L=Paris/OU=An\x0D\x0Aign/CN=Autorite de certification > > > > Even if I've never seen Distinguished names with carriage returns, I > > haven't seen such limitation in RFC 3280 / X500. > > RFC 2253 shows a sample of distinguished name with carriage return. 
> > So escaping or CR/LF is already done by X509_NAME_oneline() and > there is no need for additional one, right? > > Yes, it's right. > -- > Maxim Dounin > http://nginx.org/ > > _______________________________________________ > nginx-devel mailing list > nginx-devel at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx-devel > Kind regards. Franck Levionnois. From arut at nginx.com Fri Feb 14 11:16:03 2014 From: arut at nginx.com (Roman Arutyunyan) Date: Fri, 14 Feb 2014 11:16:03 +0000 Subject: [nginx] Mp4: remove useless leading stsc entry in result mp4. Message-ID: details: http://hg.nginx.org/nginx/rev/e280ece17020 branches: changeset: 5578:e280ece17020 user: Roman Arutyunyan date: Fri Feb 14 15:14:48 2014 +0400 description: Mp4: remove useless leading stsc entry in result mp4. The fix removes useless stsc entry in result mp4. If start_sample == n then current stsc entry should be skipped and the result stsc should start with the next entry. The reason for that is start_sample starts from 0, not 1. diffstat: src/http/modules/ngx_http_mp4_module.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diffs (12 lines): diff -r bfe536716dbf -r e280ece17020 src/http/modules/ngx_http_mp4_module.c --- a/src/http/modules/ngx_http_mp4_module.c Thu Feb 13 16:54:00 2014 +0400 +++ b/src/http/modules/ngx_http_mp4_module.c Fri Feb 14 15:14:48 2014 +0400 @@ -2481,7 +2481,7 @@ ngx_http_mp4_update_stsc_atom(ngx_http_m n = (next_chunk - chunk) * samples; - if (start_sample <= n) { + if (start_sample < n) { goto found; } From apunch at brandscreen.com Fri Feb 14 22:35:23 2014 
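Review bot: the boundary reasoning for `if (start_sample < n)` (start_sample is 0-based, so start_sample == n already belongs to the next stsc entry) lives only in the commit message; a one-line comment beside the comparison would keep a future reader from "fixing" it back to `<=`, which is exactly the off-by-one this change removes.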
From: apunch at brandscreen.com (Andrew Punch)
Date: Sat, 15 Feb 2014 09:35:23 +1100
Subject: Intercepting USR1 in a module
Message-ID:

Hi,

I created a dummy log file to test using the flush handler. This was
successful. I will now integrate it with our code.

An alternative (but more complex) method I thought of was to assign an
unused signal, use signalfd() to get a file descriptor then use
ngx_add_event() to add a handler to the main event queue. When this
handler was triggered it could set ngx_reopen=1

Your solution is faster to code up, so I will go with that.

Thanks for the help!

-Andrew

From mdounin at mdounin.ru Tue Feb 18 14:26:51 2014
From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 18 Feb 2014 14:26:51 +0000 Subject: [nginx] Upstream: ngx_post_event() instead of upgraded call (tic... Message-ID: details: http://hg.nginx.org/nginx/rev/7586e7b2dbe9 branches: changeset: 5579:7586e7b2dbe9 user: Maxim Dounin date: Tue Feb 18 17:30:40 2014 +0400 description: Upstream: ngx_post_event() instead of upgraded call (ticket #503). If a request is finalized in the first call to the ngx_http_upstream_process_upgraded() function, e.g., because upstream server closed the connection for some reason, in the second call the u->peer.connection pointer will be null, resulting in segmentation fault. Fix is to avoid second direct call, and post event instead. This ensures that ngx_http_upstream_process_upgraded() won't be called again if a request is finalized. diffstat: src/http/ngx_http_upstream.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diffs (13 lines): diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c --- a/src/http/ngx_http_upstream.c +++ b/src/http/ngx_http_upstream.c @@ -2557,7 +2557,9 @@ ngx_http_upstream_upgrade(ngx_http_reque if (u->peer.connection->read->ready || u->buffer.pos != u->buffer.last) { + ngx_post_event(c->read, &ngx_posted_events); ngx_http_upstream_process_upgraded(r, 1, 1); + return; } ngx_http_upstream_process_upgraded(r, 0, 1); From ru at nginx.com Wed Feb 19 17:47:06 2014 
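Review bot: the reason for posting c->read instead of making the second ngx_http_upstream_process_upgraded() call directly exists only in the commit message (the first call may finalize the request and leave u->peer.connection null); a one-line comment above `ngx_post_event(c->read, &ngx_posted_events);` would stop a later cleanup from turning it back into a direct call. It is also worth stating in the description that posting is safe when c->read is already queued, since the hunk shows neither how `c` is obtained nor what happens to an event that is posted twice.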
From: ru at nginx.com (Ruslan Ermilov) Date: Wed, 19 Feb 2014 17:47:06 +0000 Subject: [nginx] Access: supplemented the obfuscated code with a comment. Message-ID: details: http://hg.nginx.org/nginx/rev/06c227e9edd0 branches: changeset: 5580:06c227e9edd0 user: Ruslan Ermilov date: Wed Feb 19 21:45:27 2014 +0400 description: Access: supplemented the obfuscated code with a comment. diffstat: src/http/modules/ngx_http_access_module.c | 6 +++++- 1 files changed, 5 insertions(+), 1 deletions(-) diffs (16 lines): diff -r 7586e7b2dbe9 -r 06c227e9edd0 src/http/modules/ngx_http_access_module.c --- a/src/http/modules/ngx_http_access_module.c Tue Feb 18 17:30:40 2014 +0400 +++ b/src/http/modules/ngx_http_access_module.c Wed Feb 19 21:45:27 2014 +0400 @@ -259,7 +259,11 @@ ngx_http_access_unix(ngx_http_request_t rule_un = alcf->rules_un->elts; for (i = 0; i < alcf->rules_un->nelts; i++) { - return ngx_http_access_found(r, rule_un[i].deny); + + /* TODO: check path */ + if (1) { + return ngx_http_access_found(r, rule_un[i].deny); + } } return NGX_DECLINED; From thresh at nginx.com Thu Feb 20 12:48:43 2014 From: thresh at nginx.com (Konstantin Pavlov) Date: Thu, 20 Feb 2014 12:48:43 +0000 Subject: [nginx] Upstream: fixed error message wording. Message-ID: details: http://hg.nginx.org/nginx/rev/4dee5ad51e9e branches: changeset: 5581:4dee5ad51e9e user: Konstantin Pavlov date: Thu Feb 20 13:48:40 2014 +0400 description: Upstream: fixed error message wording. diffstat: src/http/ngx_http_upstream.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diffs (12 lines): diff -r 06c227e9edd0 -r 4dee5ad51e9e src/http/ngx_http_upstream.c --- a/src/http/ngx_http_upstream.c Wed Feb 19 21:45:27 2014 +0400 +++ b/src/http/ngx_http_upstream.c Thu Feb 20 13:48:40 2014 +0400 
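Review bot: in the ngx_http_access_unix() hunk, `if (1)` keeps the loop returning on the very first entry of alcf->rules_un, so every further unix rule is dead code and every unix-socket client matches the first rule regardless of socket path. Making that visible with the TODO is an improvement over the bare `return` inside a `for`, but the commit message should spell out the operator-visible consequence: `allow`/`deny` rules for unix sockets currently apply to all unix-socket clients, not to a particular path, and a second unix rule has no effect.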
@@ -715,7 +715,7 @@ ngx_http_upstream_cache(ngx_http_request if (r->cache->header_start + 256 >= u->conf->buffer_size) { ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "%V_buffer_size %uz is not enough for cache key, " - "it should increased at least to %uz", + "it should be increased to at least %uz", &u->conf->module, u->conf->buffer_size, ngx_align(r->cache->header_start + 256, 1024)); From ru at nginx.com Fri Feb 21 07:55:40 2014 From: ru at nginx.com (Ruslan Ermilov) Date: Fri, 21 Feb 2014 07:55:40 +0000 Subject: [nginx] Resolver: properly handle connect() failures. Message-ID: details: http://hg.nginx.org/nginx/rev/545a4d393e2f branches: changeset: 5582:545a4d393e2f user: Ruslan Ermilov date: Thu Feb 20 17:27:09 2014 +0400 description: Resolver: properly handle connect() failures. If initial attempt to connect() the UDP socket failed, e.g. due to network unreachable, no further attempts were made. diffstat: src/core/ngx_resolver.c | 22 +++++++++++----------- 1 files changed, 11 insertions(+), 11 deletions(-) diffs (54 lines): diff -r 4dee5ad51e9e -r 545a4d393e2f src/core/ngx_resolver.c --- a/src/core/ngx_resolver.c Thu Feb 20 13:48:40 2014 +0400 +++ b/src/core/ngx_resolver.c Thu Feb 20 17:27:09 2014 +0400 @@ -3037,14 +3037,7 @@ ngx_udp_connect(ngx_udp_connection_t *uc ngx_log_error(NGX_LOG_ALERT, &uc->log, ngx_socket_errno, ngx_nonblocking_n " failed"); - ngx_free_connection(c); - - if (ngx_close_socket(s) == -1) { - ngx_log_error(NGX_LOG_ALERT, &uc->log, ngx_socket_errno, - ngx_close_socket_n " failed"); - } - - return NGX_ERROR; + goto failed; } rev = c->read; @@ -3079,7 +3072,7 @@ ngx_udp_connect(ngx_udp_connection_t *uc ngx_log_error(NGX_LOG_CRIT, &uc->log, ngx_socket_errno, "connect() failed"); - return NGX_ERROR; + goto failed; } /* UDP sockets are always ready to write */ 
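Review bot: the "connect() failed" hunk in ngx_udp_connect() shows the actual leak: the old code returned NGX_ERROR without releasing the ngx_connection_t it had obtained for the UDP socket and without clearing uc->connection, which is why, as the description says, no further attempts were made. Folding the first hunk's inline ngx_free_connection()/ngx_close_socket() pair into the shared `goto failed` path is the right unification; please mention in the commit message that the failed path now goes through ngx_close_connection(), which is what every future early return in this function must use as well.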
@@ -3093,16 +3086,23 @@ ngx_udp_connect(ngx_udp_connection_t *uc /* eventport event type has no meaning: oneshot only */ if (ngx_add_event(rev, NGX_READ_EVENT, event) != NGX_OK) { - return NGX_ERROR; + goto failed; } } else { /* rtsig */ if (ngx_add_conn(c) == NGX_ERROR) { - return NGX_ERROR; + goto failed; } } return NGX_OK; + +failed: + + ngx_close_connection(c); + uc->connection = NULL; + + return NGX_ERROR; } From flevionnois at gmail.com Fri Feb 21 10:11:23 2014 From: flevionnois at gmail.com (flevionnois at gmail.com) Date: Fri, 21 Feb 2014 11:11:23 +0100 Subject: [PATCH] Mail: added support for SSL client certificate In-Reply-To: References: Message-ID: <0a3fd2d54154c3d56131.1392977483@FLEVIONNOIS2.dictao.com> # HG changeset patch # User Franck Levionnois # Date 1390577176 -3600 # Fri Jan 24 16:26:16 2014 +0100 # Node ID 0a3fd2d54154c3d56131ee5053df0939db32d7b4 # Parent 4dee5ad51e9e5b49085011e8785001e2d6c02b0d Mail: added support for SSL client certificate. Add support for SSL Mutual Authentification like in mail module. Added mail configuration directives (like http): ssl_verify_client, ssl_verify_depth, ssl_client_certificate, ssl_trusted_certificate, ssl_crl. Added http auth headers: Auth-Certificate, Auth-Verify, Auth-Issuer-DN, Auth-Subject-DN, Auth-Subject-Serial. diff -r 4dee5ad51e9e -r 0a3fd2d54154 src/mail/ngx_mail_auth_http_module.c --- a/src/mail/ngx_mail_auth_http_module.c Thu Feb 20 13:48:40 2014 +0400 +++ b/src/mail/ngx_mail_auth_http_module.c Fri Jan 24 16:26:16 2014 +0100 @@ -1143,6 +1143,9 @@ ngx_mail_auth_http_create_request(ngx_ma size_t len; ngx_buf_t *b; ngx_str_t login, passwd; +#if (NGX_MAIL_SSL) + ngx_str_t cert, verify, subject, issuer, serial; +#endif ngx_mail_core_srv_conf_t *cscf; if (ngx_mail_auth_http_escape(pool, &s->login, &login) != NGX_OK) { 
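Review bot: the `failed:` block at the end of ngx_udp_connect() is where the bug from the description is really fixed: resetting uc->connection = NULL after ngx_close_connection(c) is what lets the caller retry the connect on the next query instead of treating the dead connection as established. That line deserves a comment saying so, since a later cleanup that only closes the connection would silently reintroduce the bug. The ngx_add_event()/ngx_add_conn() error branches now share the same exit, which also fixes those two earlier bare `return NGX_ERROR` paths that leaked the connection.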
@@ -1155,6 +1158,41 @@ ngx_mail_auth_http_create_request(ngx_ma cscf = ngx_mail_get_module_srv_conf(s, ngx_mail_core_module); +#if (NGX_MAIL_SSL) + if (s->connection->ssl) { + if (ngx_ssl_get_client_verify(s->connection, pool, &verify) != NGX_OK) + { + return NULL; + } + + if (ngx_ssl_get_subject_dn(s->connection, pool, + &subject) != NGX_OK) { + return NULL; + } + + if (ngx_ssl_get_issuer_dn(s->connection, pool, + &issuer) != NGX_OK) { + return NULL; + } + + if (ngx_ssl_get_serial_number(s->connection, pool, + &serial) != NGX_OK) { + return NULL; + } + + if (ngx_ssl_get_certificate(s->connection, pool, + &cert) != NGX_OK) { + return NULL; + } + } else { + verify.len = 0; + issuer.len = 0; + subject.len = 0; + serial.len = 0; + cert.len = 0; + } +#endif + len = sizeof("GET ") - 1 + ahcf->uri.len + sizeof(" HTTP/1.0" CRLF) - 1 + sizeof("Host: ") - 1 + ahcf->host_header.len + sizeof(CRLF) - 1 + sizeof("Auth-Method: ") - 1 @@ -1163,6 +1201,14 @@ ngx_mail_auth_http_create_request(ngx_ma + sizeof("Auth-User: ") - 1 + login.len + sizeof(CRLF) - 1 + sizeof("Auth-Pass: ") - 1 + passwd.len + sizeof(CRLF) - 1 + sizeof("Auth-Salt: ") - 1 + s->salt.len +#if (NGX_MAIL_SSL) + + sizeof("Auth-Certificate: ") - 1 + cert.len + sizeof(CRLF) - 1 + + sizeof("Auth-Verify: ") - 1 + verify.len + sizeof(CRLF) - 1 + + sizeof("Auth-Issuer-DN: ") - 1 + issuer.len + sizeof(CRLF) - 1 + + sizeof("Auth-Subject-DN: ") - 1 + subject.len + sizeof(CRLF) - 1 + + sizeof("Auth-Subject-Serial: ") - 1 + serial.len + + sizeof(CRLF) - 1 +#endif + sizeof("Auth-Protocol: ") - 1 + cscf->protocol->name.len + sizeof(CRLF) - 1 + sizeof("Auth-Login-Attempt: ") - 1 + NGX_INT_T_LEN 
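Review bot: ngx_ssl_get_certificate() returns the PEM-encoded certificate, which spans several lines, and this value is later copied verbatim into the Auth-Certificate header, so the embedded line breaks terminate the header and corrupt the auth_http request. Fetch the raw certificate and pass it through ngx_mail_auth_http_escape(), as is already done for login and passwd a few lines above. Minor: in the else branch only the .len members are cleared; that is fine because every consumer checks .len before touching .data, but a one-line comment stating that would save the next reader a trip.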
@@ -1213,6 +1259,44 @@ ngx_mail_auth_http_create_request(ngx_ma s->passwd.data = NULL; } +#if (NGX_MAIL_SSL) + if (cert.len) { + b->last = ngx_cpymem(b->last, "Auth-Certificate: ", + sizeof("Auth-Certificate: ") - 1); + b->last = ngx_copy(b->last, cert.data, cert.len); + *b->last++ = CR; *b->last++ = LF; + } + + if (verify.len) { + b->last = ngx_cpymem(b->last, "Auth-Verify: ", + sizeof("Auth-Verify: ") - 1); + b->last = ngx_copy(b->last, verify.data, verify.len); + *b->last++ = CR; *b->last++ = LF; + } + + if (issuer.len) { + b->last = ngx_cpymem(b->last, "Auth-Issuer-DN: ", + sizeof("Auth-Issuer-DN: ") - 1); + b->last = ngx_copy(b->last, issuer.data, issuer.len); + *b->last++ = CR; *b->last++ = LF; + } + + if (subject.len) { + b->last = ngx_cpymem(b->last, "Auth-Subject-DN: ", + sizeof("Auth-Subject-DN: ") - 1); + b->last = ngx_copy(b->last, subject.data, subject.len); + *b->last++ = CR; *b->last++ = LF; + } + + if (serial.len) { + b->last = ngx_cpymem(b->last, "Auth-Subject-Serial: ", + sizeof("Auth-Subject-Serial: ") - 1); + b->last = ngx_copy(b->last, serial.data, serial.len); + *b->last++ = CR; *b->last++ = LF; + } + +#endif + b->last = ngx_cpymem(b->last, "Auth-Protocol: ", sizeof("Auth-Protocol: ") - 1); b->last = ngx_cpymem(b->last, cscf->protocol->name.data, diff -r 4dee5ad51e9e -r 0a3fd2d54154 src/mail/ngx_mail_handler.c --- a/src/mail/ngx_mail_handler.c Thu Feb 20 13:48:40 2014 +0400 +++ b/src/mail/ngx_mail_handler.c Fri Jan 24 16:26:16 2014 +0100 
@@ -236,11 +236,60 @@ ngx_mail_ssl_handshake_handler(ngx_conne { ngx_mail_session_t *s; ngx_mail_core_srv_conf_t *cscf; +#if (NGX_MAIL_SSL) + ngx_mail_ssl_conf_t *sslcf; +#endif + + ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0, + "ngx_mail_ssl_handshake_handler handshaked: %d", + c->ssl->handshaked); if (c->ssl->handshaked) { s = c->data; +#if (NGX_MAIL_SSL) + sslcf = ngx_mail_get_module_srv_conf(s, ngx_mail_ssl_module); + if (sslcf->verify) { + long rc; + + rc = SSL_get_verify_result(c->ssl->connection); + + if (rc != X509_V_OK + && (sslcf->verify != 3 || !ngx_ssl_verify_error_optional(rc))) + { + ngx_log_error(NGX_LOG_INFO, c->log, 0, + "client SSL certificate verify error: (%l:%s)", + rc, X509_verify_cert_error_string(rc)); + + ngx_ssl_remove_cached_session(sslcf->ssl.ctx, + (SSL_get0_session(c->ssl->connection))); + + ngx_mail_close_connection(c); + return; + } + + if (sslcf->verify == 1) { + X509 *cert; + cert = SSL_get_peer_certificate(c->ssl->connection); + + if (cert == NULL) { + ngx_log_error(NGX_LOG_INFO, c->log, 0, + "client sent no required SSL certificate"); + + ngx_ssl_remove_cached_session(sslcf->ssl.ctx, + (SSL_get0_session(c->ssl->connection))); + + ngx_mail_close_connection(c); + return; + } + + X509_free(cert); + } + } + +#endif + if (s->starttls) { cscf = ngx_mail_get_module_srv_conf(s, ngx_mail_core_module); diff -r 4dee5ad51e9e -r 0a3fd2d54154 src/mail/ngx_mail_ssl_module.c --- a/src/mail/ngx_mail_ssl_module.c Thu Feb 20 13:48:40 2014 +0400 +++ b/src/mail/ngx_mail_ssl_module.c Fri Jan 24 16:26:16 2014 +0100 @@ -43,6 +43,14 @@ static ngx_conf_bitmask_t ngx_mail_ssl_ { ngx_null_string, 0 } }; +static ngx_conf_enum_t ngx_mail_ssl_verify[] = { + { ngx_string("off"), 0 }, + { ngx_string("on"), 1 }, + { ngx_string("optional"), 2 }, + { ngx_string("optional_no_ca"), 3 }, + { ngx_null_string, 0 } +}; + static ngx_command_t ngx_mail_ssl_commands[] = { 
@@ -102,6 +110,34 @@ static ngx_command_t ngx_mail_ssl_comma offsetof(ngx_mail_ssl_conf_t, ciphers), NULL }, + { ngx_string("ssl_verify_client"), + NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, + ngx_conf_set_enum_slot, + NGX_MAIL_SRV_CONF_OFFSET, + offsetof(ngx_mail_ssl_conf_t, verify), + &ngx_mail_ssl_verify }, + + { ngx_string("ssl_verify_depth"), + NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, + ngx_conf_set_num_slot, + NGX_MAIL_SRV_CONF_OFFSET, + offsetof(ngx_mail_ssl_conf_t, verify_depth), + NULL }, + + { ngx_string("ssl_client_certificate"), + NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, + ngx_conf_set_str_slot, + NGX_MAIL_SRV_CONF_OFFSET, + offsetof(ngx_mail_ssl_conf_t, client_certificate), + NULL }, + + { ngx_string("ssl_trusted_certificate"), + NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, + ngx_conf_set_str_slot, + NGX_MAIL_SRV_CONF_OFFSET, + offsetof(ngx_mail_ssl_conf_t, trusted_certificate), + NULL }, + { ngx_string("ssl_prefer_server_ciphers"), NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG, ngx_conf_set_flag_slot, @@ -137,6 +173,13 @@ static ngx_command_t ngx_mail_ssl_comma offsetof(ngx_mail_ssl_conf_t, session_timeout), NULL }, + { ngx_string("ssl_crl"), + NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, + ngx_conf_set_str_slot, + NGX_MAIL_SRV_CONF_OFFSET, + offsetof(ngx_mail_ssl_conf_t, crl), + NULL }, + ngx_null_command }; @@ -189,6 +232,9 @@ ngx_mail_ssl_create_conf(ngx_conf_t *cf) * scf->certificate_key = { 0, NULL }; * scf->dhparam = { 0, NULL }; * scf->ecdh_curve = { 0, NULL }; + * scf->client_certificate = { 0, NULL }; + * scf->trusted_certificate = { 0, NULL }; + * scf->crl = { 0, NULL }; * scf->ciphers = { 0, NULL }; * scf->shm_zone = NULL; */ 
@@ -196,6 +242,8 @@ ngx_mail_ssl_create_conf(ngx_conf_t *cf) scf->enable = NGX_CONF_UNSET; scf->starttls = NGX_CONF_UNSET_UINT; scf->prefer_server_ciphers = NGX_CONF_UNSET; + scf->verify = NGX_CONF_UNSET_UINT; + scf->verify_depth = NGX_CONF_UNSET_UINT; scf->builtin_session_cache = NGX_CONF_UNSET; scf->session_timeout = NGX_CONF_UNSET; scf->session_tickets = NGX_CONF_UNSET; @@ -228,11 +276,20 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, (NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3|NGX_SSL_TLSv1 |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2)); + ngx_conf_merge_uint_value(conf->verify, prev->verify, 0); + ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1); + ngx_conf_merge_str_value(conf->certificate, prev->certificate, ""); ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, ""); ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, ""); + ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate, + ""); + ngx_conf_merge_str_value(conf->trusted_certificate, + prev->trusted_certificate, ""); + ngx_conf_merge_str_value(conf->crl, prev->crl, ""); + ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve, NGX_DEFAULT_ECDH_CURVE); 
@@ -318,6 +375,35 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, return NGX_CONF_ERROR; } + if (conf->verify) { + + if (conf->client_certificate.len == 0 && conf->verify != 3) { + ngx_log_error(NGX_LOG_EMERG, cf->log, 0, + "no ssl_client_certificate for ssl_client_verify"); + return NGX_CONF_ERROR; + } + + if (ngx_ssl_client_certificate(cf, &conf->ssl, + &conf->client_certificate, + conf->verify_depth) + != NGX_OK) + { + return NGX_CONF_ERROR; + } + } + + if (ngx_ssl_trusted_certificate(cf, &conf->ssl, + &conf->trusted_certificate, + conf->verify_depth) + != NGX_OK) + { + return NGX_CONF_ERROR; + } + + if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) { + return NGX_CONF_ERROR; + } + if (conf->prefer_server_ciphers) { SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); } diff -r 4dee5ad51e9e -r 0a3fd2d54154 src/mail/ngx_mail_ssl_module.h --- a/src/mail/ngx_mail_ssl_module.h Thu Feb 20 13:48:40 2014 +0400 +++ b/src/mail/ngx_mail_ssl_module.h Fri Jan 24 16:26:16 2014 +0100 @@ -28,6 +28,8 @@ typedef struct { ngx_uint_t starttls; ngx_uint_t protocols; + ngx_uint_t verify; + ngx_uint_t verify_depth; ssize_t builtin_session_cache; time_t session_timeout; @@ -36,6 +38,9 @@ typedef struct { ngx_str_t certificate_key; ngx_str_t dhparam; ngx_str_t ecdh_curve; + ngx_str_t client_certificate; + ngx_str_t trusted_certificate; + ngx_str_t crl; ngx_str_t ciphers; From flevionnois at gmail.com Fri Feb 21 11:46:10 2014 
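Review bot: the error message in the ngx_mail_ssl_merge_conf() hunk reads "no ssl_client_certificate for ssl_client_verify", but the directive this patch adds is ssl_verify_client; an operator grepping their config for the name printed in the log will not find it. The `conf->verify != 3` exemption also compares a bare number; a comment mapping it to the optional_no_ca entry of ngx_mail_ssl_verify[] (or a named constant) would keep this check and the matching one in ngx_mail_ssl_handshake_handler() readable together.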
From: flevionnois at gmail.com (Franck Levionnois) Date: Fri, 21 Feb 2014 12:46:10 +0100 Subject: [PATCH] Mail: added support for SSL client certificate In-Reply-To: <0a3fd2d54154c3d56131.1392977483@FLEVIONNOIS2.dictao.com> References: <0a3fd2d54154c3d56131.1392977483@FLEVIONNOIS2.dictao.com> Message-ID: Hello, I've forgotten to use the raw certificate and escape it. I'll re-submit Thanks to Filipe for the review. Franck. 2014-02-21 11:11 GMT+01:00 : > # HG changeset patch > # User Franck Levionnois > # Date 1390577176 -3600 > # Fri Jan 24 16:26:16 2014 +0100 > # Node ID 0a3fd2d54154c3d56131ee5053df0939db32d7b4 > # Parent 4dee5ad51e9e5b49085011e8785001e2d6c02b0d > Mail: added support for SSL client certificate. > > Add support for SSL Mutual Authentification like in mail module. > > Added mail configuration directives (like http): > ssl_verify_client, ssl_verify_depth, ssl_client_certificate, > ssl_trusted_certificate, ssl_crl. > > Added http auth headers: > Auth-Certificate, Auth-Verify, Auth-Issuer-DN, Auth-Subject-DN, > Auth-Subject-Serial. > > diff -r 4dee5ad51e9e -r 0a3fd2d54154 src/mail/ngx_mail_auth_http_module.c > --- a/src/mail/ngx_mail_auth_http_module.c Thu Feb 20 13:48:40 2014 > +0400 > +++ b/src/mail/ngx_mail_auth_http_module.c Fri Jan 24 16:26:16 2014 > +0100 > @@ -1143,6 +1143,9 @@ ngx_mail_auth_http_create_request(ngx_ma > size_t len; > ngx_buf_t *b; > ngx_str_t login, passwd; > +#if (NGX_MAIL_SSL) > + ngx_str_t cert, verify, subject, issuer, serial; > +#endif > ngx_mail_core_srv_conf_t *cscf; > > if (ngx_mail_auth_http_escape(pool, &s->login, &login) != NGX_OK) { 
> @@ -1155,6 +1158,41 @@ ngx_mail_auth_http_create_request(ngx_ma > > cscf = ngx_mail_get_module_srv_conf(s, ngx_mail_core_module); > > +#if (NGX_MAIL_SSL) > + if (s->connection->ssl) { > + if (ngx_ssl_get_client_verify(s->connection, pool, &verify) != > NGX_OK) > + { > + return NULL; > + } > + > + if (ngx_ssl_get_subject_dn(s->connection, pool, > + &subject) != NGX_OK) { > + return NULL; > + } > + > + if (ngx_ssl_get_issuer_dn(s->connection, pool, > + &issuer) != NGX_OK) { > + return NULL; > + } > + > + if (ngx_ssl_get_serial_number(s->connection, pool, > + &serial) != NGX_OK) { > + return NULL; > + } > + > + if (ngx_ssl_get_certificate(s->connection, pool, > + &cert) != NGX_OK) { > + return NULL; > + } > + } else { > + verify.len = 0; > + issuer.len = 0; > + subject.len = 0; > + serial.len = 0; > + cert.len = 0; > + } > +#endif > + > len = sizeof("GET ") - 1 + ahcf->uri.len + sizeof(" HTTP/1.0" CRLF) - > 1 > + sizeof("Host: ") - 1 + ahcf->host_header.len + sizeof(CRLF) - > 1 > + sizeof("Auth-Method: ") - 1 > @@ -1163,6 +1201,14 @@ ngx_mail_auth_http_create_request(ngx_ma > + sizeof("Auth-User: ") - 1 + login.len + sizeof(CRLF) - 1 > + sizeof("Auth-Pass: ") - 1 + passwd.len + sizeof(CRLF) - 1 > + sizeof("Auth-Salt: ") - 1 + s->salt.len > +#if (NGX_MAIL_SSL) > + + sizeof("Auth-Certificate: ") - 1 + cert.len + sizeof(CRLF) - 1 > + + sizeof("Auth-Verify: ") - 1 + verify.len + sizeof(CRLF) - 1 > + + sizeof("Auth-Issuer-DN: ") - 1 + issuer.len + sizeof(CRLF) - 1 > + + sizeof("Auth-Subject-DN: ") - 1 + subject.len + sizeof(CRLF) > - 1 > + + sizeof("Auth-Subject-Serial: ") - 1 + serial.len > + + sizeof(CRLF) - 1 > +#endif > + sizeof("Auth-Protocol: ") - 1 + cscf->protocol->name.len > + sizeof(CRLF) - 1 > + sizeof("Auth-Login-Attempt: ") - 1 + NGX_INT_T_LEN 
> @@ -1213,6 +1259,44 @@ ngx_mail_auth_http_create_request(ngx_ma > s->passwd.data = NULL; > } > > +#if (NGX_MAIL_SSL) > + if (cert.len) { > + b->last = ngx_cpymem(b->last, "Auth-Certificate: ", > + sizeof("Auth-Certificate: ") - 1); > + b->last = ngx_copy(b->last, cert.data, cert.len); > + *b->last++ = CR; *b->last++ = LF; > + } > + > + if (verify.len) { > + b->last = ngx_cpymem(b->last, "Auth-Verify: ", > + sizeof("Auth-Verify: ") - 1); > + b->last = ngx_copy(b->last, verify.data, verify.len); > + *b->last++ = CR; *b->last++ = LF; > + } > + > + if (issuer.len) { > + b->last = ngx_cpymem(b->last, "Auth-Issuer-DN: ", > + sizeof("Auth-Issuer-DN: ") - 1); > + b->last = ngx_copy(b->last, issuer.data, issuer.len); > + *b->last++ = CR; *b->last++ = LF; > + } > + > + if (subject.len) { > + b->last = ngx_cpymem(b->last, "Auth-Subject-DN: ", > + sizeof("Auth-Subject-DN: ") - 1); > + b->last = ngx_copy(b->last, subject.data, subject.len); > + *b->last++ = CR; *b->last++ = LF; > + } > + > + if (serial.len) { > + b->last = ngx_cpymem(b->last, "Auth-Subject-Serial: ", > + sizeof("Auth-Subject-Serial: ") - 1); > + b->last = ngx_copy(b->last, serial.data, serial.len); > + *b->last++ = CR; *b->last++ = LF; > + } > + > +#endif > + > b->last = ngx_cpymem(b->last, "Auth-Protocol: ", > sizeof("Auth-Protocol: ") - 1); > b->last = ngx_cpymem(b->last, cscf->protocol->name.data, > diff -r 4dee5ad51e9e -r 0a3fd2d54154 src/mail/ngx_mail_handler.c > --- a/src/mail/ngx_mail_handler.c Thu Feb 20 13:48:40 2014 +0400 > +++ b/src/mail/ngx_mail_handler.c Fri Jan 24 16:26:16 2014 +0100 
> @@ -236,11 +236,60 @@ ngx_mail_ssl_handshake_handler(ngx_conne > { > ngx_mail_session_t *s; > ngx_mail_core_srv_conf_t *cscf; > +#if (NGX_MAIL_SSL) > + ngx_mail_ssl_conf_t *sslcf; > +#endif > + > + ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0, > + "ngx_mail_ssl_handshake_handler handshaked: %d", > + c->ssl->handshaked); > > if (c->ssl->handshaked) { > > s = c->data; > > +#if (NGX_MAIL_SSL) > + sslcf = ngx_mail_get_module_srv_conf(s, ngx_mail_ssl_module); > + if (sslcf->verify) { > + long rc; > + > + rc = SSL_get_verify_result(c->ssl->connection); > + > + if (rc != X509_V_OK > + && (sslcf->verify != 3 || > !ngx_ssl_verify_error_optional(rc))) > + { > + ngx_log_error(NGX_LOG_INFO, c->log, 0, > + "client SSL certificate verify error: > (%l:%s)", > + rc, X509_verify_cert_error_string(rc)); > + > + ngx_ssl_remove_cached_session(sslcf->ssl.ctx, > + > (SSL_get0_session(c->ssl->connection))); > + > + ngx_mail_close_connection(c); > + return; > + } > + > + if (sslcf->verify == 1) { > + X509 *cert; > + cert = SSL_get_peer_certificate(c->ssl->connection); > + > + if (cert == NULL) { > + ngx_log_error(NGX_LOG_INFO, c->log, 0, > + "client sent no required SSL > certificate"); > + > + ngx_ssl_remove_cached_session(sslcf->ssl.ctx, > + > (SSL_get0_session(c->ssl->connection))); > + > + ngx_mail_close_connection(c); > + return; > + } > + > + X509_free(cert); > + } > + } > + > +#endif > + > if (s->starttls) { > cscf = ngx_mail_get_module_srv_conf(s, ngx_mail_core_module); > > diff -r 4dee5ad51e9e -r 0a3fd2d54154 src/mail/ngx_mail_ssl_module.c > --- a/src/mail/ngx_mail_ssl_module.c Thu Feb 20 13:48:40 2014 +0400 > +++ b/src/mail/ngx_mail_ssl_module.c Fri Jan 24 16:26:16 2014 +0100 
> @@ -43,6 +43,14 @@ static ngx_conf_bitmask_t ngx_mail_ssl_ > { ngx_null_string, 0 } > }; > > +static ngx_conf_enum_t ngx_mail_ssl_verify[] = { > + { ngx_string("off"), 0 }, > + { ngx_string("on"), 1 }, > + { ngx_string("optional"), 2 }, > + { ngx_string("optional_no_ca"), 3 }, > + { ngx_null_string, 0 } > +}; > + > > static ngx_command_t ngx_mail_ssl_commands[] = { > > @@ -102,6 +110,34 @@ static ngx_command_t ngx_mail_ssl_comma > offsetof(ngx_mail_ssl_conf_t, ciphers), > NULL }, > > + { ngx_string("ssl_verify_client"), > + NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, > + ngx_conf_set_enum_slot, > + NGX_MAIL_SRV_CONF_OFFSET, > + offsetof(ngx_mail_ssl_conf_t, verify), > + &ngx_mail_ssl_verify }, > + > + { ngx_string("ssl_verify_depth"), > + NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, > + ngx_conf_set_num_slot, > + NGX_MAIL_SRV_CONF_OFFSET, > + offsetof(ngx_mail_ssl_conf_t, verify_depth), > + NULL }, > + > + { ngx_string("ssl_client_certificate"), > + NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, > + ngx_conf_set_str_slot, > + NGX_MAIL_SRV_CONF_OFFSET, > + offsetof(ngx_mail_ssl_conf_t, client_certificate), > + NULL }, > + > + { ngx_string("ssl_trusted_certificate"), > + NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, > + ngx_conf_set_str_slot, > + NGX_MAIL_SRV_CONF_OFFSET, > + offsetof(ngx_mail_ssl_conf_t, trusted_certificate), > + NULL }, > + > { ngx_string("ssl_prefer_server_ciphers"), > NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG, > ngx_conf_set_flag_slot, > @@ -137,6 +173,13 @@ static ngx_command_t ngx_mail_ssl_comma > offsetof(ngx_mail_ssl_conf_t, session_timeout), > NULL }, > > + { ngx_string("ssl_crl"), > + NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, > + ngx_conf_set_str_slot, > + NGX_MAIL_SRV_CONF_OFFSET, > + offsetof(ngx_mail_ssl_conf_t, crl), > + NULL }, > + > ngx_null_command > }; 
> > @@ -189,6 +232,9 @@ ngx_mail_ssl_create_conf(ngx_conf_t *cf) > * scf->certificate_key = { 0, NULL }; > * scf->dhparam = { 0, NULL }; > * scf->ecdh_curve = { 0, NULL }; > + * scf->client_certificate = { 0, NULL }; > + * scf->trusted_certificate = { 0, NULL }; > + * scf->crl = { 0, NULL }; > * scf->ciphers = { 0, NULL }; > * scf->shm_zone = NULL; > */ > @@ -196,6 +242,8 @@ ngx_mail_ssl_create_conf(ngx_conf_t *cf) > scf->enable = NGX_CONF_UNSET; > scf->starttls = NGX_CONF_UNSET_UINT; > scf->prefer_server_ciphers = NGX_CONF_UNSET; > + scf->verify = NGX_CONF_UNSET_UINT; > + scf->verify_depth = NGX_CONF_UNSET_UINT; > scf->builtin_session_cache = NGX_CONF_UNSET; > scf->session_timeout = NGX_CONF_UNSET; > scf->session_tickets = NGX_CONF_UNSET; > @@ -228,11 +276,20 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, > (NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3|NGX_SSL_TLSv1 > |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2)); > > + ngx_conf_merge_uint_value(conf->verify, prev->verify, 0); > + ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1); > + > ngx_conf_merge_str_value(conf->certificate, prev->certificate, ""); > ngx_conf_merge_str_value(conf->certificate_key, > prev->certificate_key, ""); > > ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, ""); > > + ngx_conf_merge_str_value(conf->client_certificate, > prev->client_certificate, > + ""); > + ngx_conf_merge_str_value(conf->trusted_certificate, > + prev->trusted_certificate, ""); > + ngx_conf_merge_str_value(conf->crl, prev->crl, ""); > + > ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve, > NGX_DEFAULT_ECDH_CURVE); 
> > @@ -318,6 +375,35 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, > return NGX_CONF_ERROR; > } > > + if (conf->verify) { > + > + if (conf->client_certificate.len == 0 && conf->verify != 3) { > + ngx_log_error(NGX_LOG_EMERG, cf->log, 0, > + "no ssl_client_certificate for > ssl_client_verify"); > + return NGX_CONF_ERROR; > + } > + > + if (ngx_ssl_client_certificate(cf, &conf->ssl, > + &conf->client_certificate, > + conf->verify_depth) > + != NGX_OK) > + { > + return NGX_CONF_ERROR; > + } > + } > + > + if (ngx_ssl_trusted_certificate(cf, &conf->ssl, > + &conf->trusted_certificate, > + conf->verify_depth) > + != NGX_OK) > + { > + return NGX_CONF_ERROR; > + } > + > + if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) { > + return NGX_CONF_ERROR; > + } > + > if (conf->prefer_server_ciphers) { > SSL_CTX_set_options(conf->ssl.ctx, > SSL_OP_CIPHER_SERVER_PREFERENCE); > } > diff -r 4dee5ad51e9e -r 0a3fd2d54154 src/mail/ngx_mail_ssl_module.h > --- a/src/mail/ngx_mail_ssl_module.h Thu Feb 20 13:48:40 2014 +0400 > +++ b/src/mail/ngx_mail_ssl_module.h Fri Jan 24 16:26:16 2014 +0100 > @@ -28,6 +28,8 @@ typedef struct { > ngx_uint_t starttls; > ngx_uint_t protocols; > > + ngx_uint_t verify; > + ngx_uint_t verify_depth; > ssize_t builtin_session_cache; > > time_t session_timeout; > @@ -36,6 +38,9 @@ typedef struct { > ngx_str_t certificate_key; > ngx_str_t dhparam; > ngx_str_t ecdh_curve; > + ngx_str_t client_certificate; > + ngx_str_t trusted_certificate; > + ngx_str_t crl; > > ngx_str_t ciphers; > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From flevionnois at gmail.com Fri Feb 21 11:48:48 2014 
From: flevionnois at gmail.com (flevionnois at gmail.com) Date: Fri, 21 Feb 2014 12:48:48 +0100 Subject: [PATCH] Mail: added support for SSL client certificate In-Reply-To: References: Message-ID: <5c7ccfc96070fc8b5d77.1392983328@FLEVIONNOIS2.dictao.com> # HG changeset patch # User Franck Levionnois # Date 1390577176 -3600 # Fri Jan 24 16:26:16 2014 +0100 # Node ID 5c7ccfc96070fc8b5d775643d1e12c4e5a8b438f # Parent 4dee5ad51e9e5b49085011e8785001e2d6c02b0d Mail: added support for SSL client certificate. Add support for SSL Mutual Authentification like in mail module. Added mail configuration directives (like http): ssl_verify_client, ssl_verify_depth, ssl_client_certificate, ssl_trusted_certificate, ssl_crl. Added http auth headers: Auth-Certificate, Auth-Verify, Auth-Issuer-DN, Auth-Subject-DN, Auth-Subject-Serial. diff -r 4dee5ad51e9e -r 5c7ccfc96070 src/mail/ngx_mail_auth_http_module.c --- a/src/mail/ngx_mail_auth_http_module.c Thu Feb 20 13:48:40 2014 +0400 +++ b/src/mail/ngx_mail_auth_http_module.c Fri Jan 24 16:26:16 2014 +0100 @@ -1143,6 +1143,9 @@ ngx_mail_auth_http_create_request(ngx_ma size_t len; ngx_buf_t *b; ngx_str_t login, passwd; +#if (NGX_MAIL_SSL) + ngx_str_t cert, rawcert, verify, subject, issuer, serial; +#endif ngx_mail_core_srv_conf_t *cscf; if (ngx_mail_auth_http_escape(pool, &s->login, &login) != NGX_OK) { 
@@ -1155,6 +1158,45 @@ ngx_mail_auth_http_create_request(ngx_ma cscf = ngx_mail_get_module_srv_conf(s, ngx_mail_core_module); +#if (NGX_MAIL_SSL) + if (s->connection->ssl) { + if (ngx_ssl_get_client_verify(s->connection, pool, &verify) != NGX_OK) + { + return NULL; + } + + if (ngx_ssl_get_subject_dn(s->connection, pool, + &subject) != NGX_OK) { + return NULL; + } + + if (ngx_ssl_get_issuer_dn(s->connection, pool, + &issuer) != NGX_OK) { + return NULL; + } + + if (ngx_ssl_get_serial_number(s->connection, pool, + &serial) != NGX_OK) { + return NULL; + } + + if (ngx_ssl_get_raw_certificate(s->connection, pool, + &rawcert) != NGX_OK) { + return NULL; + } + + if (ngx_mail_auth_http_escape(pool, &rawcert, &cert) != NGX_OK) { + return NULL; + } + } else { + verify.len = 0; + issuer.len = 0; + subject.len = 0; + serial.len = 0; + cert.len = 0; + } +#endif + len = sizeof("GET ") - 1 + ahcf->uri.len + sizeof(" HTTP/1.0" CRLF) - 1 + sizeof("Host: ") - 1 + ahcf->host_header.len + sizeof(CRLF) - 1 + sizeof("Auth-Method: ") - 1 @@ -1163,6 +1205,14 @@ ngx_mail_auth_http_create_request(ngx_ma + sizeof("Auth-User: ") - 1 + login.len + sizeof(CRLF) - 1 + sizeof("Auth-Pass: ") - 1 + passwd.len + sizeof(CRLF) - 1 + sizeof("Auth-Salt: ") - 1 + s->salt.len +#if (NGX_MAIL_SSL) + + sizeof("Auth-Certificate: ") - 1 + cert.len + sizeof(CRLF) - 1 + + sizeof("Auth-Verify: ") - 1 + verify.len + sizeof(CRLF) - 1 + + sizeof("Auth-Issuer-DN: ") - 1 + issuer.len + sizeof(CRLF) - 1 + + sizeof("Auth-Subject-DN: ") - 1 + subject.len + sizeof(CRLF) - 1 + + sizeof("Auth-Subject-Serial: ") - 1 + serial.len + + sizeof(CRLF) - 1 +#endif + sizeof("Auth-Protocol: ") - 1 + cscf->protocol->name.len + sizeof(CRLF) - 1 + sizeof("Auth-Login-Attempt: ") - 1 + NGX_INT_T_LEN 
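Review bot: this revision fixes the earlier header-corruption problem by fetching the raw certificate and running it through ngx_mail_auth_http_escape(). The commit message should state that Auth-Certificate carries a URL-escaped PEM blob which the auth server has to percent-decode before parsing, and that an escaped certificate typically adds a few kilobytes to every auth request, so backends and any intermediate proxies must accept headers of that size (the `len` computation in the following hunk does account for cert.len on the nginx side).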
@@ -1213,6 +1263,44 @@ ngx_mail_auth_http_create_request(ngx_ma s->passwd.data = NULL; } +#if (NGX_MAIL_SSL) + if (cert.len) { + b->last = ngx_cpymem(b->last, "Auth-Certificate: ", + sizeof("Auth-Certificate: ") - 1); + b->last = ngx_copy(b->last, cert.data, cert.len); + *b->last++ = CR; *b->last++ = LF; + } + + if (verify.len) { + b->last = ngx_cpymem(b->last, "Auth-Verify: ", + sizeof("Auth-Verify: ") - 1); + b->last = ngx_copy(b->last, verify.data, verify.len); + *b->last++ = CR; *b->last++ = LF; + } + + if (issuer.len) { + b->last = ngx_cpymem(b->last, "Auth-Issuer-DN: ", + sizeof("Auth-Issuer-DN: ") - 1); + b->last = ngx_copy(b->last, issuer.data, issuer.len); + *b->last++ = CR; *b->last++ = LF; + } + + if (subject.len) { + b->last = ngx_cpymem(b->last, "Auth-Subject-DN: ", + sizeof("Auth-Subject-DN: ") - 1); + b->last = ngx_copy(b->last, subject.data, subject.len); + *b->last++ = CR; *b->last++ = LF; + } + + if (serial.len) { + b->last = ngx_cpymem(b->last, "Auth-Subject-Serial: ", + sizeof("Auth-Subject-Serial: ") - 1); + b->last = ngx_copy(b->last, serial.data, serial.len); + *b->last++ = CR; *b->last++ = LF; + } + +#endif + b->last = ngx_cpymem(b->last, "Auth-Protocol: ", sizeof("Auth-Protocol: ") - 1); b->last = ngx_cpymem(b->last, cscf->protocol->name.data, diff -r 4dee5ad51e9e -r 5c7ccfc96070 src/mail/ngx_mail_handler.c --- a/src/mail/ngx_mail_handler.c Thu Feb 20 13:48:40 2014 +0400 +++ b/src/mail/ngx_mail_handler.c Fri Jan 24 16:26:16 2014 +0100 
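Review bot: the Auth-Subject-DN, Auth-Issuer-DN and Auth-Subject-Serial headers are emitted whenever the client presented a certificate, independently of the verification result; with ssl_verify_client optional_no_ca the handshake handler deliberately lets verification failures through, so a backend can receive a failed Auth-Verify next to a perfectly normal-looking DN. The documentation for these headers must say that Auth-Verify has to be checked (expecting SUCCESS) before any identity is derived from the DN or serial, in the same way the http module's $ssl_client_verify is meant to be used.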
@@ -236,11 +236,60 @@ ngx_mail_ssl_handshake_handler(ngx_conne { ngx_mail_session_t *s; ngx_mail_core_srv_conf_t *cscf; +#if (NGX_MAIL_SSL) + ngx_mail_ssl_conf_t *sslcf; +#endif + + ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0, + "ngx_mail_ssl_handshake_handler handshaked: %d", + c->ssl->handshaked); if (c->ssl->handshaked) { s = c->data; +#if (NGX_MAIL_SSL) + sslcf = ngx_mail_get_module_srv_conf(s, ngx_mail_ssl_module); + if (sslcf->verify) { + long rc; + + rc = SSL_get_verify_result(c->ssl->connection); + + if (rc != X509_V_OK + && (sslcf->verify != 3 || !ngx_ssl_verify_error_optional(rc))) + { + ngx_log_error(NGX_LOG_INFO, c->log, 0, + "client SSL certificate verify error: (%l:%s)", + rc, X509_verify_cert_error_string(rc)); + + ngx_ssl_remove_cached_session(sslcf->ssl.ctx, + (SSL_get0_session(c->ssl->connection))); + + ngx_mail_close_connection(c); + return; + } + + if (sslcf->verify == 1) { + X509 *cert; + cert = SSL_get_peer_certificate(c->ssl->connection); + + if (cert == NULL) { + ngx_log_error(NGX_LOG_INFO, c->log, 0, + "client sent no required SSL certificate"); + + ngx_ssl_remove_cached_session(sslcf->ssl.ctx, + (SSL_get0_session(c->ssl->connection))); + + ngx_mail_close_connection(c); + return; + } + + X509_free(cert); + } + } + +#endif + if (s->starttls) { cscf = ngx_mail_get_module_srv_conf(s, ngx_mail_core_module); diff -r 4dee5ad51e9e -r 5c7ccfc96070 src/mail/ngx_mail_ssl_module.c --- a/src/mail/ngx_mail_ssl_module.c Thu Feb 20 13:48:40 2014 +0400 +++ b/src/mail/ngx_mail_ssl_module.c Fri Jan 24 16:26:16 2014 +0100 @@ -43,6 +43,14 @@ static ngx_conf_bitmask_t ngx_mail_ssl_ { ngx_null_string, 0 } }; +static ngx_conf_enum_t ngx_mail_ssl_verify[] = { + { ngx_string("off"), 0 }, + { ngx_string("on"), 1 }, + { ngx_string("optional"), 2 }, + { ngx_string("optional_no_ca"), 3 }, + { ngx_null_string, 0 } +}; + static ngx_command_t ngx_mail_ssl_commands[] = { 
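Review bot: the new `#if (NGX_MAIL_SSL)` guards inside ngx_mail_ssl_handshake_handler() are redundant: the function dereferences c->ssl->handshaked outside them, so it cannot be compiled without NGX_MAIL_SSL, and the guards only suggest otherwise. The verification logic mirrors the http module (any error is fatal for on and optional, only optional errors are tolerated for optional_no_ca, and a missing certificate is fatal only for on), but `sslcf->verify == 1` and `!= 3` are bare numbers; comment them with the names from ngx_mail_ssl_verify[]. Removing the cached session before closing the connection on a verify failure is the right call, since otherwise a resumed session could skip the check.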
@@ -102,6 +110,34 @@ static ngx_command_t ngx_mail_ssl_comma offsetof(ngx_mail_ssl_conf_t, ciphers), NULL }, + { ngx_string("ssl_verify_client"), + NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, + ngx_conf_set_enum_slot, + NGX_MAIL_SRV_CONF_OFFSET, + offsetof(ngx_mail_ssl_conf_t, verify), + &ngx_mail_ssl_verify }, + + { ngx_string("ssl_verify_depth"), + NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, + ngx_conf_set_num_slot, + NGX_MAIL_SRV_CONF_OFFSET, + offsetof(ngx_mail_ssl_conf_t, verify_depth), + NULL }, + + { ngx_string("ssl_client_certificate"), + NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, + ngx_conf_set_str_slot, + NGX_MAIL_SRV_CONF_OFFSET, + offsetof(ngx_mail_ssl_conf_t, client_certificate), + NULL }, + + { ngx_string("ssl_trusted_certificate"), + NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, + ngx_conf_set_str_slot, + NGX_MAIL_SRV_CONF_OFFSET, + offsetof(ngx_mail_ssl_conf_t, trusted_certificate), + NULL }, + { ngx_string("ssl_prefer_server_ciphers"), NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG, ngx_conf_set_flag_slot, @@ -137,6 +173,13 @@ static ngx_command_t ngx_mail_ssl_comma offsetof(ngx_mail_ssl_conf_t, session_timeout), NULL }, + { ngx_string("ssl_crl"), + NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, + ngx_conf_set_str_slot, + NGX_MAIL_SRV_CONF_OFFSET, + offsetof(ngx_mail_ssl_conf_t, crl), + NULL }, + ngx_null_command }; @@ -189,6 +232,9 @@ ngx_mail_ssl_create_conf(ngx_conf_t *cf) * scf->certificate_key = { 0, NULL }; * scf->dhparam = { 0, NULL }; * scf->ecdh_curve = { 0, NULL }; + * scf->client_certificate = { 0, NULL }; + * scf->trusted_certificate = { 0, NULL }; + * scf->crl = { 0, NULL }; * scf->ciphers = { 0, NULL }; * scf->shm_zone = NULL; */ 
@@ -196,6 +242,8 @@ ngx_mail_ssl_create_conf(ngx_conf_t *cf) scf->enable = NGX_CONF_UNSET; scf->starttls = NGX_CONF_UNSET_UINT; scf->prefer_server_ciphers = NGX_CONF_UNSET; + scf->verify = NGX_CONF_UNSET_UINT; + scf->verify_depth = NGX_CONF_UNSET_UINT; scf->builtin_session_cache = NGX_CONF_UNSET; scf->session_timeout = NGX_CONF_UNSET; scf->session_tickets = NGX_CONF_UNSET; @@ -228,11 +276,20 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, (NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3|NGX_SSL_TLSv1 |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2)); + ngx_conf_merge_uint_value(conf->verify, prev->verify, 0); + ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1); + ngx_conf_merge_str_value(conf->certificate, prev->certificate, ""); ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, ""); ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, ""); + ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate, + ""); + ngx_conf_merge_str_value(conf->trusted_certificate, + prev->trusted_certificate, ""); + ngx_conf_merge_str_value(conf->crl, prev->crl, ""); + ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve, NGX_DEFAULT_ECDH_CURVE); 
@@ -318,6 +375,35 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, return NGX_CONF_ERROR; } + if (conf->verify) { + + if (conf->client_certificate.len == 0 && conf->verify != 3) { + ngx_log_error(NGX_LOG_EMERG, cf->log, 0, + "no ssl_client_certificate for ssl_client_verify"); + return NGX_CONF_ERROR; + } + + if (ngx_ssl_client_certificate(cf, &conf->ssl, + &conf->client_certificate, + conf->verify_depth) + != NGX_OK) + { + return NGX_CONF_ERROR; + } + } + + if (ngx_ssl_trusted_certificate(cf, &conf->ssl, + &conf->trusted_certificate, + conf->verify_depth) + != NGX_OK) + { + return NGX_CONF_ERROR; + } + + if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) { + return NGX_CONF_ERROR; + } + if (conf->prefer_server_ciphers) { SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); } diff -r 4dee5ad51e9e -r 5c7ccfc96070 src/mail/ngx_mail_ssl_module.h --- a/src/mail/ngx_mail_ssl_module.h Thu Feb 20 13:48:40 2014 +0400 +++ b/src/mail/ngx_mail_ssl_module.h Fri Jan 24 16:26:16 2014 +0100 @@ -28,6 +28,8 @@ typedef struct { ngx_uint_t starttls; ngx_uint_t protocols; + ngx_uint_t verify; + ngx_uint_t verify_depth; ssize_t builtin_session_cache; time_t session_timeout; @@ -36,6 +38,9 @@ typedef struct { ngx_str_t certificate_key; ngx_str_t dhparam; ngx_str_t ecdh_curve; + ngx_str_t client_certificate; + ngx_str_t trusted_certificate; + ngx_str_t crl; ngx_str_t ciphers; From flygoast at 126.com Fri Feb 21 16:40:35 2014 
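Review bot: in the ngx_mail_auth_http_create_request() hunk, cert, verify, issuer, subject and serial are copied into b with ngx_copy() and no bound on their lengths is visible; the length calculation that sizes b precedes this block and is not part of the hunk, so confirm it was extended by exactly these five values plus their header names and CRLFs, because otherwise a peer-supplied certificate decides how far b->last runs past the allocation. Separately, Auth-Certificate copies cert.data verbatim: if that value is PEM text with line breaks, the header is split across lines and the auth server may misparse it, so fold or escape it before the copy.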
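Review bot: the inner #if (NGX_MAIL_SSL) guards in the ngx_mail_ssl_handshake_handler() hunk are redundant: the function dereferences c->ssl->handshaked outside them, so it already cannot compile without SSL support; drop them. Minor style point in the same hunk: `X509 *cert;` is declared mid-block and followed directly by code, whereas the surrounding file declares at the top of the function with a blank line after the declarations.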
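Review bot: the error text in the ngx_mail_ssl_merge_conf() hunk, "no ssl_client_certificate for ssl_client_verify", names a directive that does not exist; the directive this patch adds is ssl_verify_client, and an admin searching the configuration for the logged name will not find it. Also, ngx_ssl_trusted_certificate() and ngx_ssl_crl() run whether or not conf->verify is set, so a configured ssl_crl is loaded even with verification off; if that mirrors the http module on purpose, a short comment would save the next reader the question.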
From: flygoast at 126.com (flygoast) Date: Sat, 22 Feb 2014 00:40:35 +0800 (CST) Subject: [PATCH]Fixed segmentation fault with error_page for 400 to named location Message-ID: <217839e1.12853.1445551e808.Coremail.flygoast@126.com> # HG changeset patch # User FengGu # Date 1392981015 -28800 # Fri Feb 21 19:10:15 2014 +0800 # Node ID 2dd8fd75f1646336b21cb2f4506f1d45b8771e56 # Parent 545a4d393e2fb8d5448dad89d25a110fa72e71d1 Fixed segmentation fault with error_page for 400 to named location When using error_page for code 400 to named location, the bad request's uri would be { 0, NULL }, it would result in segmentation fault in ngx_http_index_handler() and so on. diff -r 545a4d393e2f -r 2dd8fd75f164 src/http/ngx_http_core_module.c --- a/src/http/ngx_http_core_module.c Thu Feb 20 17:27:09 2014 +0400 +++ b/src/http/ngx_http_core_module.c Fri Feb 21 19:10:15 2014 +0800 @@ -2651,6 +2651,12 @@ "using location: %V \"%V?%V\"", name, &r->uri, &r->args); + if (r->uri.len == 0) { + ngx_log_error(NGX_LOG_INFO, r->connection->log, 0, + "using \"/\" as uri for bad request"); + ngx_str_set(&r->uri, "/"); + } + r->internal = 1; r->content_handler = NULL; r->uri_changed = 0; -------------- next part -------------- An HTML attachment was scrubbed... URL: From mdounin at mdounin.ru Fri Feb 21 17:37:54 2014 
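Review bot: rewriting an empty r->uri to "/" in the ngx_http_core_module.c hunk silently converts a request nginx has already rejected as malformed into an ordinary request for "/" inside the named location, and the NGX_LOG_INFO message will rarely be seen; since the URI drives index and static-file lookups downstream, refusing to continue (and logging at error level so the "error_page 400 @name" misconfiguration gets noticed) is safer than inventing a path.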
From: mdounin at mdounin.ru (Maxim Dounin) Date: Fri, 21 Feb 2014 21:37:54 +0400 Subject: [PATCH]Fixed segmentation fault with error_page for 400 to named location In-Reply-To: <217839e1.12853.1445551e808.Coremail.flygoast@126.com> References: <217839e1.12853.1445551e808.Coremail.flygoast@126.com> Message-ID: <20140221173753.GL33573@mdounin.ru> Hello! On Sat, Feb 22, 2014 at 12:40:35AM +0800, flygoast wrote: > # HG changeset patch > > # User FengGu > # Date 1392981015 -28800 > # Fri Feb 21 19:10:15 2014 +0800 > # Node ID 2dd8fd75f1646336b21cb2f4506f1d45b8771e56 > # Parent 545a4d393e2fb8d5448dad89d25a110fa72e71d1 > Fixed segmentation fault with error_page for 400 to named location > > > When using error_page for code 400 to named location, the bad request's uri > would be { 0, NULL }, it would result in segmentation fault in > ngx_http_index_handler() and so on. > > > diff -r 545a4d393e2f -r 2dd8fd75f164 src/http/ngx_http_core_module.c > --- a/src/http/ngx_http_core_module.c Thu Feb 20 17:27:09 2014 +0400 > +++ b/src/http/ngx_http_core_module.c Fri Feb 21 19:10:15 2014 +0800 > @@ -2651,6 +2651,12 @@ > "using location: %V \"%V?%V\"", > name, &r->uri, &r->args); > > > + if (r->uri.len == 0) { > + ngx_log_error(NGX_LOG_INFO, r->connection->log, 0, > + "using \"/\" as uri for bad request"); > + ngx_str_set(&r->uri, "/"); > + } > + > r->internal = 1; > r->content_handler = NULL; > r->uri_changed = 0; This doesn't look like a good solution. I would rather return an error in such a case. -- Maxim Dounin http://nginx.org/ From ru at nginx.com Sat Feb 22 08:09:29 2014
From: ru at nginx.com (Ruslan Ermilov) Date: Sat, 22 Feb 2014 08:09:29 +0000 Subject: [nginx] Core: allocate enough memory to hold IPv6 text address p... Message-ID: details: http://hg.nginx.org/nginx/rev/f47c844acbd4 branches: changeset: 5583:f47c844acbd4 user: Ruslan Ermilov date: Sat Feb 22 12:08:31 2014 +0400 description: Core: allocate enough memory to hold IPv6 text address plus port. diffstat: src/core/ngx_connection.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diffs (12 lines): diff -r 545a4d393e2f -r f47c844acbd4 src/core/ngx_connection.c --- a/src/core/ngx_connection.c Thu Feb 20 17:27:09 2014 +0400 +++ b/src/core/ngx_connection.c Sat Feb 22 12:08:31 2014 +0400 @@ -129,7 +129,7 @@ ngx_set_inherited_sockets(ngx_cycle_t *c #if (NGX_HAVE_INET6) case AF_INET6: ls[i].addr_text_max_len = NGX_INET6_ADDRSTRLEN; - len = NGX_INET6_ADDRSTRLEN + sizeof(":65535") - 1; + len = NGX_INET6_ADDRSTRLEN + sizeof("[]:65535") - 1; break; #endif From flygoast at 126.com Mon Feb 24 03:10:50 2014 From: flygoast at 126.com (flygoast) Date: Mon, 24 Feb 2014 11:10:50 +0800 (CST) Subject: [PATCH]Fixed segmentation fault with error_page for 400 to named location In-Reply-To: <20140221173753.GL33573@mdounin.ru> References: <217839e1.12853.1445551e808.Coremail.flygoast@126.com> <20140221173753.GL33573@mdounin.ru> Message-ID: <4ff95b74.d3ae.14461dfa549.Coremail.flygoast@126.com> Is this ok? Or return a 500? # HG changeset patch # User FengGu # Date 1393211386 -28800 # Node ID 8f1937a9f3f632cf060d18053f153bbf6097f5ba # Parent f47c844acbd453c05174200af8df132c33171b35 Fixed segmentation fault with error_page for 400 to named location. When using error_page for code 400 to named location, the bad request's uri would be { 0, NULL }, it would result in segmentation fault in ngx_http_index_handler() and so on. diff -r f47c844acbd4 -r 8f1937a9f3f6 src/http/ngx_http_core_module.c --- a/src/http/ngx_http_core_module.c Sat Feb 22 12:08:31 2014 +0400 
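Review bot: the corrected len now covers the "[" and "]" that bracket an IPv6 text address before ":port", which the old sizeof(":65535") left out; addr_text_max_len on the line above stays at NGX_INET6_ADDRSTRLEN, which is right only if that field never has to hold the brackets and port, so please double-check its consumers for the same two-byte shortfall.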
+++ b/src/http/ngx_http_core_module.c Mon Feb 24 11:09:46 2014 +0800 @@ -2647,6 +2647,11 @@ continue; } + if (r->uri.len == 0) { + ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST); + return NGX_DONE; + } + ngx_log_debug3(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "using location: %V \"%V?%V\"", name, &r->uri, &r->args); At 2014-02-22 01:37:54,"Maxim Dounin" wrote: >Hello! > >On Sat, Feb 22, 2014 at 12:40:35AM +0800, flygoast wrote: > >> # HG changeset patch >> >> # User FengGu >> # Date 1392981015 -28800 >> # Fri Feb 21 19:10:15 2014 +0800 >> # Node ID 2dd8fd75f1646336b21cb2f4506f1d45b8771e56 >> # Parent 545a4d393e2fb8d5448dad89d25a110fa72e71d1 >> Fixed segmentation fault with error_page for 400 to named location >> >> >> When using error_page for code 400 to named location, the bad request's uri >> would be { 0, NULL }, it would result in segmentation fault in >> ngx_http_index_handler() and so on. >> >> >> diff -r 545a4d393e2f -r 2dd8fd75f164 src/http/ngx_http_core_module.c >> --- a/src/http/ngx_http_core_module.c Thu Feb 20 17:27:09 2014 +0400 >> +++ b/src/http/ngx_http_core_module.c Fri Feb 21 19:10:15 2014 +0800 >> @@ -2651,6 +2651,12 @@ >> "using location: %V \"%V?%V\"", >> name, &r->uri, &r->args); >> >> >> + if (r->uri.len == 0) { >> + ngx_log_error(NGX_LOG_INFO, r->connection->log, 0, >> + "using \"/\" as uri for bad request"); >> + ngx_str_set(&r->uri, "/"); >> + } >> + >> r->internal = 1; >> r->content_handler = NULL; >> r->uri_changed = 0; > >This doesn't looks like a good solution. >I would rather return an error in such a case. > >-- >Maxim Dounin >http://nginx.org/ > >_______________________________________________ >nginx-devel mailing list >nginx-devel at nginx.org >http://mailman.nginx.org/mailman/listinfo/nginx-devel -------------- next part -------------- An HTML attachment was scrubbed... URL: From mdounin at mdounin.ru Wed Feb 26 11:38:55 2014 
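Review bot: the new check in the @@ -2647 hunk finalizes with NGX_HTTP_BAD_REQUEST and logs nothing, so the underlying misconfiguration (error_page 400 routed to a named location) never surfaces in the error log and the request looks like just another 400; since an empty URI at this point means the configuration, not the client, is at fault, log at NGX_LOG_ERR with the location name and return NGX_HTTP_INTERNAL_SERVER_ERROR.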
From: mdounin at mdounin.ru (Maxim Dounin) Date: Wed, 26 Feb 2014 15:38:55 +0400 Subject: [PATCH]Fixed segmentation fault with error_page for 400 to named location In-Reply-To: <4ff95b74.d3ae.14461dfa549.Coremail.flygoast@126.com> References: <217839e1.12853.1445551e808.Coremail.flygoast@126.com> <20140221173753.GL33573@mdounin.ru> <4ff95b74.d3ae.14461dfa549.Coremail.flygoast@126.com> Message-ID: <20140226113855.GV91191@mdounin.ru> Hello! On Mon, Feb 24, 2014 at 11:10:50AM +0800, flygoast wrote: > Is this ok? Or return a 500? > > > # HG changeset patch > # User FengGu > # Date 1393211386 -28800 > # Node ID 8f1937a9f3f632cf060d18053f153bbf6097f5ba > # Parent f47c844acbd453c05174200af8df132c33171b35 > Fixed segmentation fault with error_page for 400 to named location. > > > When using error_page for code 400 to named location, the bad request's > uri would be { 0, NULL }, it would result in segmentation fault in > ngx_http_index_handler() and so on. > > > diff -r f47c844acbd4 -r 8f1937a9f3f6 src/http/ngx_http_core_module.c > --- a/src/http/ngx_http_core_module.c Sat Feb 22 12:08:31 2014 +0400 > +++ b/src/http/ngx_http_core_module.c Mon Feb 24 11:09:46 2014 +0800 > @@ -2647,6 +2647,11 @@ > continue; > } > > > + if (r->uri.len == 0) { > + ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST); > + return NGX_DONE; > + } > + > ngx_log_debug3(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, > "using location: %V \"%V?%V\"", > name, &r->uri, &r->args); > This one doesn't look good either. I would rather suggest something like this: --- a/src/http/ngx_http_core_module.c +++ b/src/http/ngx_http_core_module.c 
@@ -2632,6 +2632,14 @@ ngx_http_named_location(ngx_http_request return NGX_DONE; } + if (r->uri.len == 0) { + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, + "empty URI in redirect to named location \"%V\"", name); + + ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR); + return NGX_DONE; + } + cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module); if (cscf->named_locations) { -- Maxim Dounin http://nginx.org/ From mdounin at mdounin.ru Thu Feb 27 16:55:08 2014 From: mdounin at mdounin.ru (Maxim Dounin) Date: Thu, 27 Feb 2014 16:55:08 +0000 Subject: [nginx] Disabled redirects to named locations if URI is not set. Message-ID: details: http://hg.nginx.org/nginx/rev/0251f2f1dc93 branches: changeset: 5584:0251f2f1dc93 user: Maxim Dounin date: Thu Feb 27 20:36:35 2014 +0400 description: Disabled redirects to named locations if URI is not set. If something like "error_page 400 @name" is used in a configuration, a request could be passed to a named location without URI set, and this in turn might result in segmentation faults or other bad effects as most of the code assumes URI is set. With this change nginx will catch such configuration problems in ngx_http_named_location() and will stop request processing if URI is not set, returning 500. diffstat: src/http/ngx_http_core_module.c | 8 ++++++++ 1 files changed, 8 insertions(+), 0 deletions(-) diffs (18 lines): diff --git a/src/http/ngx_http_core_module.c b/src/http/ngx_http_core_module.c --- a/src/http/ngx_http_core_module.c +++ b/src/http/ngx_http_core_module.c 
@@ -2632,6 +2632,14 @@ ngx_http_named_location(ngx_http_request return NGX_DONE; } + if (r->uri.len == 0) { + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, + "empty URI in redirect to named location \"%V\"", name); + + ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR); + return NGX_DONE; + } + cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module); if (cscf->named_locations) { From seth.arnold at canonical.com Fri Feb 28 04:20:18 2014 
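Review bot: the check in ngx_http_named_location() is a request-time guard, so an "error_page 400 @name" configuration stays silent until a malformed request actually arrives and is then reported as a 500 with the ngx_log_error() message carrying the location name; that is the right severity for a configuration fault, but a config-time diagnostic in the error_page parser would catch it before deployment and would be a useful follow-up.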
From: seth.arnold at canonical.com (Seth Arnold)
Date: Thu, 27 Feb 2014 20:20:18 -0800
Subject: ASCII NUL in certificate fields
Message-ID: <20140228042018.GA8451@hunt>

Hello, I'm curious if nginx has made the same mistake as CVE-2009-2408 in
the ngx_ssl_get_subject_dn() and ngx_ssl_get_issuer_dn() functions:

Note in the following copy-and-pastes the { /* void */ } for loops. That
should find the end of an ASCII string but if a certificate has 0x00 bytes
encoded in the fields, nginx may copy only a small portion of the string.

Am I overlooking something?

Thanks

ngx_int_t
ngx_ssl_get_subject_dn(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
    char       *p;
    size_t      len;
    X509       *cert;
    X509_NAME  *name;

    s->len = 0;

    cert = SSL_get_peer_certificate(c->ssl->connection);
    if (cert == NULL) {
        return NGX_OK;
    }

    name = X509_get_subject_name(cert);
    if (name == NULL) {
        X509_free(cert);
        return NGX_ERROR;
    }

    p = X509_NAME_oneline(name, NULL, 0);

    for (len = 0; p[len]; len++) { /* void */ }

    s->len = len;
    s->data = ngx_pnalloc(pool, len);
    if (s->data == NULL) {
        OPENSSL_free(p);
        X509_free(cert);
        return NGX_ERROR;
    }

    ngx_memcpy(s->data, p, len);

    OPENSSL_free(p);
    X509_free(cert);

    return NGX_OK;
}

ngx_int_t
ngx_ssl_get_issuer_dn(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
    char       *p;
    size_t      len;
    X509       *cert;
    X509_NAME  *name;

    s->len = 0;

    cert = SSL_get_peer_certificate(c->ssl->connection);
    if (cert == NULL) {
        return NGX_OK;
    }

    name = X509_get_issuer_name(cert);
    if (name == NULL) {
        X509_free(cert);
        return NGX_ERROR;
    }

    p = X509_NAME_oneline(name, NULL, 0);

    for (len = 0; p[len]; len++) { /* void */ }

    s->len = len;
    s->data = ngx_pnalloc(pool, len);
    if (s->data == NULL) {
        OPENSSL_free(p);
        X509_free(cert);
        return NGX_ERROR;
    }

    ngx_memcpy(s->data, p, len);

    OPENSSL_free(p);
    X509_free(cert);

    return NGX_OK;
}

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc Type: application/pgp-signature Size: 490 bytes Desc: Digital signature URL: From mdounin at mdounin.ru Fri Feb 28 08:07:49 2014 From: mdounin at mdounin.ru (Maxim Dounin) Date: Fri, 28 Feb 2014 12:07:49 +0400 Subject: ASCII NUL in certificate fields In-Reply-To: <20140228042018.GA8451@hunt> References: <20140228042018.GA8451@hunt> Message-ID: <20140228080748.GG34696@mdounin.ru> Hello! On Thu, Feb 27, 2014 at 08:20:18PM -0800, Seth Arnold wrote: > Hello, I'm curious if nginx has made the same mistake as CVE-2009-2408 in > the ngx_ssl_get_subject_dn() and ngx_ssl_get_issuer_dn() functions: > > Note in the following copy-and-pastes the { /* void */ } for loops. That > should find the end of an ASCII string but if a certificate has 0x00 bytes > encoded in the fields, nginx may copy only a small portion of the string. > > Am I overlooking something? Special chars are escaped by X509_NAME_oneline(). -- Maxim Dounin http://nginx.org/ From mdounin at mdounin.ru Fri Feb 28 16:17:48 2014 From: mdounin at mdounin.ru (Maxim Dounin) Date: Fri, 28 Feb 2014 16:17:48 +0000 Subject: [nginx] Docs: switched from java XSLScript to xslscript.pl. Message-ID: details: http://hg.nginx.org/nginx/rev/f303f3e43f7b branches: changeset: 5585:f303f3e43f7b user: Maxim Dounin date: Fri Feb 28 20:17:00 2014 +0400 description: Docs: switched from java XSLScript to xslscript.pl. Latter is available from http://hg.nginx.org/xslscript. diffstat: docs/GNUmakefile | 12 +++--------- docs/xsls/dump.xsls | 29 ----------------------------- 2 files changed, 3 insertions(+), 38 deletions(-) diffs (61 lines): diff --git a/docs/GNUmakefile b/docs/GNUmakefile --- a/docs/GNUmakefile +++ b/docs/GNUmakefile @@ -3,7 +3,7 @@ VER= $(shell grep 'define NGINX_VERSION' | sed -e 's/^.*"\(.*\)".*/\1/') NGINX= nginx-$(VER) TEMP= tmp -CP= $(HOME)/java +XSLS?= xslscript.pl all: changes 
@@ -36,12 +36,6 @@ changes: $(TEMP)/$(NGINX)/CHANGES.ru -o $@ docs/xslt/changes.xslt docs/xml/nginx/changes.xml -docs/xslt/changes.xslt: docs/xsls/changes.xsls docs/xsls/dump.xsls +docs/xslt/changes.xslt: docs/xsls/changes.xsls - java -cp $(CP)/xsls/saxon.jar:$(CP)/xsls/xsls.jar \ - com.pault.StyleSheet \ - -x com.pault.XX -y com.pault.XX \ - $< docs/xsls/dump.xsls \ - | sed 's/ *$$//;/^ *$$/N;/\n *$$/D' > $@ - - if [ ! -s $@ ]; then rm $@; fi; test -s $@ + $(XSLS) -o $@ $< diff --git a/docs/xsls/dump.xsls b/docs/xsls/dump.xsls deleted file mode 100644 --- a/docs/xsls/dump.xsls +++ /dev/null @@ -1,29 +0,0 @@ -X:stylesheet { - -X:output method="xml" -X:param indent-increment="' '"; - -X:template noname(indent="' '") = "*" { - !{$indent} - - X:if "name()='xsl:template'" { - !{$indent} - } - - X:copy { - X:copy-of "@*" - !!( indent = "concat($indent, $indent-increment)" ); - X:if "./* " { !{$indent} } - } -} - - -X:template = "comment()|processing-instruction()" { - X:copy; -} - - - -} From mdounin at mdounin.ru Fri Feb 28 16:17:50 2014 From: mdounin at mdounin.ru (Maxim Dounin) Date: Fri, 28 Feb 2014 16:17:50 +0000 Subject: [nginx] Docs: xslt regenerated. Message-ID: details: http://hg.nginx.org/nginx/rev/db6d07dbef3c branches: changeset: 5586:db6d07dbef3c user: Maxim Dounin date: Fri Feb 28 20:17:01 2014 +0400 description: Docs: xslt regenerated. diffstat: docs/xslt/changes.xslt | 220 +++++++++++++++++------------------------------- 1 files changed, 80 insertions(+), 140 deletions(-) diffs (266 lines): diff --git a/docs/xslt/changes.xslt b/docs/xslt/changes.xslt --- a/docs/xslt/changes.xslt +++ b/docs/xslt/changes.xslt 
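Review bot: the new docs/xslt/changes.xslt rule drops the `if [ ! -s $@ ]; then rm $@; fi; test -s $@` guard together with the java pipeline, so if $(XSLS) exits non-zero after creating the output file, or writes an empty one, the next make run sees an up-to-date target and the broken xslt is used; keep the emptiness check, or write to a temporary file and mv it into place on success. The `XSLS?= xslscript.pl` default also assumes the script is on PATH, which is worth a line in the commit message next to the download location.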
@@ -1,182 +1,122 @@
From seth.arnold at canonical.com Fri Feb 28 21:28:28 2014 From: seth.arnold at canonical.com (Seth Arnold) Date: Fri, 28 Feb 2014 13:28:28 -0800 Subject: ASCII NUL in certificate fields In-Reply-To: <20140228080748.GG34696@mdounin.ru> References: <20140228042018.GA8451@hunt> <20140228080748.GG34696@mdounin.ru> Message-ID: <20140228212828.GA9971@hunt> On Fri, Feb 28, 2014 at 12:07:49PM +0400, Maxim Dounin wrote: > > Am I overlooking something? > > Special chars are escaped by X509_NAME_oneline(). Ah! Of course. This is perfect. Thanks
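The escaping Maxim points to in the "ASCII NUL in certificate fields" thread, as an added illustration that is neither nginx nor OpenSSL code: a model of the X509_NAME_oneline() rule (assumed here as "bytes outside printable ASCII become \xHH") applied to a constructed CN with an embedded NUL, showing why the `for (len = 0; p[len]; len++)` scan is exact on the rendered string but would stop at the NUL on the raw value.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of the X509_NAME_oneline() escaping rule: bytes outside printable
 * ASCII (below ' ' or above '~') are emitted as \xHH, so an embedded NUL
 * becomes the four characters "\x00" and the result holds no real NUL.
 * Added illustration, not OpenSSL code; returns a malloc()ed string. */
char *dn_value_oneline(const unsigned char *data, size_t len)
{
    static const char  hex[] = "0123456789ABCDEF";
    size_t             i, n;
    char              *p, *q;
    for (i = 0, n = 0; i < len; i++) {
        n += (data[i] < ' ' || data[i] > '~') ? 4 : 1;
    }

    p = malloc(n + 1);
    if (p == NULL) {
        return NULL;
    }

    for (i = 0, q = p; i < len; i++) {
        if (data[i] < ' ' || data[i] > '~') {
            *q++ = '\\';
            *q++ = 'x';
            *q++ = hex[data[i] >> 4];
            *q++ = hex[data[i] & 0x0f];
        } else {
            *q++ = (char) data[i];
        }
    }

    *q = '\0';
    return p;
}

/* The length scan from ngx_ssl_get_subject_dn(): stops at the first NUL.
 * Exact on the escaped rendering, lossy if applied to raw ASN.1 bytes. */
size_t nul_terminated_len(const char *p)
{
    size_t  len;
    for (len = 0; p[len]; len++) { /* void */ }
    return len;
}

/* Constructed sample: a CN with an embedded NUL, the CVE-2009-2408 shape. */
static const unsigned char  sample_cn[] = "www.example.com\0.example.org";
#define SAMPLE_CN_LEN  (sizeof(sample_cn) - 1)

/* 1 if the rendering keeps the bytes after the NUL, 0 otherwise. */
int rendering_preserves_full_value(void)
{
    char  *esc = dn_value_oneline(sample_cn, SAMPLE_CN_LEN);
    int    ok;
    if (esc == NULL) {
        return 0;
    }
    /* 28 raw bytes render as 31 characters: the NUL became "\x00" */
    ok = strcmp(esc, "www.example.com\\x00.example.org") == 0
         && nul_terminated_len(esc) == SAMPLE_CN_LEN + 3;
    free(esc);
    return ok;
}

int main(void)
{
    char  *esc = dn_value_oneline(sample_cn, SAMPLE_CN_LEN);
    printf("raw %zu bytes, NUL-scan on raw %zu, NUL-scan on escaped %zu\n",
           SAMPLE_CN_LEN, nul_terminated_len((const char *) sample_cn),
           esc ? nul_terminated_len(esc) : (size_t) 0);
    free(esc);
    return 0;
}
```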