From mdounin at mdounin.ru Mon Apr 7 17:57:37 2025 
From: mdounin at mdounin.ru (=?iso-8859-1?q?Maxim_Dounin?=) Date: Mon, 07 Apr 2025 20:57:37 +0300 Subject: [nginx] Support for Multipath TCP on Linux. Message-ID: details: http://freenginx.org/hg/nginx/rev/cb20978439c8 branches: changeset: 9337:cb20978439c8 user: Maxim Dounin date: Mon Apr 07 18:57:35 2025 +0300 description: Support for Multipath TCP on Linux. With this change, Multipath TCP on Linux can be activated with "listen ... multipath". The "listen ... multipath" option is supported in http, stream, and mail modules. Note that on Linux to activate Multipath TCP one should create a socket with the IPPROTO_MPTCP protocol explicitly specified, and it is not possible to change an existing socket. To make transition possible with minimal impact on client connections, if the multipath option is changed in the configuration, SO_REUSEPORT is set on the old socket, and the new socket is opened with IPPROTO_MPTCP. Note that this creates a race window, and connection requests which are assigned to the old socket will be lost. In particular, this might affect binary upgrade when the WINCH signal is used to preserve the old master process. Requires Linux kernel 5.6 or newer. Note though that some of the socket options might not be supported with Multipath TCP or only supported in new kernels. Most notably, TCP_NODELAY is only supported with kernel version 5.17 or newer. Based on patches by Maxime Dourov and Anthony Doeraene. 
diffstat: auto/unix | 11 ++++++++ src/core/ngx_connection.c | 50 ++++++++++++++++++++++++++++++++++-- src/core/ngx_connection.h | 2 + src/core/ngx_cycle.c | 6 ++++ src/http/ngx_http.c | 4 ++ src/http/ngx_http_core_module.c | 19 ++++++++++++++ src/http/ngx_http_core_module.h | 1 + src/mail/ngx_mail.c | 4 ++ src/mail/ngx_mail.h | 1 + src/mail/ngx_mail_core_module.c | 12 ++++++++ src/stream/ngx_stream.c | 4 ++ src/stream/ngx_stream.h | 1 + src/stream/ngx_stream_core_module.c | 18 +++++++++++++ 13 files changed, 129 insertions(+), 4 deletions(-) diffs (326 lines): diff --git a/auto/unix b/auto/unix --- a/auto/unix +++ b/auto/unix @@ -532,6 +532,17 @@ ngx_feature_test="socklen_t optlen = siz . auto/feature +ngx_feature="IPPROTO_MPTCP" +ngx_feature_name="NGX_HAVE_MULTIPATH" +ngx_feature_run=no +ngx_feature_incs="#include + #include " +ngx_feature_path= +ngx_feature_libs= +ngx_feature_test="socket(0, 0, IPPROTO_MPTCP)" +. auto/feature + + ngx_feature="accept4()" ngx_feature_name="NGX_HAVE_ACCEPT4" ngx_feature_run=no diff --git a/src/core/ngx_connection.c b/src/core/ngx_connection.c --- a/src/core/ngx_connection.c +++ b/src/core/ngx_connection.c @@ -150,6 +150,9 @@ ngx_set_inherited_sockets(ngx_cycle_t *c #if (NGX_HAVE_REUSEPORT) int reuseport; #endif +#if (NGX_HAVE_MULTIPATH) + int protocol; +#endif ls = cycle->listening.elts; for (i = 0; i < cycle->listening.nelts; i++) { @@ -338,6 +341,25 @@ ngx_set_inherited_sockets(ngx_cycle_t *c #endif +#if (NGX_HAVE_MULTIPATH) + + protocol = 0; + olen = sizeof(int); + + if (getsockopt(ls[i].fd, SOL_SOCKET, SO_PROTOCOL, + (void *) &protocol, &olen) + == -1) + { + ngx_log_error(NGX_LOG_ALERT, cycle->log, ngx_socket_errno, + "getsockopt(SO_PROTOCOL) %V failed, ignored", + &ls[i].addr_text); + + } else { + ls[i].multipath = (protocol == IPPROTO_MPTCP) ? 1 : 0; + } + +#endif + #if (NGX_HAVE_DEFERRED_ACCEPT && defined SO_ACCEPTFILTER) ngx_memzero(&af, sizeof(struct accept_filter_arg)); 
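Review bot: In the new SO_PROTOCOL probe in ngx_set_inherited_sockets, a failed getsockopt() only logs and leaves `ls[i].multipath` untouched, so an inherited MPTCP socket is then treated as plain TCP; the ngx_cycle.c hunk later compares that flag with the new configuration and sets `reopen`, which would replace a socket that already had the right protocol and incur the lost-connection window the description mentions. The failure is presumably rare (SO_PROTOCOL is available wherever IPPROTO_MPTCP is), but the consequence is worth stating next to the log call, e.g. `/* on failure the socket may be reopened by ngx_init_cycle if multipath is configured */`. The rest of ngx_set_inherited_sockets is outside the hunk.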
@@ -406,7 +428,7 @@ ngx_set_inherited_sockets(ngx_cycle_t *c ngx_int_t ngx_open_listening_sockets(ngx_cycle_t *cycle) { - int reuseaddr; + int reuseaddr, proto; ngx_uint_t i, tries, failed; ngx_err_t err; ngx_log_t *log; @@ -436,7 +458,7 @@ ngx_open_listening_sockets(ngx_cycle_t * #if (NGX_HAVE_REUSEPORT) - if (ls[i].add_reuseport) { + if (ls[i].add_reuseport || ls[i].reopen) { /* * to allow transition from a socket without SO_REUSEPORT @@ -472,6 +494,18 @@ ngx_open_listening_sockets(ngx_cycle_t * ls[i].add_reuseport = 0; } + + if (ls[i].reopen) { + + /* + * to allow transition to Multipath TCP we set SO_REUSEPORT + * on the old socket, and then open a new one + */ + + ls[i].fd = (ngx_socket_t) -1; + ls[i].inherited = 0; + ls[i].previous->remain = 0; + } #endif if (ls[i].fd != (ngx_socket_t) -1) { @@ -487,7 +521,15 @@ ngx_open_listening_sockets(ngx_cycle_t * continue; } - s = ngx_socket(ls[i].sockaddr->sa_family, ls[i].type, 0); + proto = 0; + +#if (NGX_HAVE_MULTIPATH) + if (ls[i].multipath) { + proto = IPPROTO_MPTCP; + } +#endif + + s = ngx_socket(ls[i].sockaddr->sa_family, ls[i].type, proto); if (s == (ngx_socket_t) -1) { ngx_log_error(NGX_LOG_EMERG, log, ngx_socket_errno, @@ -517,7 +559,7 @@ ngx_open_listening_sockets(ngx_cycle_t * #if (NGX_HAVE_REUSEPORT) - if (ls[i].reuseport && !ngx_test_config) { + if ((ls[i].reuseport || ls[i].reopen) && !ngx_test_config) { int reuseport; reuseport = 1; diff --git a/src/core/ngx_connection.h b/src/core/ngx_connection.h --- a/src/core/ngx_connection.h +++ b/src/core/ngx_connection.h @@ -57,6 +57,7 @@ struct ngx_listening_s { unsigned open:1; unsigned remain:1; unsigned ignore:1; + unsigned reopen:1; unsigned bound:1; /* already bound */ unsigned inherited:1; /* inherited from previous process */ @@ -72,6 +73,7 @@ struct ngx_listening_s { #endif unsigned reuseport:1; unsigned add_reuseport:1; + unsigned multipath:1; unsigned keepalive:2; unsigned quic:1; diff --git a/src/core/ngx_cycle.c b/src/core/ngx_cycle.c 
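Review bot: The new `if (ls[i].reopen)` block sits inside `#if (NGX_HAVE_REUSEPORT)`, while the ngx_cycle.c hunk sets `nls[n].reopen = 1` under `#if (NGX_HAVE_MULTIPATH)` alone, so a build that has IPPROTO_MPTCP but not SO_REUSEPORT would set the flag and then silently keep the old non-multipath socket. IPPROTO_MPTCP is Linux-only per the description and Linux has had SO_REUSEPORT for a long time, so this is mostly theoretical, but tying the two together costs one line: guard the ngx_cycle.c check with `#if (NGX_HAVE_MULTIPATH && NGX_HAVE_REUSEPORT)`, or make the auto/unix feature test depend on NGX_HAVE_REUSEPORT. The block also dereferences `ls[i].previous`, which is presumably only set on the ngx_init_cycle path that sets `reopen`; a comment such as `/* reopen is only set for inherited sockets, so previous is non-NULL */` would make that coupling explicit. ngx_open_listening_sockets continues outside the hunk.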
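Review bot: When `proto` is IPPROTO_MPTCP and the running kernel does not provide it (the description says 5.6 or newer is required, and the auto/unix probe is compile-only, `ngx_feature_run=no`), the `ngx_socket()` failure is reported by the existing log call that follows, whose message text lies outside the hunk and, as far as I can see, does not know about multipath, so the operator gets no hint that the `multipath` parameter is the cause. A dedicated message on that path when `proto == IPPROTO_MPTCP`, for example `"socket() %V failed, multipath is not supported by the kernel"`, or at least a comment on the `proto = IPPROTO_MPTCP;` line noting that kernel support is only discovered here at run time, would shorten that diagnosis.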
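Review bot: With `(ls[i].reuseport || ls[i].reopen)`, a socket reopened for a multipath change gets SO_REUSEPORT set even when the configuration does not ask for `reuseport`, and nothing in the patch turns it off afterwards, so the option stays on that socket for its lifetime and presumably across later reloads, since the socket is then inherited as is. That is a defensible trade-off for the transition, but it changes the socket's exposure — on Linux SO_REUSEPORT lets additional sockets of the same user bind the same address — and it deserves a comment here plus a sentence in the commit message or documentation, e.g. `/* a reopened socket keeps SO_REUSEPORT, see the reopen handling above */`.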
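Review bot: The neighbouring bitfields in ngx_listening_s carry trailing comments (`/* already bound */`, `/* inherited from previous process */`) but the new `reopen` and `multipath` bits do not, and `reopen` in particular encodes a non-obvious contract: set by ngx_init_cycle when the multipath setting of an inherited socket differs from the new configuration, consumed by ngx_open_listening_sockets. Suggest `unsigned reopen:1;      /* reopen inherited socket, e.g. multipath change */` here and `unsigned multipath:1;   /* IPPROTO_MPTCP, Linux only */` in the second ngx_connection.h hunk.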
--- a/src/core/ngx_cycle.c +++ b/src/core/ngx_cycle.c @@ -581,6 +581,12 @@ ngx_init_cycle(ngx_cycle_t *old_cycle) } #endif +#if (NGX_HAVE_MULTIPATH) + if (ls[i].multipath != nls[n].multipath) { + nls[n].reopen = 1; + } +#endif + break; } } diff --git a/src/http/ngx_http.c b/src/http/ngx_http.c --- a/src/http/ngx_http.c +++ b/src/http/ngx_http.c @@ -1880,6 +1880,10 @@ ngx_http_add_listening(ngx_conf_t *cf, n ls->reuseport = addr->opt.reuseport; #endif +#if (NGX_HAVE_MULTIPATH) + ls->multipath = addr->opt.multipath; +#endif + ls->wildcard = addr->opt.wildcard; #if (NGX_HTTP_V3) diff --git a/src/http/ngx_http_core_module.c b/src/http/ngx_http_core_module.c --- a/src/http/ngx_http_core_module.c +++ b/src/http/ngx_http_core_module.c @@ -4179,6 +4179,19 @@ ngx_http_core_listen(ngx_conf_t *cf, ngx continue; } + if (ngx_strcmp(value[n].data, "multipath") == 0) { +#if (NGX_HAVE_MULTIPATH) + lsopt.multipath = 1; + lsopt.set = 1; + lsopt.bind = 1; +#else + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, + "multipath is not supported " + "on this platform, ignored"); +#endif + continue; + } + if (ngx_strcmp(value[n].data, "ssl") == 0) { #if (NGX_HTTP_SSL) lsopt.ssl = 1; @@ -4345,6 +4358,12 @@ ngx_http_core_listen(ngx_conf_t *cf, ngx } #endif +#if (NGX_HAVE_MULTIPATH) + if (lsopt.multipath) { + return "\"multipath\" parameter is incompatible with \"quic\""; + } +#endif + #if (NGX_HTTP_SSL) if (lsopt.ssl) { return "\"ssl\" parameter is incompatible with \"quic\""; diff --git a/src/http/ngx_http_core_module.h b/src/http/ngx_http_core_module.h --- a/src/http/ngx_http_core_module.h +++ b/src/http/ngx_http_core_module.h @@ -81,6 +81,7 @@ typedef struct { #endif unsigned deferred_accept:1; unsigned reuseport:1; + unsigned multipath:1; unsigned so_keepalive:2; unsigned proxy_protocol:1; diff --git a/src/mail/ngx_mail.c b/src/mail/ngx_mail.c --- a/src/mail/ngx_mail.c +++ b/src/mail/ngx_mail.c 
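Review bot: The new compatibility checks reject `multipath` with `quic` here and with `udp` in the ngx_stream_core_module.c hunk, but none of the three listen parsers (http, mail, stream) rejects it for `unix:` paths, although the documentation hunks in this thread list `[multipath]` under the `unix:path` form as well; IPPROTO_MPTCP is presumably only meaningful for AF_INET/AF_INET6 stream sockets, so as far as I can tell such a configuration would only fail later in ngx_open_listening_sockets at socket() time rather than at parse time. A check on the address family next to the quic one, `return "\"multipath\" parameter is incompatible with \"unix:\" addresses";`, and the same in the mail and stream parsers, would report it where the other incompatibilities are. ngx_http_core_listen continues outside the hunk.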
@@ -347,6 +347,10 @@ ngx_mail_optimize_servers(ngx_conf_t *cf ls->ipv6only = addr[i].opt.ipv6only; #endif +#if (NGX_HAVE_MULTIPATH) + ls->multipath = addr[i].opt.multipath; +#endif + mport = ngx_palloc(cf->pool, sizeof(ngx_mail_port_t)); if (mport == NULL) { return NGX_CONF_ERROR; diff --git a/src/mail/ngx_mail.h b/src/mail/ngx_mail.h --- a/src/mail/ngx_mail.h +++ b/src/mail/ngx_mail.h @@ -40,6 +40,7 @@ typedef struct { #if (NGX_HAVE_INET6) unsigned ipv6only:1; #endif + unsigned multipath:1; unsigned so_keepalive:2; unsigned proxy_protocol:1; #if (NGX_HAVE_KEEPALIVE_TUNABLE) diff --git a/src/mail/ngx_mail_core_module.c b/src/mail/ngx_mail_core_module.c --- a/src/mail/ngx_mail_core_module.c +++ b/src/mail/ngx_mail_core_module.c @@ -456,6 +456,18 @@ ngx_mail_core_listen(ngx_conf_t *cf, ngx #endif } + if (ngx_strcmp(value[i].data, "multipath") == 0) { +#if (NGX_HAVE_MULTIPATH) + ls->multipath = 1; + ls->bind = 1; +#else + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, + "multipath is not supported " + "on this platform, ignored"); +#endif + continue; + } + if (ngx_strcmp(value[i].data, "ssl") == 0) { #if (NGX_MAIL_SSL) ngx_mail_ssl_conf_t *sslcf; diff --git a/src/stream/ngx_stream.c b/src/stream/ngx_stream.c --- a/src/stream/ngx_stream.c +++ b/src/stream/ngx_stream.c @@ -518,6 +518,10 @@ ngx_stream_optimize_servers(ngx_conf_t * ls->reuseport = addr[i].opt.reuseport; #endif +#if (NGX_HAVE_MULTIPATH) + ls->multipath = addr[i].opt.multipath; +#endif + stport = ngx_palloc(cf->pool, sizeof(ngx_stream_port_t)); if (stport == NULL) { return NGX_CONF_ERROR; diff --git a/src/stream/ngx_stream.h b/src/stream/ngx_stream.h --- a/src/stream/ngx_stream.h +++ b/src/stream/ngx_stream.h @@ -55,6 +55,7 @@ typedef struct { unsigned ipv6only:1; #endif unsigned reuseport:1; + unsigned multipath:1; unsigned so_keepalive:2; unsigned proxy_protocol:1; #if (NGX_HAVE_KEEPALIVE_TUNABLE) diff --git a/src/stream/ngx_stream_core_module.c b/src/stream/ngx_stream_core_module.c 
--- a/src/stream/ngx_stream_core_module.c +++ b/src/stream/ngx_stream_core_module.c @@ -738,6 +738,18 @@ ngx_stream_core_listen(ngx_conf_t *cf, n continue; } + if (ngx_strcmp(value[i].data, "multipath") == 0) { +#if (NGX_HAVE_MULTIPATH) + ls->multipath = 1; + ls->bind = 1; +#else + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, + "multipath is not supported " + "on this platform, ignored"); +#endif + continue; + } + if (ngx_strcmp(value[i].data, "ssl") == 0) { #if (NGX_STREAM_SSL) ngx_stream_ssl_conf_t *sslcf; @@ -884,6 +896,12 @@ ngx_stream_core_listen(ngx_conf_t *cf, n return "\"fastopen\" parameter is incompatible with \"udp\""; } #endif + +#if (NGX_HAVE_MULTIPATH) + if (ls->multipath) { + return "\"multipath\" parameter is incompatible with \"udp\""; + } +#endif } for (n = 0; n < u.naddrs; n++) { From mdounin at mdounin.ru Mon Apr 7 18:11:03 2025 From: mdounin at mdounin.ru (=?iso-8859-1?q?Maxim_Dounin?=) Date: Mon, 07 Apr 2025 21:11:03 +0300 Subject: [PATCH] Updated OpenSSL and PCRE used for win32 builds Message-ID: <13ff97040052cb1dd067.1744049463@1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa> # HG changeset patch # User Maxim Dounin # Date 1744048741 -10800 # Mon Apr 07 20:59:01 2025 +0300 # Node ID 13ff97040052cb1dd067ea45878d1771870d08fb # Parent cb20978439c819e71826c86dd860346d051a6127 Updated OpenSSL and PCRE used for win32 builds. diff -r cb20978439c8 -r 13ff97040052 auto/lib/pcre/make --- a/auto/lib/pcre/make Mon Apr 07 18:57:35 2025 +0300 +++ b/auto/lib/pcre/make Mon Apr 07 20:59:01 2025 +0300 @@ -37,6 +37,7 @@ if [ $PCRE_LIBRARY = PCRE2 ]; then pcre2_xclass.c" ngx_pcre_test="pcre2_chkdint.c \ + pcre2_compile_class.c \ pcre2_convert.c \ pcre2_extuni.c \ pcre2_find_bracket.c \ diff -r cb20978439c8 -r 13ff97040052 misc/GNUmakefile --- a/misc/GNUmakefile Mon Apr 07 18:57:35 2025 +0300 +++ b/misc/GNUmakefile Mon Apr 07 20:59:01 2025 +0300 
@@ -6,9 +6,9 @@ TEMP = tmp CC = cl OBJS = objs.msvc8 -OPENSSL = openssl-3.0.14 +OPENSSL = openssl-3.0.16 ZLIB = zlib-1.3.1 -PCRE = pcre2-10.44 +PCRE = pcre2-10.45 release: export @@ -108,7 +108,7 @@ zip: export cp -p $(OBJS)/lib/$(OPENSSL)/LICENSE.txt \ $(TEMP)/$(NGINX)/docs/OpenSSL.LICENSE - cp -p $(OBJS)/lib/$(PCRE)/LICENCE \ + cp -p $(OBJS)/lib/$(PCRE)/LICENCE* \ $(TEMP)/$(NGINX)/docs/PCRE.LICENCE sed -ne '/^ (C) 1995-20/,/^ jloup at gzip\.org/p' \ From mdounin at mdounin.ru Tue Apr 8 00:21:42 2025 
From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 8 Apr 2025 03:21:42 +0300 Subject: freenginx-1.27.5 changes draft Message-ID: Hello! Below are CHANGES draft for the upcoming freenginx release, 1.27.5. Review and comments are welcome. Changes with freenginx 1.27.5 08 Apr 2025 *) Feature: the "multipath" parameter of the "listen" directive. Thanks to Maxime Dourov and Anthony Doeraene. *) Change: SSL session reuse is no longer allowed between servers with different certificates set by the "ssl_trusted_certificate" directive if client SSL certificate verification is enabled. *) Workaround: when using TLSv1.3 with OpenSSL 1.1.1e or newer, it was possible to reuse an SSL session in a different virtual server context, notably with different certificates set by the "ssl_client_certificate" directive. *) Workaround: "gzip filter failed to use preallocated memory" alerts appeared in logs when using zlib-ng. ????????? ? freenginx 1.27.5 08.04.2025 *) ??????????: ???????? multipath ????????? listen. ??????? Maxime Dourov ? Anthony Doeraene. *) ?????????: ?????? ??? ?????????? ???????? ?????????? SSL-???????????? ????????? ????????????? SSL-?????? ?? ??????????? ????? ?????????, ? ??????? ??????????? ???????????, ???????? ?????????? ssl_trusted_certificate. *) ?????????: ??? ????????????? TLSv1.3 ? OpenSSL 1.1.1e ? ????? ???? ???????? ????????? ????????????? ?????? ? ????????? ??????? ???????????? ???????, ? ??? ????? ? ??????? ?????????????, ????????? ?????????? ssl_client_certificate. *) ?????????: ??? ????????????? zlib-ng ? ????? ?????????? ????????? "gzip filter failed to use preallocated memory". -- Maxim Dounin http://mdounin.ru/ From mdounin at mdounin.ru Tue Apr 8 14:33:55 2025 
From: mdounin at mdounin.ru (=?iso-8859-1?q?Maxim_Dounin?=) Date: Tue, 08 Apr 2025 17:33:55 +0300 Subject: [nginx-site] Documented "listen ... multipath". Message-ID: details: http://freenginx.org/hg/nginx-site/rev/bf72b138d64e branches: changeset: 3100:bf72b138d64e user: Maxim Dounin date: Tue Apr 08 08:03:06 2025 +0300 description: Documented "listen ... multipath". diffstat: xml/en/docs/http/ngx_http_core_module.xml | 13 ++++++++++++- xml/en/docs/mail/ngx_mail_core_module.xml | 12 +++++++++++- xml/en/docs/stream/ngx_stream_core_module.xml | 12 +++++++++++- xml/ru/docs/http/ngx_http_core_module.xml | 13 ++++++++++++- xml/ru/docs/mail/ngx_mail_core_module.xml | 12 +++++++++++- xml/ru/docs/stream/ngx_stream_core_module.xml | 12 +++++++++++- 6 files changed, 68 insertions(+), 6 deletions(-) diffs (232 lines): diff --git a/xml/en/docs/http/ngx_http_core_module.xml b/xml/en/docs/http/ngx_http_core_module.xml --- a/xml/en/docs/http/ngx_http_core_module.xml +++ b/xml/en/docs/http/ngx_http_core_module.xml @@ -10,7 +10,7 @@ + rev="109">
@@ -1279,6 +1279,7 @@ The ?wait-read-ignore? cycle is repeated, but no longer than specified by the [bind] [ipv6only=on|off] [reuseport] + [multipath] [so_keepalive=on|off|[keepidle]:[keepintvl]:[keepcnt]] port @@ -1297,6 +1298,7 @@ The ?wait-read-ignore? cycle is repeated, but no longer than specified by the [bind] [ipv6only=on|off] [reuseport] + [multipath] [so_keepalive=on|off|[keepidle]:[keepintvl]:[keepcnt]] unix:path @@ -1552,6 +1554,15 @@ Inappropriate use of this option may hav + +multipath + + +instructs to use +Multipath TCP +(the IPPROTO_MPTCP protocol) on Linux (1.27.5). + + so_keepalive=on|off|[keepidle]:[keepintvl]:[keepcnt] diff --git a/xml/en/docs/mail/ngx_mail_core_module.xml b/xml/en/docs/mail/ngx_mail_core_module.xml --- a/xml/en/docs/mail/ngx_mail_core_module.xml +++ b/xml/en/docs/mail/ngx_mail_core_module.xml @@ -10,7 +10,7 @@ + rev="24">
@@ -84,6 +84,7 @@ mail { [sndbuf=size] [bind] [ipv6only=on|off] + [multipath] [so_keepalive=on|off|[keepidle]:[keepintvl]:[keepcnt]] server @@ -200,6 +201,15 @@ This parameter is turned on by default. It can only be set once on start. + +multipath + + +instructs to use +Multipath TCP +(the IPPROTO_MPTCP protocol) on Linux (1.27.5). + + so_keepalive=on|off|[keepidle]:[keepintvl]:[keepcnt] diff --git a/xml/en/docs/stream/ngx_stream_core_module.xml b/xml/en/docs/stream/ngx_stream_core_module.xml --- a/xml/en/docs/stream/ngx_stream_core_module.xml +++ b/xml/en/docs/stream/ngx_stream_core_module.xml @@ -9,7 +9,7 @@ + rev="39">
@@ -89,6 +89,7 @@ stream { [bind] [ipv6only=on|off] [reuseport] + [multipath] [so_keepalive=on|off|[keepidle]:[keepintvl]:[keepcnt]] server @@ -251,6 +252,15 @@ Inappropriate use of this option may hav + +multipath + + +instructs to use +Multipath TCP +(the IPPROTO_MPTCP protocol) on Linux (1.27.5). + + so_keepalive=on|off|[keepidle]:[keepintvl]:[keepcnt] diff --git a/xml/ru/docs/http/ngx_http_core_module.xml b/xml/ru/docs/http/ngx_http_core_module.xml --- a/xml/ru/docs/http/ngx_http_core_module.xml +++ b/xml/ru/docs/http/ngx_http_core_module.xml @@ -10,7 +10,7 @@ + rev="109">
@@ -1273,6 +1273,7 @@ location /flv/ { [bind] [ipv6only=on|off] [reuseport] + [multipath] [so_keepalive=on|off|[keepidle]:[keepintvl]:[keepcnt]] ???? @@ -1291,6 +1292,7 @@ location /flv/ { [bind] [ipv6only=on|off] [reuseport] + [multipath] [so_keepalive=on|off|[keepidle]:[keepintvl]:[keepcnt]] unix:???? @@ -1544,6 +1546,15 @@ FreeBSD, DragonFly BSD ? macOS, ? 511 ??? ?????? ????????. + +multipath + + +????????? ???????????? +Multipath TCP +(???????? IPPROTO_MPTCP) ?? Linux (1.27.5). + + so_keepalive=on|off|[keepidle]:[keepintvl]:[keepcnt] diff --git a/xml/ru/docs/mail/ngx_mail_core_module.xml b/xml/ru/docs/mail/ngx_mail_core_module.xml --- a/xml/ru/docs/mail/ngx_mail_core_module.xml +++ b/xml/ru/docs/mail/ngx_mail_core_module.xml @@ -10,7 +10,7 @@ + rev="24">
@@ -84,6 +84,7 @@ mail { [sndbuf=??????] [bind] [ipv6only=on|off] + [multipath] [so_keepalive=on|off|[keepidle]:[keepintvl]:[keepcnt]] server @@ -201,6 +202,15 @@ FreeBSD, DragonFly BSD ? macOS, ? 511 ??? ?????? ????????. ?????????? ??? ????? ?????? ???? ??? ?? ??????. + +multipath + + +????????? ???????????? +Multipath TCP +(???????? IPPROTO_MPTCP) ?? Linux (1.27.5). + + so_keepalive=on|off|[keepidle]:[keepintvl]:[keepcnt] diff --git a/xml/ru/docs/stream/ngx_stream_core_module.xml b/xml/ru/docs/stream/ngx_stream_core_module.xml --- a/xml/ru/docs/stream/ngx_stream_core_module.xml +++ b/xml/ru/docs/stream/ngx_stream_core_module.xml @@ -9,7 +9,7 @@ + rev="39">
@@ -89,6 +89,7 @@ stream { [bind] [ipv6only=on|off] [reuseport] + [multipath] [so_keepalive=on|off|[keepidle]:[keepintvl]:[keepcnt]] server @@ -235,6 +236,15 @@ FreeBSD, DragonFly BSD ? macOS, ?????????? ??? ????? ?????? ???? ??? ?? ??????. + +multipath + + +????????? ???????????? +Multipath TCP +(???????? IPPROTO_MPTCP) ?? Linux (1.27.5). + + reuseport From mdounin at mdounin.ru Tue Apr 8 15:45:59 2025 From: mdounin at mdounin.ru (=?iso-8859-1?q?Maxim_Dounin?=) Date: Tue, 08 Apr 2025 18:45:59 +0300 Subject: [nginx] Updated OpenSSL and PCRE used for win32 builds. Message-ID: details: http://freenginx.org/hg/nginx/rev/13ff97040052 branches: changeset: 9338:13ff97040052 user: Maxim Dounin date: Mon Apr 07 20:59:01 2025 +0300 description: Updated OpenSSL and PCRE used for win32 builds. diffstat: auto/lib/pcre/make | 1 + misc/GNUmakefile | 6 +++--- 2 files changed, 4 insertions(+), 3 deletions(-) diffs (35 lines): diff --git a/auto/lib/pcre/make b/auto/lib/pcre/make --- a/auto/lib/pcre/make +++ b/auto/lib/pcre/make @@ -37,6 +37,7 @@ if [ $PCRE_LIBRARY = PCRE2 ]; then pcre2_xclass.c" ngx_pcre_test="pcre2_chkdint.c \ + pcre2_compile_class.c \ pcre2_convert.c \ pcre2_extuni.c \ pcre2_find_bracket.c \ diff --git a/misc/GNUmakefile b/misc/GNUmakefile --- a/misc/GNUmakefile +++ b/misc/GNUmakefile @@ -6,9 +6,9 @@ TEMP = tmp CC = cl OBJS = objs.msvc8 -OPENSSL = openssl-3.0.14 +OPENSSL = openssl-3.0.16 ZLIB = zlib-1.3.1 -PCRE = pcre2-10.44 +PCRE = pcre2-10.45 release: export @@ -108,7 +108,7 @@ zip: export cp -p $(OBJS)/lib/$(OPENSSL)/LICENSE.txt \ $(TEMP)/$(NGINX)/docs/OpenSSL.LICENSE - cp -p $(OBJS)/lib/$(PCRE)/LICENCE \ + cp -p $(OBJS)/lib/$(PCRE)/LICENCE* \ $(TEMP)/$(NGINX)/docs/PCRE.LICENCE sed -ne '/^ (C) 1995-20/,/^ jloup at gzip\.org/p' \ From mdounin at mdounin.ru Tue Apr 8 15:46:00 2025 
From: mdounin at mdounin.ru (=?iso-8859-1?q?Maxim_Dounin?=) Date: Tue, 08 Apr 2025 18:46:00 +0300 Subject: [nginx] freenginx-1.27.5-RELEASE Message-ID: details: http://freenginx.org/hg/nginx/rev/e5a159b0c382 branches: changeset: 9339:e5a159b0c382 user: Maxim Dounin date: Tue Apr 08 18:42:07 2025 +0300 description: freenginx-1.27.5-RELEASE diffstat: docs/xml/nginx/changes.xml | 57 ++++++++++++++++++++++++++++++++++++++++++++++ 1 files changed, 57 insertions(+), 0 deletions(-) diffs (67 lines): diff --git a/docs/xml/nginx/changes.xml b/docs/xml/nginx/changes.xml --- a/docs/xml/nginx/changes.xml +++ b/docs/xml/nginx/changes.xml @@ -7,6 +7,63 @@
+ + + + +???????? multipath ????????? listen.
+??????? Maxime Dourov ? Anthony Doeraene. +
+ +the "multipath" parameter of the "listen" directive.
+Thanks to Maxime Dourov and Anthony Doeraene. +
+
+ + + +?????? ??? ?????????? ???????? ?????????? SSL-???????????? +????????? ????????????? SSL-?????? ?? ??????????? ????? ?????????, +? ??????? ??????????? ???????????, ???????? ?????????? ssl_trusted_certificate. + + +SSL session reuse is no longer allowed between servers +with different certificates set by the "ssl_trusted_certificate" directive +if client SSL certificate verification is enabled. + + + + + +??? ????????????? TLSv1.3 ? OpenSSL 1.1.1e ? ????? +???? ???????? ????????? ????????????? ?????? +? ????????? ??????? ???????????? ???????, +? ??? ????? ? ??????? ?????????????, +????????? ?????????? ssl_client_certificate. + + +when using TLSv1.3 with OpenSSL 1.1.1e or newer, +it was possible to reuse an SSL session +in a different virtual server context, +notably with different certificates +set by the "ssl_client_certificate" directive. + + + + + +??? ????????????? zlib-ng +? ????? ?????????? ????????? "gzip filter failed to use preallocated memory". + + +"gzip filter failed to use preallocated memory" alerts appeared in logs +when using zlib-ng. + + + +
+ + From mdounin at mdounin.ru Tue Apr 8 15:46:00 2025 From: mdounin at mdounin.ru (=?iso-8859-1?q?Maxim_Dounin?=) Date: Tue, 08 Apr 2025 18:46:00 +0300 Subject: [nginx] release-1.27.5 tag Message-ID: details: http://freenginx.org/hg/nginx/rev/8e674d7e1a1a branches: changeset: 9340:8e674d7e1a1a user: Maxim Dounin date: Tue Apr 08 18:42:09 2025 +0300 description: release-1.27.5 tag diffstat: .hgtags | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diffs (8 lines): diff --git a/.hgtags b/.hgtags --- a/.hgtags +++ b/.hgtags @@ -483,3 +483,4 @@ ee3eb2b9705f0c913a1bf4b9fe74def31411e8bf 91d77cc29d3336b1df25fe42d6c5ad4ca24b72b9 release-1.27.2 665f7a7675cf4620c5d05cbcabdf72e6afe18b80 release-1.27.3 3e58802df709d487e366809eef77f6424433d187 release-1.27.4 +e5a159b0c3821bf4e93b8e9ee34604238c93fd2a release-1.27.5 From mdounin at mdounin.ru Tue Apr 8 16:49:37 2025 From: mdounin at mdounin.ru (=?iso-8859-1?q?Maxim_Dounin?=) Date: Tue, 08 Apr 2025 19:49:37 +0300 Subject: [nginx-site] freenginx-1.27.5 Message-ID: details: http://freenginx.org/hg/nginx-site/rev/f6587510bd8e branches: changeset: 3101:f6587510bd8e user: Maxim Dounin date: Tue Apr 08 18:45:31 2025 +0300 description: freenginx-1.27.5 diffstat: text/en/CHANGES | 18 ++++++++++++++++++ text/ru/CHANGES.ru | 19 +++++++++++++++++++ xml/index.xml | 10 ++++++++++ xml/versions.xml | 1 + 4 files changed, 48 insertions(+), 0 deletions(-) diffs (84 lines): diff --git a/text/en/CHANGES b/text/en/CHANGES --- a/text/en/CHANGES +++ b/text/en/CHANGES 
@@ -1,4 +1,22 @@ +Changes with freenginx 1.27.5 08 Apr 2025 + + *) Feature: the "multipath" parameter of the "listen" directive. + Thanks to Maxime Dourov and Anthony Doeraene. + + *) Change: SSL session reuse is no longer allowed between servers with + different certificates set by the "ssl_trusted_certificate" directive + if client SSL certificate verification is enabled. + + *) Workaround: when using TLSv1.3 with OpenSSL 1.1.1e or newer, it was + possible to reuse an SSL session in a different virtual server + context, notably with different certificates set by the + "ssl_client_certificate" directive. + + *) Workaround: "gzip filter failed to use preallocated memory" alerts + appeared in logs when using zlib-ng. + + Changes with freenginx 1.27.4 03 Sep 2024 *) Feature: the $ssl_client_fingerprint_sha256 variable. diff --git a/text/ru/CHANGES.ru b/text/ru/CHANGES.ru --- a/text/ru/CHANGES.ru +++ b/text/ru/CHANGES.ru @@ -1,4 +1,23 @@ +????????? ? freenginx 1.27.5 08.04.2025 + + *) ??????????: ???????? multipath ????????? listen. + ??????? Maxime Dourov ? Anthony Doeraene. + + *) ?????????: ?????? ??? ?????????? ???????? ?????????? SSL-???????????? + ????????? ????????????? SSL-?????? ?? ??????????? ????? ?????????, ? + ??????? ??????????? ???????????, ???????? ?????????? + ssl_trusted_certificate. + + *) ?????????: ??? ????????????? TLSv1.3 ? OpenSSL 1.1.1e ? ????? ???? + ???????? ????????? ????????????? ?????? ? ????????? ??????? + ???????????? ???????, ? ??? ????? ? ??????? ?????????????, ????????? + ?????????? ssl_client_certificate. + + *) ?????????: ??? ????????????? zlib-ng ? ????? ?????????? ????????? + "gzip filter failed to use preallocated memory". + + ????????? ? freenginx 1.27.4 03.09.2024 *) ??????????: ?????????? $ssl_client_fingerprint_sha256. diff --git a/xml/index.xml b/xml/index.xml --- a/xml/index.xml +++ b/xml/index.xml 
@@ -8,6 +8,16 @@ + + +freenginx-1.27.5 +mainline version has been released, +featuring +Multipath +TCP support on Linux. + + + freenginx-1.27.4 diff --git a/xml/versions.xml b/xml/versions.xml --- a/xml/versions.xml +++ b/xml/versions.xml @@ -9,6 +9,7 @@ + From mdounin at mdounin.ru Sun Apr 13 02:16:47 2025 From: mdounin at mdounin.ru (=?utf-8?q?Maxim_Dounin?=) Date: Sun, 13 Apr 2025 05:16:47 +0300 Subject: [PATCH 1 of 2] Upstream: fixed passwords usage for certificates with variables Message-ID: # HG changeset patch # User Maxim Dounin # Date 1744509644 -10800 # Sun Apr 13 05:00:44 2025 +0300 # Node ID d154c555af30dc07a5a5d9bffa559fb1be0da019 # Parent 8e674d7e1a1ad3648498d0cba2c9b2a9da5d3777 Upstream: fixed passwords usage for certificates with variables. SSL certificate passwords are stored separately from the SSL context created for SSL proxying, yet modified when the context is created if certificates with variables are used (to ensure passwords will be available at run time). Optimizations introduced in 8053:9d98d524bd02 (1.23.1) did not take this into account, and might end up using at run time passwords which weren't preserved to be usable at run time, such as in the following configuration: server { proxy_ssl_certificate $crt; proxy_ssl_certificate_key $key; proxy_ssl_password_file foo; location /1/ { proxy_pass https://u; } location /2/ { proxy_pass https://u; } } Fix is to preserve passwords if needed when using an inherited SSL context. diff --git a/src/http/modules/ngx_http_grpc_module.c b/src/http/modules/ngx_http_grpc_module.c --- a/src/http/modules/ngx_http_grpc_module.c +++ b/src/http/modules/ngx_http_grpc_module.c 
@@ -4935,6 +4935,19 @@ ngx_http_grpc_set_ssl(ngx_conf_t *cf, ng ngx_pool_cleanup_t *cln; if (glcf->upstream.ssl->ctx) { + + if (glcf->upstream.ssl_certificate + && glcf->upstream.ssl_certificate->value.len + && (glcf->upstream.ssl_certificate->lengths + || glcf->upstream.ssl_certificate_key->lengths)) + { + glcf->upstream.ssl_passwords = + ngx_ssl_preserve_passwords(cf, glcf->upstream.ssl_passwords); + if (glcf->upstream.ssl_passwords == NULL) { + return NGX_ERROR; + } + } + return NGX_OK; } diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c --- a/src/http/modules/ngx_http_proxy_module.c +++ b/src/http/modules/ngx_http_proxy_module.c @@ -4987,6 +4987,19 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, n ngx_pool_cleanup_t *cln; if (plcf->upstream.ssl->ctx) { + + if (plcf->upstream.ssl_certificate + && plcf->upstream.ssl_certificate->value.len + && (plcf->upstream.ssl_certificate->lengths + || plcf->upstream.ssl_certificate_key->lengths)) + { + plcf->upstream.ssl_passwords = + ngx_ssl_preserve_passwords(cf, plcf->upstream.ssl_passwords); + if (plcf->upstream.ssl_passwords == NULL) { + return NGX_ERROR; + } + } + return NGX_OK; } diff --git a/src/http/modules/ngx_http_uwsgi_module.c b/src/http/modules/ngx_http_uwsgi_module.c --- a/src/http/modules/ngx_http_uwsgi_module.c +++ b/src/http/modules/ngx_http_uwsgi_module.c @@ -2519,6 +2519,19 @@ ngx_http_uwsgi_set_ssl(ngx_conf_t *cf, n ngx_pool_cleanup_t *cln; if (uwcf->upstream.ssl->ctx) { + + if (uwcf->upstream.ssl_certificate + && uwcf->upstream.ssl_certificate->value.len + && (uwcf->upstream.ssl_certificate->lengths + || uwcf->upstream.ssl_certificate_key->lengths)) + { + uwcf->upstream.ssl_passwords = + ngx_ssl_preserve_passwords(cf, uwcf->upstream.ssl_passwords); + if (uwcf->upstream.ssl_passwords == NULL) { + return NGX_ERROR; + } + } + return NGX_OK; } From mdounin at mdounin.ru Sun Apr 13 02:16:48 2025 
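Review bot: The new early-return condition dereferences `glcf->upstream.ssl_certificate_key->lengths` without checking that `ssl_certificate_key` is non-NULL, relying on an invariant (a certificate without a key is rejected elsewhere) that is not visible in the hunk; either a comment stating that invariant or adding `&& glcf->upstream.ssl_certificate_key` before the dereference would make the reliance explicit. The same block is repeated verbatim in the proxy and uwsgi hunks and, judging by the second patch in this thread, sits next to a similar condition further down in each set_ssl function, so the reason is worth capturing once, e.g. `/* certificates with variables are loaded at run time; keep passwords usable when the inherited context is reused */`. ngx_http_grpc_set_ssl continues outside the hunk.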
From: mdounin at mdounin.ru (=?utf-8?q?Maxim_Dounin?=) Date: Sun, 13 Apr 2025 05:16:48 +0300 Subject: [PATCH 2 of 2] Upstream: fixed SSL certificate password prompt in complex configs In-Reply-To: References: Message-ID: <0a8083b7093e88a56b6b.1744510608@vm-bsd.mdounin.ru> # HG changeset patch # User Maxim Dounin # Date 1744509743 -10800 # Sun Apr 13 05:02:23 2025 +0300 # Node ID 0a8083b7093e88a56b6b06d534b52c367728d005 # Parent d154c555af30dc07a5a5d9bffa559fb1be0da019 Upstream: fixed SSL certificate password prompt in complex configs. Variables support in certificates introduced in 7833:3ab8e1e2f0f7 (1.21.0) inadvertently broke password prompt for static SSL certificates, such as in the following configuration: location / { proxy_ssl_certificate $foo.crt; proxy_ssl_certificate_key $foo.key; proxy_pass https://u; location /static/ { proxy_ssl_certificate static.crt; proxy_ssl_certificate_key static.key; proxy_pass https://u; } } Fix is to restore the conf->ssl_passwords field as previously used for initial password reading and configuration inheritance, and only use the conf->upstream.ssl_passwords field for passwords preserved for run time usage. diff --git a/src/http/modules/ngx_http_grpc_module.c b/src/http/modules/ngx_http_grpc_module.c --- a/src/http/modules/ngx_http_grpc_module.c +++ b/src/http/modules/ngx_http_grpc_module.c @@ -37,6 +37,7 @@ typedef struct { ngx_uint_t ssl_verify_depth; ngx_str_t ssl_trusted_certificate; ngx_str_t ssl_crl; + ngx_array_t *ssl_passwords; ngx_array_t *ssl_conf_commands; #endif } ngx_http_grpc_loc_conf_t; @@ -4383,7 +4384,7 @@ ngx_http_grpc_create_loc_conf(ngx_conf_t conf->ssl_verify_depth = NGX_CONF_UNSET_UINT; conf->upstream.ssl_certificate = NGX_CONF_UNSET_PTR; conf->upstream.ssl_certificate_key = NGX_CONF_UNSET_PTR; - conf->upstream.ssl_passwords = NGX_CONF_UNSET_PTR; + conf->ssl_passwords = NGX_CONF_UNSET_PTR; conf->ssl_conf_commands = NGX_CONF_UNSET_PTR; #endif 
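Review bot: The new `ngx_array_t *ssl_passwords;` member of ngx_http_grpc_loc_conf_t (and its twin in the ngx_http_proxy_loc_conf_t hunk) now coexists with `upstream.ssl_passwords` under the same name, and the commit message is the only place that explains the split: the loc-conf field holds the passwords as read at configuration time and used for inheritance, the upstream field only the copy preserved for run-time loading. That distinction is easy to get wrong in later edits, so it deserves a trailing comment on the field, e.g. `ngx_array_t *ssl_passwords;  /* config time only, see upstream.ssl_passwords */`.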
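Review bot: After this hunk `conf->upstream.ssl_passwords` is no longer initialised to NGX_CONF_UNSET_PTR, and the merge hunk further down stops merging it, so its value now comes from the loc-conf allocation (NULL if that allocation is zeroed, which I assume from nginx convention but cannot see here) until set_ssl assigns the preserved copy. That is fine as long as nothing reads the field before set_ssl runs; a comment next to the remaining `conf->ssl_passwords = NGX_CONF_UNSET_PTR;` line, e.g. `/* upstream.ssl_passwords is set by set_ssl when preserved for run time */`, would document the expectation. The same applies to the ngx_http_proxy_create_loc_conf hunk.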
@@ -4496,8 +4497,8 @@ ngx_http_grpc_merge_loc_conf(ngx_conf_t prev->upstream.ssl_certificate, NULL); ngx_conf_merge_ptr_value(conf->upstream.ssl_certificate_key, prev->upstream.ssl_certificate_key, NULL); - ngx_conf_merge_ptr_value(conf->upstream.ssl_passwords, - prev->upstream.ssl_passwords, NULL); + ngx_conf_merge_ptr_value(conf->ssl_passwords, + prev->ssl_passwords, NULL); ngx_conf_merge_ptr_value(conf->ssl_conf_commands, prev->ssl_conf_commands, NULL); @@ -4853,15 +4854,15 @@ ngx_http_grpc_ssl_password_file(ngx_conf ngx_str_t *value; - if (glcf->upstream.ssl_passwords != NGX_CONF_UNSET_PTR) { + if (glcf->ssl_passwords != NGX_CONF_UNSET_PTR) { return "is duplicate"; } value = cf->args->elts; - glcf->upstream.ssl_passwords = ngx_ssl_read_password_file(cf, &value[1]); - - if (glcf->upstream.ssl_passwords == NULL) { + glcf->ssl_passwords = ngx_ssl_read_password_file(cf, &value[1]); + + if (glcf->ssl_passwords == NULL) { return NGX_CONF_ERROR; } @@ -4890,7 +4891,7 @@ ngx_http_grpc_merge_ssl(ngx_conf_t *cf, && conf->ssl_ciphers.data == NULL && conf->upstream.ssl_certificate == NGX_CONF_UNSET_PTR && conf->upstream.ssl_certificate_key == NGX_CONF_UNSET_PTR - && conf->upstream.ssl_passwords == NGX_CONF_UNSET_PTR + && conf->ssl_passwords == NGX_CONF_UNSET_PTR && conf->upstream.ssl_verify == NGX_CONF_UNSET && conf->ssl_verify_depth == NGX_CONF_UNSET_UINT && conf->ssl_trusted_certificate.data == NULL @@ -4942,7 +4943,7 @@ ngx_http_grpc_set_ssl(ngx_conf_t *cf, ng || glcf->upstream.ssl_certificate_key->lengths)) { glcf->upstream.ssl_passwords = - ngx_ssl_preserve_passwords(cf, glcf->upstream.ssl_passwords); + ngx_ssl_preserve_passwords(cf, glcf->ssl_passwords); if (glcf->upstream.ssl_passwords == NULL) { return NGX_ERROR; } 
@@ -4987,7 +4988,7 @@ ngx_http_grpc_set_ssl(ngx_conf_t *cf, ng || glcf->upstream.ssl_certificate_key->lengths) { glcf->upstream.ssl_passwords = - ngx_ssl_preserve_passwords(cf, glcf->upstream.ssl_passwords); + ngx_ssl_preserve_passwords(cf, glcf->ssl_passwords); if (glcf->upstream.ssl_passwords == NULL) { return NGX_ERROR; } @@ -4996,7 +4997,7 @@ ngx_http_grpc_set_ssl(ngx_conf_t *cf, ng if (ngx_ssl_certificate(cf, glcf->upstream.ssl, &glcf->upstream.ssl_certificate->value, &glcf->upstream.ssl_certificate_key->value, - glcf->upstream.ssl_passwords) + glcf->ssl_passwords) != NGX_OK) { return NGX_ERROR; diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c --- a/src/http/modules/ngx_http_proxy_module.c +++ b/src/http/modules/ngx_http_proxy_module.c @@ -124,6 +124,7 @@ typedef struct { ngx_uint_t ssl_verify_depth; ngx_str_t ssl_trusted_certificate; ngx_str_t ssl_crl; + ngx_array_t *ssl_passwords; ngx_array_t *ssl_conf_commands; #endif } ngx_http_proxy_loc_conf_t; @@ -3410,7 +3411,7 @@ ngx_http_proxy_create_loc_conf(ngx_conf_ conf->upstream.ssl_verify = NGX_CONF_UNSET; conf->upstream.ssl_certificate = NGX_CONF_UNSET_PTR; conf->upstream.ssl_certificate_key = NGX_CONF_UNSET_PTR; - conf->upstream.ssl_passwords = NGX_CONF_UNSET_PTR; + conf->ssl_passwords = NGX_CONF_UNSET_PTR; conf->ssl_verify_depth = NGX_CONF_UNSET_UINT; conf->ssl_conf_commands = NGX_CONF_UNSET_PTR; #endif @@ -3760,8 +3761,8 @@ ngx_http_proxy_merge_loc_conf(ngx_conf_t prev->upstream.ssl_certificate, NULL); ngx_conf_merge_ptr_value(conf->upstream.ssl_certificate_key, prev->upstream.ssl_certificate_key, NULL); - ngx_conf_merge_ptr_value(conf->upstream.ssl_passwords, - prev->upstream.ssl_passwords, NULL); + ngx_conf_merge_ptr_value(conf->ssl_passwords, + prev->ssl_passwords, NULL); ngx_conf_merge_ptr_value(conf->ssl_conf_commands, prev->ssl_conf_commands, NULL); 
@@ -4872,15 +4873,15 @@ ngx_http_proxy_ssl_password_file(ngx_con ngx_str_t *value; - if (plcf->upstream.ssl_passwords != NGX_CONF_UNSET_PTR) { + if (plcf->ssl_passwords != NGX_CONF_UNSET_PTR) { return "is duplicate"; } value = cf->args->elts; - plcf->upstream.ssl_passwords = ngx_ssl_read_password_file(cf, &value[1]); - - if (plcf->upstream.ssl_passwords == NULL) { + plcf->ssl_passwords = ngx_ssl_read_password_file(cf, &value[1]); + + if (plcf->ssl_passwords == NULL) { return NGX_CONF_ERROR; } @@ -4942,7 +4943,7 @@ ngx_http_proxy_merge_ssl(ngx_conf_t *cf, && conf->ssl_ciphers.data == NULL && conf->upstream.ssl_certificate == NGX_CONF_UNSET_PTR && conf->upstream.ssl_certificate_key == NGX_CONF_UNSET_PTR - && conf->upstream.ssl_passwords == NGX_CONF_UNSET_PTR + && conf->ssl_passwords == NGX_CONF_UNSET_PTR && conf->upstream.ssl_verify == NGX_CONF_UNSET && conf->ssl_verify_depth == NGX_CONF_UNSET_UINT && conf->ssl_trusted_certificate.data == NULL @@ -4994,7 +4995,7 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, n || plcf->upstream.ssl_certificate_key->lengths)) { plcf->upstream.ssl_passwords = - ngx_ssl_preserve_passwords(cf, plcf->upstream.ssl_passwords); + ngx_ssl_preserve_passwords(cf, plcf->ssl_passwords); if (plcf->upstream.ssl_passwords == NULL) { return NGX_ERROR; } @@ -5039,7 +5040,7 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, n || plcf->upstream.ssl_certificate_key->lengths) { plcf->upstream.ssl_passwords = - ngx_ssl_preserve_passwords(cf, plcf->upstream.ssl_passwords); + ngx_ssl_preserve_passwords(cf, plcf->ssl_passwords); if (plcf->upstream.ssl_passwords == NULL) { return NGX_ERROR; } @@ -5048,7 +5049,7 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, n if (ngx_ssl_certificate(cf, plcf->upstream.ssl, &plcf->upstream.ssl_certificate->value, &plcf->upstream.ssl_certificate_key->value, - plcf->upstream.ssl_passwords) + plcf->ssl_passwords) != NGX_OK) { return NGX_ERROR; diff --git a/src/http/modules/ngx_http_uwsgi_module.c b/src/http/modules/ngx_http_uwsgi_module.c 
--- a/src/http/modules/ngx_http_uwsgi_module.c +++ b/src/http/modules/ngx_http_uwsgi_module.c @@ -54,6 +54,7 @@ typedef struct { ngx_uint_t ssl_verify_depth; ngx_str_t ssl_trusted_certificate; ngx_str_t ssl_crl; + ngx_array_t *ssl_passwords; ngx_array_t *ssl_conf_commands; #endif } ngx_http_uwsgi_loc_conf_t; @@ -1568,7 +1569,7 @@ ngx_http_uwsgi_create_loc_conf(ngx_conf_ conf->ssl_verify_depth = NGX_CONF_UNSET_UINT; conf->upstream.ssl_certificate = NGX_CONF_UNSET_PTR; conf->upstream.ssl_certificate_key = NGX_CONF_UNSET_PTR; - conf->upstream.ssl_passwords = NGX_CONF_UNSET_PTR; + conf->ssl_passwords = NGX_CONF_UNSET_PTR; conf->ssl_conf_commands = NGX_CONF_UNSET_PTR; #endif @@ -1901,8 +1902,8 @@ ngx_http_uwsgi_merge_loc_conf(ngx_conf_t prev->upstream.ssl_certificate, NULL); ngx_conf_merge_ptr_value(conf->upstream.ssl_certificate_key, prev->upstream.ssl_certificate_key, NULL); - ngx_conf_merge_ptr_value(conf->upstream.ssl_passwords, - prev->upstream.ssl_passwords, NULL); + ngx_conf_merge_ptr_value(conf->ssl_passwords, + prev->ssl_passwords, NULL); ngx_conf_merge_ptr_value(conf->ssl_conf_commands, prev->ssl_conf_commands, NULL); @@ -2437,15 +2438,15 @@ ngx_http_uwsgi_ssl_password_file(ngx_con ngx_str_t *value; - if (uwcf->upstream.ssl_passwords != NGX_CONF_UNSET_PTR) { + if (uwcf->ssl_passwords != NGX_CONF_UNSET_PTR) { return "is duplicate"; } value = cf->args->elts; - uwcf->upstream.ssl_passwords = ngx_ssl_read_password_file(cf, &value[1]); - - if (uwcf->upstream.ssl_passwords == NULL) { + uwcf->ssl_passwords = ngx_ssl_read_password_file(cf, &value[1]); + + if (uwcf->ssl_passwords == NULL) { return NGX_CONF_ERROR; } 
@@ -2474,7 +2475,7 @@ ngx_http_uwsgi_merge_ssl(ngx_conf_t *cf, && conf->ssl_ciphers.data == NULL && conf->upstream.ssl_certificate == NGX_CONF_UNSET_PTR && conf->upstream.ssl_certificate_key == NGX_CONF_UNSET_PTR - && conf->upstream.ssl_passwords == NGX_CONF_UNSET_PTR + && conf->ssl_passwords == NGX_CONF_UNSET_PTR && conf->upstream.ssl_verify == NGX_CONF_UNSET && conf->ssl_verify_depth == NGX_CONF_UNSET_UINT && conf->ssl_trusted_certificate.data == NULL @@ -2526,7 +2527,7 @@ ngx_http_uwsgi_set_ssl(ngx_conf_t *cf, n || uwcf->upstream.ssl_certificate_key->lengths)) { uwcf->upstream.ssl_passwords = - ngx_ssl_preserve_passwords(cf, uwcf->upstream.ssl_passwords); + ngx_ssl_preserve_passwords(cf, uwcf->ssl_passwords); if (uwcf->upstream.ssl_passwords == NULL) { return NGX_ERROR; } @@ -2571,7 +2572,7 @@ ngx_http_uwsgi_set_ssl(ngx_conf_t *cf, n || uwcf->upstream.ssl_certificate_key->lengths) { uwcf->upstream.ssl_passwords = - ngx_ssl_preserve_passwords(cf, uwcf->upstream.ssl_passwords); + ngx_ssl_preserve_passwords(cf, uwcf->ssl_passwords); if (uwcf->upstream.ssl_passwords == NULL) { return NGX_ERROR; } @@ -2580,7 +2581,7 @@ ngx_http_uwsgi_set_ssl(ngx_conf_t *cf, n if (ngx_ssl_certificate(cf, uwcf->upstream.ssl, &uwcf->upstream.ssl_certificate->value, &uwcf->upstream.ssl_certificate_key->value, - uwcf->upstream.ssl_passwords) + uwcf->ssl_passwords) != NGX_OK) { return NGX_ERROR; From mdounin at mdounin.ru Sun Apr 13 02:17:52 2025 From: mdounin at mdounin.ru (=?utf-8?q?Maxim_Dounin?=) Date: Sun, 13 Apr 2025 05:17:52 +0300 Subject: [PATCH] Tests: tests for proxy_ssl_password_file issue Message-ID: <0a913a10945b996bcdac.1744510672@vm-bsd.mdounin.ru> # HG changeset patch # User Maxim Dounin # Date 1744510422 -10800 # Sun Apr 13 05:13:42 2025 +0300 # Node ID 0a913a10945b996bcdac073467bf7bc957ef716e # Parent a23ab99972ae28e2bd2ce9badfaa2e52c6a03e24 Tests: tests for proxy_ssl_password_file issue. diff --git a/proxy_ssl_certificate_vars.t b/proxy_ssl_certificate_vars.t 
--- a/proxy_ssl_certificate_vars.t +++ b/proxy_ssl_certificate_vars.t @@ -61,6 +61,20 @@ http { proxy_ssl_certificate $arg_cert; proxy_ssl_certificate_key $arg_cert; } + + location /complex/ { + proxy_ssl_certificate $arg_cert.example.com.crt; + proxy_ssl_certificate_key $arg_cert.example.com.key; + proxy_ssl_password_file password; + + location /complex/1 { + proxy_pass https://127.0.0.1:8082/; + } + + location /complex/2 { + proxy_pass https://127.0.0.1:8082/; + } + } } server { @@ -133,7 +147,7 @@ sleep 1 if $^O eq 'MSWin32'; $t->write_file('password', '3.example.com'); $t->write_file('index.html', ''); -$t->run()->plan(4); +$t->run()->plan(6); ############################################################################### @@ -146,4 +160,15 @@ like(http_get('/encrypted?cert=3'), like(http_get('/none'), qr/X-Verify: NONE/ms, 'variable - no certificate'); +like(http_get('/complex/1?cert=3'), + qr/X-Verify: SUCCESS/ms, 'variable - inherited encrypted key 1st'); + +SKIP: { +skip 'leaves coredump', 1 unless $t->has_version('1.27.6') + or $ENV{TEST_NGINX_UNSAFE}; + +like(http_get('/complex/2?cert=3'), + qr/X-Verify: SUCCESS/ms, 'variable - inherited encrypted key 2nd'); +} + ############################################################################### From mdounin at mdounin.ru Mon Apr 14 23:10:32 2025 
From: mdounin at mdounin.ru (=?iso-8859-1?q?Maxim_Dounin?=) Date: Tue, 15 Apr 2025 02:10:32 +0300 Subject: [nginx] SSL: improved handling of $ssl_curve and $ssl_curves var... Message-ID: details: http://freenginx.org/hg/nginx/rev/22e6a225f605 branches: changeset: 9341:22e6a225f605 user: Maxim Dounin date: Tue Apr 15 02:09:29 2025 +0300 description: SSL: improved handling of $ssl_curve and $ssl_curves variables. Now both $ssl_curve and $ssl_curves try to use SSL_group_to_name() if available and no NID is found. Notably, this makes it possible to see the name of the X25519MLKEM768 group as supported by OpenSSL 3.5.0. diffstat: src/event/ngx_event_openssl.c | 72 ++++++++++++++++++++++++++++++++++++------ 1 files changed, 61 insertions(+), 11 deletions(-) diffs (108 lines): diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c --- a/src/event/ngx_event_openssl.c +++ b/src/event/ngx_event_openssl.c @@ -5270,6 +5270,26 @@ ngx_ssl_get_curve(ngx_connection_t *c, n return NGX_OK; } +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + { + u_char *name; + + name = (u_char *) SSL_group_to_name(c->ssl->connection, nid); + + if (name) { + s->len = ngx_strlen(name); + + s->data = ngx_pnalloc(pool, s->len); + if (s->data == NULL) { + return NGX_ERROR; + } + + ngx_memcpy(s->data, name, s->len); + return NGX_OK; + } + } +#endif + s->len = sizeof("0x0000") - 1; s->data = ngx_pnalloc(pool, s->len); @@ -5292,10 +5312,13 @@ ngx_ssl_get_curve(ngx_connection_t *c, n ngx_int_t ngx_ssl_get_curves(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) { -#ifdef SSL_CTRL_GET_CURVES +#ifdef SSL_get1_curves int *curves, n, i, nid; u_char *p; +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + u_char *name; +#endif size_t len; n = SSL_get1_curves(c->ssl->connection, NULL); 
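Review bot: The `#ifdef SSL_get1_curves` guard that replaces `#ifdef SSL_CTRL_GET_CURVES` only detects a macro: OpenSSL defines SSL_get1_curves as a macro over SSL_get1_groups, but a library that declares it as an ordinary function would compile the whole body out and $ssl_curves would silently become empty, and I cannot tell from the hunk which libraries were checked. A comment on the guard would record the assumption: `/* SSL_get1_curves() is a macro in OpenSSL; a plain function declaration is not detected here */`. The new `u_char *name` takes a `const char *` from SSL_group_to_name() through a cast, as the `(u_char *)` in ngx_ssl_get_curve() above does; declaring it `const char *` would avoid the cast. The body of ngx_ssl_get_curves() continues in the next hunk.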
@@ -5316,12 +5339,25 @@ ngx_ssl_get_curves(ngx_connection_t *c, for (i = 0; i < n; i++) { nid = curves[i]; - if (nid & TLSEXT_nid_unknown) { - len += sizeof("0x0000") - 1; - - } else { + if ((nid & TLSEXT_nid_unknown) == 0) { len += ngx_strlen(OBJ_nid2sn(nid)); - } + goto next_length; + } + +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + + name = (u_char *) SSL_group_to_name(c->ssl->connection, nid); + + if (name) { + len += ngx_strlen(name); + goto next_length; + } + +#endif + + len += sizeof("0x0000") - 1; + + next_length: len += sizeof(":") - 1; } @@ -5336,12 +5372,26 @@ ngx_ssl_get_curves(ngx_connection_t *c, for (i = 0; i < n; i++) { nid = curves[i]; - if (nid & TLSEXT_nid_unknown) { - p = ngx_sprintf(p, "0x%04xd", nid & 0xffff); - - } else { + if ((nid & TLSEXT_nid_unknown) == 0) { p = ngx_sprintf(p, "%s", OBJ_nid2sn(nid)); - } + goto next_value; + + } + +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + + name = (u_char *) SSL_group_to_name(c->ssl->connection, nid); + + if (name) { + p = ngx_sprintf(p, "%s", name); + goto next_value; + } + +#endif + + p = ngx_sprintf(p, "0x%04xd", nid & 0xffff); + + next_value: *p++ = ':'; } From mdounin at mdounin.ru Mon Apr 14 23:19:34 2025 From: mdounin at mdounin.ru (=?iso-8859-1?q?Maxim_Dounin?=) Date: Tue, 15 Apr 2025 02:19:34 +0300 Subject: [nginx] Version bump. Message-ID: details: http://freenginx.org/hg/nginx/rev/aeaee7ffdb78 branches: changeset: 9342:aeaee7ffdb78 user: Maxim Dounin date: Tue Apr 15 02:19:07 2025 +0300 description: Version bump. diffstat: src/core/nginx.h | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diffs (14 lines): diff --git a/src/core/nginx.h b/src/core/nginx.h --- a/src/core/nginx.h +++ b/src/core/nginx.h 
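Review bot: The length pass and the fill pass now each carry the same three-way lookup (OBJ_nid2sn, SSL_group_to_name, hex fallback) joined by `goto next_length` / `goto next_value`, and since the buffer allocated between them is exactly the computed length, any future divergence between the two copies is a heap overflow rather than a wrong string. A small static helper mapping a group id to a name, or NULL for the hex fallback, lets both loops call the same code and removes the gotos; ngx_ssl_get_curve() could use it as well. With this shape `name` is declared `const char *`. The allocation between the two loops is outside the quoted lines and unchanged.
```c
/* group id -> printable name; NULL means "use the 0x%04xd fallback" */
static const char *
ngx_ssl_group_name(ngx_connection_t *c, int nid)
{
    if ((nid & TLSEXT_nid_unknown) == 0) {
        return OBJ_nid2sn(nid);
    }

#if OPENSSL_VERSION_NUMBER >= 0x30000000L
    return SSL_group_to_name(c->ssl->connection, nid);
#else
    return NULL;
#endif
}

/* … unchanged: SSL_get1_curves() calls and curves array … */

    for (i = 0; i < n; i++) {
        name = ngx_ssl_group_name(c, curves[i]);
        len += name ? ngx_strlen(name) : sizeof("0x0000") - 1;
        len += sizeof(":") - 1;
    }

/* … unchanged: buffer allocation … */

    for (i = 0; i < n; i++) {
        name = ngx_ssl_group_name(c, curves[i]);

        if (name) {
            p = ngx_sprintf(p, "%s", name);

        } else {
            p = ngx_sprintf(p, "0x%04xd", curves[i] & 0xffff);
        }

        *p++ = ':';
    }
```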
@@ -9,8 +9,8 @@ #define _NGINX_H_INCLUDED_ -#define nginx_version 1027005 -#define NGINX_VERSION "1.27.5" +#define nginx_version 1027006 +#define NGINX_VERSION "1.27.6" #define NGINX_NAME "freenginx" #define NGINX_VER NGINX_NAME "/" NGINX_VERSION From mdounin at mdounin.ru Mon Apr 14 23:23:45 2025 From: mdounin at mdounin.ru (=?iso-8859-1?q?Maxim_Dounin?=) Date: Tue, 15 Apr 2025 02:23:45 +0300 Subject: [nginx] Upstream: fixed passwords usage for certificates with va... Message-ID: details: http://freenginx.org/hg/nginx/rev/4f20c52c5f1b branches: changeset: 9343:4f20c52c5f1b user: Maxim Dounin date: Tue Apr 15 02:20:08 2025 +0300 description: Upstream: fixed passwords usage for certificates with variables. SSL certificate passwords are stored separately from the SSL context created for SSL proxying, yet modified when the context is created if certificates with variables are used (to ensure passwords will be available at run time). Optimizations introduced in 8053:9d98d524bd02 (1.23.1) did not take this into account, and might end up using at run time passwords which weren't preserved to be usable at run time, such as in the following configuration: server { proxy_ssl_certificate $crt; proxy_ssl_certificate_key $key; proxy_ssl_password_file foo; location /1/ { proxy_pass https://u; } location /2/ { proxy_pass https://u; } } Fix is to preserve passwords if needed when using an inherited SSL context. diffstat: src/http/modules/ngx_http_grpc_module.c | 13 +++++++++++++ src/http/modules/ngx_http_proxy_module.c | 13 +++++++++++++ src/http/modules/ngx_http_uwsgi_module.c | 13 +++++++++++++ 3 files changed, 39 insertions(+), 0 deletions(-) diffs (69 lines): diff --git a/src/http/modules/ngx_http_grpc_module.c b/src/http/modules/ngx_http_grpc_module.c --- a/src/http/modules/ngx_http_grpc_module.c +++ b/src/http/modules/ngx_http_grpc_module.c 
@@ -4935,6 +4935,19 @@ ngx_http_grpc_set_ssl(ngx_conf_t *cf, ng ngx_pool_cleanup_t *cln; if (glcf->upstream.ssl->ctx) { + + if (glcf->upstream.ssl_certificate + && glcf->upstream.ssl_certificate->value.len + && (glcf->upstream.ssl_certificate->lengths + || glcf->upstream.ssl_certificate_key->lengths)) + { + glcf->upstream.ssl_passwords = + ngx_ssl_preserve_passwords(cf, glcf->upstream.ssl_passwords); + if (glcf->upstream.ssl_passwords == NULL) { + return NGX_ERROR; + } + } + return NGX_OK; } diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c --- a/src/http/modules/ngx_http_proxy_module.c +++ b/src/http/modules/ngx_http_proxy_module.c @@ -4987,6 +4987,19 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, n ngx_pool_cleanup_t *cln; if (plcf->upstream.ssl->ctx) { + + if (plcf->upstream.ssl_certificate + && plcf->upstream.ssl_certificate->value.len + && (plcf->upstream.ssl_certificate->lengths + || plcf->upstream.ssl_certificate_key->lengths)) + { + plcf->upstream.ssl_passwords = + ngx_ssl_preserve_passwords(cf, plcf->upstream.ssl_passwords); + if (plcf->upstream.ssl_passwords == NULL) { + return NGX_ERROR; + } + } + return NGX_OK; } diff --git a/src/http/modules/ngx_http_uwsgi_module.c b/src/http/modules/ngx_http_uwsgi_module.c --- a/src/http/modules/ngx_http_uwsgi_module.c +++ b/src/http/modules/ngx_http_uwsgi_module.c @@ -2519,6 +2519,19 @@ ngx_http_uwsgi_set_ssl(ngx_conf_t *cf, n ngx_pool_cleanup_t *cln; if (uwcf->upstream.ssl->ctx) { + + if (uwcf->upstream.ssl_certificate + && uwcf->upstream.ssl_certificate->value.len + && (uwcf->upstream.ssl_certificate->lengths + || uwcf->upstream.ssl_certificate_key->lengths)) + { + uwcf->upstream.ssl_passwords = + ngx_ssl_preserve_passwords(cf, uwcf->upstream.ssl_passwords); + if (uwcf->upstream.ssl_passwords == NULL) { + return NGX_ERROR; + } + } + return NGX_OK; } From mdounin at mdounin.ru Mon Apr 14 23:23:45 2025 
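Review bot: In the new inherited-context branch the array handed to ngx_ssl_preserve_passwords() is whatever merge_loc_conf inherited from the parent, and the parent's own set_ssl() has presumably already replaced that pointer with its preserved copy when its certificate uses variables, so each nested location re-preserves an already preserved array and keeps its own worker-lifetime copy of the key passwords. That is correct but subtle enough to deserve a comment on the branch: `/* context inherited from the parent: certificates with variables are loaded at run time, so the passwords must outlive the configuration phase */`. The condition also dereferences `ssl_certificate_key->lengths` unconditionally, which relies on a key being required whenever a certificate is set; that check is outside this hunk and worth confirming. The grpc, proxy and uwsgi copies are identical and would be a candidate for a shared helper.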
From: mdounin at mdounin.ru (=?iso-8859-1?q?Maxim_Dounin?=) Date: Tue, 15 Apr 2025 02:23:45 +0300 Subject: [nginx] Upstream: fixed SSL certificate password prompt in compl... Message-ID: details: http://freenginx.org/hg/nginx/rev/1fc37359eb2b branches: changeset: 9344:1fc37359eb2b user: Maxim Dounin date: Tue Apr 15 02:20:14 2025 +0300 description: Upstream: fixed SSL certificate password prompt in complex configs. Variables support in certificates introduced in 7833:3ab8e1e2f0f7 (1.21.0) inadvertently broke password prompt for static SSL certificates, such as in the following configuration: location / { proxy_ssl_certificate $foo.crt; proxy_ssl_certificate_key $foo.key; proxy_pass https://u; location /static/ { proxy_ssl_certificate static.crt; proxy_ssl_certificate_key static.key; proxy_pass https://u; } } Fix is to restore the conf->ssl_passwords field as previously used for initial password reading and configuration inheritance, and only use the conf->upstream.ssl_passwords field for passwords preserved for run time usage. diffstat: src/http/modules/ngx_http_grpc_module.c | 23 ++++++++++++----------- src/http/modules/ngx_http_proxy_module.c | 23 ++++++++++++----------- src/http/modules/ngx_http_uwsgi_module.c | 23 ++++++++++++----------- 3 files changed, 36 insertions(+), 33 deletions(-) diffs (261 lines): diff --git a/src/http/modules/ngx_http_grpc_module.c b/src/http/modules/ngx_http_grpc_module.c --- a/src/http/modules/ngx_http_grpc_module.c +++ b/src/http/modules/ngx_http_grpc_module.c @@ -37,6 +37,7 @@ typedef struct { ngx_uint_t ssl_verify_depth; ngx_str_t ssl_trusted_certificate; ngx_str_t ssl_crl; + ngx_array_t *ssl_passwords; ngx_array_t *ssl_conf_commands; #endif } ngx_http_grpc_loc_conf_t; 
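Review bot: The new `ssl_passwords` field sits next to `upstream.ssl_passwords` with nothing in the struct saying how the two differ, and the commit message is the only place that explains it. A one-line comment on the field would keep the distinction with the code: `ngx_array_t *ssl_passwords; /* read at configuration time and inherited; upstream.ssl_passwords holds the copy preserved for run-time use */`. The same comment applies to the proxy and uwsgi structs in the hunks below.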
@@ -4383,7 +4384,7 @@ ngx_http_grpc_create_loc_conf(ngx_conf_t conf->ssl_verify_depth = NGX_CONF_UNSET_UINT; conf->upstream.ssl_certificate = NGX_CONF_UNSET_PTR; conf->upstream.ssl_certificate_key = NGX_CONF_UNSET_PTR; - conf->upstream.ssl_passwords = NGX_CONF_UNSET_PTR; + conf->ssl_passwords = NGX_CONF_UNSET_PTR; conf->ssl_conf_commands = NGX_CONF_UNSET_PTR; #endif @@ -4496,8 +4497,8 @@ ngx_http_grpc_merge_loc_conf(ngx_conf_t prev->upstream.ssl_certificate, NULL); ngx_conf_merge_ptr_value(conf->upstream.ssl_certificate_key, prev->upstream.ssl_certificate_key, NULL); - ngx_conf_merge_ptr_value(conf->upstream.ssl_passwords, - prev->upstream.ssl_passwords, NULL); + ngx_conf_merge_ptr_value(conf->ssl_passwords, + prev->ssl_passwords, NULL); ngx_conf_merge_ptr_value(conf->ssl_conf_commands, prev->ssl_conf_commands, NULL); @@ -4853,15 +4854,15 @@ ngx_http_grpc_ssl_password_file(ngx_conf ngx_str_t *value; - if (glcf->upstream.ssl_passwords != NGX_CONF_UNSET_PTR) { + if (glcf->ssl_passwords != NGX_CONF_UNSET_PTR) { return "is duplicate"; } value = cf->args->elts; - glcf->upstream.ssl_passwords = ngx_ssl_read_password_file(cf, &value[1]); - - if (glcf->upstream.ssl_passwords == NULL) { + glcf->ssl_passwords = ngx_ssl_read_password_file(cf, &value[1]); + + if (glcf->ssl_passwords == NULL) { return NGX_CONF_ERROR; } @@ -4890,7 +4891,7 @@ ngx_http_grpc_merge_ssl(ngx_conf_t *cf, && conf->ssl_ciphers.data == NULL && conf->upstream.ssl_certificate == NGX_CONF_UNSET_PTR && conf->upstream.ssl_certificate_key == NGX_CONF_UNSET_PTR - && conf->upstream.ssl_passwords == NGX_CONF_UNSET_PTR + && conf->ssl_passwords == NGX_CONF_UNSET_PTR && conf->upstream.ssl_verify == NGX_CONF_UNSET && conf->ssl_verify_depth == NGX_CONF_UNSET_UINT && conf->ssl_trusted_certificate.data == NULL 
@@ -4942,7 +4943,7 @@ ngx_http_grpc_set_ssl(ngx_conf_t *cf, ng || glcf->upstream.ssl_certificate_key->lengths)) { glcf->upstream.ssl_passwords = - ngx_ssl_preserve_passwords(cf, glcf->upstream.ssl_passwords); + ngx_ssl_preserve_passwords(cf, glcf->ssl_passwords); if (glcf->upstream.ssl_passwords == NULL) { return NGX_ERROR; } @@ -4987,7 +4988,7 @@ ngx_http_grpc_set_ssl(ngx_conf_t *cf, ng || glcf->upstream.ssl_certificate_key->lengths) { glcf->upstream.ssl_passwords = - ngx_ssl_preserve_passwords(cf, glcf->upstream.ssl_passwords); + ngx_ssl_preserve_passwords(cf, glcf->ssl_passwords); if (glcf->upstream.ssl_passwords == NULL) { return NGX_ERROR; } @@ -4996,7 +4997,7 @@ ngx_http_grpc_set_ssl(ngx_conf_t *cf, ng if (ngx_ssl_certificate(cf, glcf->upstream.ssl, &glcf->upstream.ssl_certificate->value, &glcf->upstream.ssl_certificate_key->value, - glcf->upstream.ssl_passwords) + glcf->ssl_passwords) != NGX_OK) { return NGX_ERROR; diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c --- a/src/http/modules/ngx_http_proxy_module.c +++ b/src/http/modules/ngx_http_proxy_module.c @@ -124,6 +124,7 @@ typedef struct { ngx_uint_t ssl_verify_depth; ngx_str_t ssl_trusted_certificate; ngx_str_t ssl_crl; + ngx_array_t *ssl_passwords; ngx_array_t *ssl_conf_commands; #endif } ngx_http_proxy_loc_conf_t; @@ -3410,7 +3411,7 @@ ngx_http_proxy_create_loc_conf(ngx_conf_ conf->upstream.ssl_verify = NGX_CONF_UNSET; conf->upstream.ssl_certificate = NGX_CONF_UNSET_PTR; conf->upstream.ssl_certificate_key = NGX_CONF_UNSET_PTR; - conf->upstream.ssl_passwords = NGX_CONF_UNSET_PTR; + conf->ssl_passwords = NGX_CONF_UNSET_PTR; conf->ssl_verify_depth = NGX_CONF_UNSET_UINT; conf->ssl_conf_commands = NGX_CONF_UNSET_PTR; #endif 
@@ -3760,8 +3761,8 @@ ngx_http_proxy_merge_loc_conf(ngx_conf_t prev->upstream.ssl_certificate, NULL); ngx_conf_merge_ptr_value(conf->upstream.ssl_certificate_key, prev->upstream.ssl_certificate_key, NULL); - ngx_conf_merge_ptr_value(conf->upstream.ssl_passwords, - prev->upstream.ssl_passwords, NULL); + ngx_conf_merge_ptr_value(conf->ssl_passwords, + prev->ssl_passwords, NULL); ngx_conf_merge_ptr_value(conf->ssl_conf_commands, prev->ssl_conf_commands, NULL); @@ -4872,15 +4873,15 @@ ngx_http_proxy_ssl_password_file(ngx_con ngx_str_t *value; - if (plcf->upstream.ssl_passwords != NGX_CONF_UNSET_PTR) { + if (plcf->ssl_passwords != NGX_CONF_UNSET_PTR) { return "is duplicate"; } value = cf->args->elts; - plcf->upstream.ssl_passwords = ngx_ssl_read_password_file(cf, &value[1]); - - if (plcf->upstream.ssl_passwords == NULL) { + plcf->ssl_passwords = ngx_ssl_read_password_file(cf, &value[1]); + + if (plcf->ssl_passwords == NULL) { return NGX_CONF_ERROR; } @@ -4942,7 +4943,7 @@ ngx_http_proxy_merge_ssl(ngx_conf_t *cf, && conf->ssl_ciphers.data == NULL && conf->upstream.ssl_certificate == NGX_CONF_UNSET_PTR && conf->upstream.ssl_certificate_key == NGX_CONF_UNSET_PTR - && conf->upstream.ssl_passwords == NGX_CONF_UNSET_PTR + && conf->ssl_passwords == NGX_CONF_UNSET_PTR && conf->upstream.ssl_verify == NGX_CONF_UNSET && conf->ssl_verify_depth == NGX_CONF_UNSET_UINT && conf->ssl_trusted_certificate.data == NULL @@ -4994,7 +4995,7 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, n || plcf->upstream.ssl_certificate_key->lengths)) { plcf->upstream.ssl_passwords = - ngx_ssl_preserve_passwords(cf, plcf->upstream.ssl_passwords); + ngx_ssl_preserve_passwords(cf, plcf->ssl_passwords); if (plcf->upstream.ssl_passwords == NULL) { return NGX_ERROR; } 
@@ -5039,7 +5040,7 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, n || plcf->upstream.ssl_certificate_key->lengths) { plcf->upstream.ssl_passwords = - ngx_ssl_preserve_passwords(cf, plcf->upstream.ssl_passwords); + ngx_ssl_preserve_passwords(cf, plcf->ssl_passwords); if (plcf->upstream.ssl_passwords == NULL) { return NGX_ERROR; } @@ -5048,7 +5049,7 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, n if (ngx_ssl_certificate(cf, plcf->upstream.ssl, &plcf->upstream.ssl_certificate->value, &plcf->upstream.ssl_certificate_key->value, - plcf->upstream.ssl_passwords) + plcf->ssl_passwords) != NGX_OK) { return NGX_ERROR; diff --git a/src/http/modules/ngx_http_uwsgi_module.c b/src/http/modules/ngx_http_uwsgi_module.c --- a/src/http/modules/ngx_http_uwsgi_module.c +++ b/src/http/modules/ngx_http_uwsgi_module.c @@ -54,6 +54,7 @@ typedef struct { ngx_uint_t ssl_verify_depth; ngx_str_t ssl_trusted_certificate; ngx_str_t ssl_crl; + ngx_array_t *ssl_passwords; ngx_array_t *ssl_conf_commands; #endif } ngx_http_uwsgi_loc_conf_t; @@ -1568,7 +1569,7 @@ ngx_http_uwsgi_create_loc_conf(ngx_conf_ conf->ssl_verify_depth = NGX_CONF_UNSET_UINT; conf->upstream.ssl_certificate = NGX_CONF_UNSET_PTR; conf->upstream.ssl_certificate_key = NGX_CONF_UNSET_PTR; - conf->upstream.ssl_passwords = NGX_CONF_UNSET_PTR; + conf->ssl_passwords = NGX_CONF_UNSET_PTR; conf->ssl_conf_commands = NGX_CONF_UNSET_PTR; #endif @@ -1901,8 +1902,8 @@ ngx_http_uwsgi_merge_loc_conf(ngx_conf_t prev->upstream.ssl_certificate, NULL); ngx_conf_merge_ptr_value(conf->upstream.ssl_certificate_key, prev->upstream.ssl_certificate_key, NULL); - ngx_conf_merge_ptr_value(conf->upstream.ssl_passwords, - prev->upstream.ssl_passwords, NULL); + ngx_conf_merge_ptr_value(conf->ssl_passwords, + prev->ssl_passwords, NULL); ngx_conf_merge_ptr_value(conf->ssl_conf_commands, prev->ssl_conf_commands, NULL); 
@@ -2437,15 +2438,15 @@ ngx_http_uwsgi_ssl_password_file(ngx_con ngx_str_t *value; - if (uwcf->upstream.ssl_passwords != NGX_CONF_UNSET_PTR) { + if (uwcf->ssl_passwords != NGX_CONF_UNSET_PTR) { return "is duplicate"; } value = cf->args->elts; - uwcf->upstream.ssl_passwords = ngx_ssl_read_password_file(cf, &value[1]); - - if (uwcf->upstream.ssl_passwords == NULL) { + uwcf->ssl_passwords = ngx_ssl_read_password_file(cf, &value[1]); + + if (uwcf->ssl_passwords == NULL) { return NGX_CONF_ERROR; } @@ -2474,7 +2475,7 @@ ngx_http_uwsgi_merge_ssl(ngx_conf_t *cf, && conf->ssl_ciphers.data == NULL && conf->upstream.ssl_certificate == NGX_CONF_UNSET_PTR && conf->upstream.ssl_certificate_key == NGX_CONF_UNSET_PTR - && conf->upstream.ssl_passwords == NGX_CONF_UNSET_PTR + && conf->ssl_passwords == NGX_CONF_UNSET_PTR && conf->upstream.ssl_verify == NGX_CONF_UNSET && conf->ssl_verify_depth == NGX_CONF_UNSET_UINT && conf->ssl_trusted_certificate.data == NULL @@ -2526,7 +2527,7 @@ ngx_http_uwsgi_set_ssl(ngx_conf_t *cf, n || uwcf->upstream.ssl_certificate_key->lengths)) { uwcf->upstream.ssl_passwords = - ngx_ssl_preserve_passwords(cf, uwcf->upstream.ssl_passwords); + ngx_ssl_preserve_passwords(cf, uwcf->ssl_passwords); if (uwcf->upstream.ssl_passwords == NULL) { return NGX_ERROR; } @@ -2571,7 +2572,7 @@ ngx_http_uwsgi_set_ssl(ngx_conf_t *cf, n || uwcf->upstream.ssl_certificate_key->lengths) { uwcf->upstream.ssl_passwords = - ngx_ssl_preserve_passwords(cf, uwcf->upstream.ssl_passwords); + ngx_ssl_preserve_passwords(cf, uwcf->ssl_passwords); if (uwcf->upstream.ssl_passwords == NULL) { return NGX_ERROR; } @@ -2580,7 +2581,7 @@ ngx_http_uwsgi_set_ssl(ngx_conf_t *cf, n if (ngx_ssl_certificate(cf, uwcf->upstream.ssl, &uwcf->upstream.ssl_certificate->value, &uwcf->upstream.ssl_certificate_key->value, - uwcf->upstream.ssl_passwords) + uwcf->ssl_passwords) != NGX_OK) { return NGX_ERROR; From mdounin at mdounin.ru Mon Apr 14 23:24:16 2025 
From: mdounin at mdounin.ru (=?iso-8859-1?q?Maxim_Dounin?=) Date: Tue, 15 Apr 2025 02:24:16 +0300 Subject: [nginx-tests] Tests: tests for proxy_ssl_password_file issue. Message-ID: details: http://freenginx.org/hg/nginx-tests/rev/0a913a10945b branches: changeset: 2007:0a913a10945b user: Maxim Dounin date: Sun Apr 13 05:13:42 2025 +0300 description: Tests: tests for proxy_ssl_password_file issue. diffstat: proxy_ssl_certificate_vars.t | 27 ++++++++++++++++++++++++++- 1 files changed, 26 insertions(+), 1 deletions(-) diffs (49 lines): diff --git a/proxy_ssl_certificate_vars.t b/proxy_ssl_certificate_vars.t --- a/proxy_ssl_certificate_vars.t +++ b/proxy_ssl_certificate_vars.t @@ -61,6 +61,20 @@ http { proxy_ssl_certificate $arg_cert; proxy_ssl_certificate_key $arg_cert; } + + location /complex/ { + proxy_ssl_certificate $arg_cert.example.com.crt; + proxy_ssl_certificate_key $arg_cert.example.com.key; + proxy_ssl_password_file password; + + location /complex/1 { + proxy_pass https://127.0.0.1:8082/; + } + + location /complex/2 { + proxy_pass https://127.0.0.1:8082/; + } + } } server { @@ -133,7 +147,7 @@ sleep 1 if $^O eq 'MSWin32'; $t->write_file('password', '3.example.com'); $t->write_file('index.html', ''); -$t->run()->plan(4); +$t->run()->plan(6); ############################################################################### @@ -146,4 +160,15 @@ like(http_get('/encrypted?cert=3'), like(http_get('/none'), qr/X-Verify: NONE/ms, 'variable - no certificate'); +like(http_get('/complex/1?cert=3'), + qr/X-Verify: SUCCESS/ms, 'variable - inherited encrypted key 1st'); + +SKIP: { +skip 'leaves coredump', 1 unless $t->has_version('1.27.6') + or $ENV{TEST_NGINX_UNSAFE}; + +like(http_get('/complex/2?cert=3'), + qr/X-Verify: SUCCESS/ms, 'variable - inherited encrypted key 2nd'); +} + ############################################################################### From mdounin at mdounin.ru Tue Apr 15 01:41:15 2025 
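Review bot: The two new requests only cover the run-time path (certificates with variables plus an inherited password file), so the second fix in this series, configuration-time loading of a static certificate in a nested location that inherits proxy_ssl_password_file, has no coverage here. A third nested location such as `location /complex/3 { proxy_ssl_certificate 3.example.com.crt; proxy_ssl_certificate_key 3.example.com.key; proxy_pass https://127.0.0.1:8082/; }` with an `X-Verify: SUCCESS` check would exercise conf->ssl_passwords at startup; whether key files under those names exist in this test is outside the hunk. The `skip 'leaves coredump'` guard on the second request is the right call, since that request is the one that reproduces the segmentation fault on unfixed builds.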
From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 15 Apr 2025 04:41:15 +0300 Subject: freenginx-1.27.6 changes draft Message-ID: Hello! Below are CHANGES draft for the upcoming freenginx release, 1.27.6. Review and comments are welcome. Changes with freenginx 1.27.6 15 Apr 2025 *) Workaround: the X25519MLKEM768 group name was not shown in the $ssl_curve and $ssl_curves variables when using OpenSSL 3.5. *) Bugfix: a segmentation fault might occur in a worker process if the "proxy_ssl_password_file" directive was used along with variables in the "proxy_ssl_certificate" or "proxy_ssl_certificate_key" directives; the bug had appeared in 1.23.1. ????????? ? freenginx 1.27.6 15.04.2025 *) ?????????: ??? ????????????? OpenSSL 3.5 ? ?????????? $ssl_curve ? $ssl_curves ?? ???????????? ???????? ?????? X25519MLKEM768. *) ???????????: ? ??????? ???????? ??? ????????? segmentation fault, ???? ?????????????? ????????? proxy_ssl_password_file, ? ? ?????????? proxy_ssl_certificate ??? proxy_ssl_certificate_key ?????????????? ??????????; ?????? ????????? ? 1.23.1. -- Maxim Dounin http://mdounin.ru/ From mdounin at mdounin.ru Tue Apr 15 18:04:32 2025 From: mdounin at mdounin.ru (=?iso-8859-1?q?Maxim_Dounin?=) Date: Tue, 15 Apr 2025 21:04:32 +0300 Subject: [nginx] freenginx-1.27.6-RELEASE Message-ID: details: http://freenginx.org/hg/nginx/rev/6731069e4b63 branches: changeset: 9345:6731069e4b63 user: Maxim Dounin date: Tue Apr 15 21:01:53 2025 +0300 description: freenginx-1.27.6-RELEASE diffstat: docs/xml/nginx/changes.xml | 33 +++++++++++++++++++++++++++++++++ 1 files changed, 33 insertions(+), 0 deletions(-) diffs (43 lines): diff --git a/docs/xml/nginx/changes.xml b/docs/xml/nginx/changes.xml --- a/docs/xml/nginx/changes.xml +++ b/docs/xml/nginx/changes.xml @@ -7,6 +7,39 @@
+ + + + +??? ????????????? OpenSSL 3.5 ? ?????????? $ssl_curve ? $ssl_curves +?? ???????????? ???????? ?????? X25519MLKEM768. + + +the X25519MLKEM768 group name was not shown +in the $ssl_curve and $ssl_curves variables when using OpenSSL 3.5. + + + + + +? ??????? ???????? ??? ????????? segmentation fault, +???? ?????????????? ????????? proxy_ssl_password_file, +? ? ?????????? proxy_ssl_certificate ??? proxy_ssl_certificate_key +?????????????? ??????????; +?????? ????????? ? 1.23.1. + + +a segmentation fault might occur in a worker process +if the "proxy_ssl_password_file" directive was used +along with variables +in the "proxy_ssl_certificate" or "proxy_ssl_certificate_key" directives; +the bug had appeared in 1.23.1. + + + + + + From mdounin at mdounin.ru Tue Apr 15 18:04:32 2025 From: mdounin at mdounin.ru (=?iso-8859-1?q?Maxim_Dounin?=) Date: Tue, 15 Apr 2025 21:04:32 +0300 Subject: [nginx] release-1.27.6 tag Message-ID: details: http://freenginx.org/hg/nginx/rev/b325ee44215f branches: changeset: 9346:b325ee44215f user: Maxim Dounin date: Tue Apr 15 21:01:54 2025 +0300 description: release-1.27.6 tag diffstat: .hgtags | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diffs (8 lines): diff --git a/.hgtags b/.hgtags --- a/.hgtags +++ b/.hgtags @@ -484,3 +484,4 @@ 91d77cc29d3336b1df25fe42d6c5ad4ca24b72b9 665f7a7675cf4620c5d05cbcabdf72e6afe18b80 release-1.27.3 3e58802df709d487e366809eef77f6424433d187 release-1.27.4 e5a159b0c3821bf4e93b8e9ee34604238c93fd2a release-1.27.5 +6731069e4b635d9dca49d6de04f0241cf3d856dd release-1.27.6 From mdounin at mdounin.ru Tue Apr 15 18:11:16 2025 
From: mdounin at mdounin.ru (=?iso-8859-1?q?Maxim_Dounin?=) Date: Tue, 15 Apr 2025 21:11:16 +0300 Subject: [nginx-site] freenginx-1.27.6 Message-ID: details: http://freenginx.org/hg/nginx-site/rev/a64156ff24c7 branches: changeset: 3102:a64156ff24c7 user: Maxim Dounin date: Tue Apr 15 21:09:19 2025 +0300 description: freenginx-1.27.6 diffstat: text/en/CHANGES | 11 +++++++++++ text/ru/CHANGES.ru | 11 +++++++++++ xml/index.xml | 7 +++++++ xml/versions.xml | 1 + 4 files changed, 30 insertions(+), 0 deletions(-) diffs (66 lines): diff --git a/text/en/CHANGES b/text/en/CHANGES --- a/text/en/CHANGES +++ b/text/en/CHANGES @@ -1,4 +1,15 @@ +Changes with freenginx 1.27.6 15 Apr 2025 + + *) Workaround: the X25519MLKEM768 group name was not shown in the + $ssl_curve and $ssl_curves variables when using OpenSSL 3.5. + + *) Bugfix: a segmentation fault might occur in a worker process if the + "proxy_ssl_password_file" directive was used along with variables in + the "proxy_ssl_certificate" or "proxy_ssl_certificate_key" + directives; the bug had appeared in 1.23.1. + + Changes with freenginx 1.27.5 08 Apr 2025 *) Feature: the "multipath" parameter of the "listen" directive. diff --git a/text/ru/CHANGES.ru b/text/ru/CHANGES.ru --- a/text/ru/CHANGES.ru +++ b/text/ru/CHANGES.ru @@ -1,4 +1,15 @@ +????????? ? freenginx 1.27.6 15.04.2025 + + *) ?????????: ??? ????????????? OpenSSL 3.5 ? ?????????? $ssl_curve ? + $ssl_curves ?? ???????????? ???????? ?????? X25519MLKEM768. + + *) ???????????: ? ??????? ???????? ??? ????????? segmentation fault, + ???? ?????????????? ????????? proxy_ssl_password_file, ? ? ?????????? + proxy_ssl_certificate ??? proxy_ssl_certificate_key ?????????????? + ??????????; ?????? ????????? ? 1.23.1. + + ????????? ? freenginx 1.27.5 08.04.2025 *) ??????????: ???????? multipath ????????? listen. diff --git a/xml/index.xml b/xml/index.xml --- a/xml/index.xml +++ b/xml/index.xml 
@@ -8,6 +8,13 @@
+
+
+freenginx-1.27.6
+mainline version has been released.
+
+
+
 freenginx-1.27.5
diff --git a/xml/versions.xml b/xml/versions.xml
--- a/xml/versions.xml
+++ b/xml/versions.xml
@@ -9,6 +9,7 @@
+
From mdounin at mdounin.ru Tue Apr 22 08:57:36 2025 From: mdounin at mdounin.ru (=?iso-8859-1?q?Maxim_Dounin?=) Date: Tue, 22 Apr 2025 11:57:36 +0300 Subject: [nginx] Stable branch. Message-ID: details: http://freenginx.org/hg/nginx/rev/31eada666ae5 branches: stable-1.28 changeset: 9347:31eada666ae5 user: Maxim Dounin date: Tue Apr 22 10:54:43 2025 +0300 description: Stable branch. diffstat: src/core/nginx.h | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diffs (14 lines):
diff --git a/src/core/nginx.h b/src/core/nginx.h
--- a/src/core/nginx.h
+++ b/src/core/nginx.h
@@ -9,8 +9,8 @@ #define _NGINX_H_INCLUDED_
-#define nginx_version 1027006
-#define NGINX_VERSION "1.27.6"
+#define nginx_version 1028000
+#define NGINX_VERSION "1.28.0"
 #define NGINX_NAME "freenginx"
 #define NGINX_VER NGINX_NAME "/" NGINX_VERSION
From mdounin at mdounin.ru Tue Apr 22 08:57:36 2025 From: mdounin at mdounin.ru (=?iso-8859-1?q?Maxim_Dounin?=) Date: Tue, 22 Apr 2025 11:57:36 +0300 Subject: [nginx] freenginx-1.28.0-RELEASE Message-ID: details: http://freenginx.org/hg/nginx/rev/1b3a80a99013 branches: stable-1.28 changeset: 9348:1b3a80a99013 user: Maxim Dounin date: Tue Apr 22 11:53:53 2025 +0300 description: freenginx-1.28.0-RELEASE diffstat: docs/xml/nginx/changes.xml | 13 +++++++++++++ 1 files changed, 13 insertions(+), 0 deletions(-) diffs (23 lines):
diff --git a/docs/xml/nginx/changes.xml b/docs/xml/nginx/changes.xml
--- a/docs/xml/nginx/changes.xml
+++ b/docs/xml/nginx/changes.xml
@@ -7,6 +7,19 @@
+
+
+
+
+?????????? ????? 1.28.x.
+
+
+1.28.x stable branch.
+
+
+
+
+
From mdounin at mdounin.ru Tue Apr 22 08:57:36 2025 From: mdounin at mdounin.ru (=?iso-8859-1?q?Maxim_Dounin?=) Date: Tue, 22 Apr 2025 11:57:36 +0300 Subject: [nginx] release-1.28.0 tag Message-ID: details: http://freenginx.org/hg/nginx/rev/849b8f2b7fe3 branches: stable-1.28 changeset: 9349:849b8f2b7fe3 user: Maxim Dounin date: Tue Apr 22 11:53:54 2025 +0300 description: release-1.28.0 tag diffstat: .hgtags | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diffs (8 lines):
diff --git a/.hgtags b/.hgtags
--- a/.hgtags
+++ b/.hgtags
@@ -485,3 +485,4 @@ 665f7a7675cf4620c5d05cbcabdf72e6afe18b80
 3e58802df709d487e366809eef77f6424433d187 release-1.27.4
 e5a159b0c3821bf4e93b8e9ee34604238c93fd2a release-1.27.5
 6731069e4b635d9dca49d6de04f0241cf3d856dd release-1.27.6
+1b3a80a99013ebb72871a65ae0256366aec09c06 release-1.28.0
From mdounin at mdounin.ru Tue Apr 22 09:00:41 2025 From: mdounin at mdounin.ru (=?iso-8859-1?q?Maxim_Dounin?=) Date: Tue, 22 Apr 2025 12:00:41 +0300 Subject: [nginx-site] freenginx-1.28.0 Message-ID: details: http://freenginx.org/hg/nginx-site/rev/7c3d7c4768e8 branches: changeset: 3103:7c3d7c4768e8 user: Maxim Dounin date: Tue Apr 22 11:58:42 2025 +0300 description: freenginx-1.28.0 diffstat: text/en/CHANGES-1.28 | 5 +++++ text/ru/CHANGES.ru-1.28 | 5 +++++ xml/index.xml | 21 +++++++++++++++++++++ xml/versions.xml | 10 +++++++++- 4 files changed, 40 insertions(+), 1 deletions(-) diffs (88 lines):
diff --git a/text/en/CHANGES b/text/en/CHANGES-1.28
copy from text/en/CHANGES
copy to text/en/CHANGES-1.28
--- a/text/en/CHANGES
+++ b/text/en/CHANGES-1.28
@@ -1,4 +1,9 @@
+Changes with freenginx 1.28.0 22 Apr 2025
+
+ *) 1.28.x stable branch.
+
+
 Changes with freenginx 1.27.6 15 Apr 2025
 *) Workaround: the X25519MLKEM768 group name was not shown in the
diff --git a/text/ru/CHANGES.ru b/text/ru/CHANGES.ru-1.28
copy from text/ru/CHANGES.ru
copy to text/ru/CHANGES.ru-1.28
--- a/text/ru/CHANGES.ru
+++ b/text/ru/CHANGES.ru-1.28
@@ -1,4 +1,9 @@
+????????? ? freenginx 1.28.0 22.04.2025
+
+ *) ?????????? ????? 1.28.x.
+
+
 ????????? ? freenginx 1.27.6 15.04.2025
 *) ?????????: ??? ????????????? OpenSSL 3.5 ? ?????????? $ssl_curve ?
diff --git a/xml/index.xml b/xml/index.xml
--- a/xml/index.xml
+++ b/xml/index.xml
@@ -8,6 +8,27 @@
+
+
+freenginx-1.28.0
+stable version has been released,
+incorporating new features and bug fixes from the 1.27.x mainline branch —
+including
+better handling of errors during reading request bodies,
+PID file
+writing improvements,
+the XOAUTH2 and OAUTHBEARER authentication methods
+in the mail proxy module,
+rate limiting
+for error logs,
+Age
+header support in cache,
+Multipath
+TCP support on Linux,
+and more.
+
+
+
 freenginx-1.27.6
diff --git a/xml/versions.xml b/xml/versions.xml
--- a/xml/versions.xml
+++ b/xml/versions.xml
@@ -10,6 +10,14 @@
+
+
+
+
+
+
+
+
@@ -20,7 +28,7 @@
-
+