From mdounin at mdounin.ru  Tue Jul  8 11:40:32 2025
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Tue, 8 Jul 2025 14:40:32 +0300
Subject: freenginx-1.29.0
Message-ID:

Changes with freenginx 1.29.0                                    08 Jul 2025

    *) Change: the "directio" directive now works when returning responses
       from cache.

    *) Change: the "limit_rate" directive now uses the leaky bucket
       algorithm, allowing more accurate enforcement of the specified rate;
       the "limit_rate_after" directive specifies the allowed size of
       traffic bursts.

    *) Change: the $request_time variable now remains correct on system
       time changes.

    *) Feature: the "send_min_rate" and "client_body_min_rate" directives.

    *) Feature: the "limit_rate" and "limit_rate_after" directives in the
       mail proxy module.

    *) Feature: the "lingering_close", "lingering_time", and
       "lingering_timeout" directives in the mail proxy module.

    *) Feature: connection limiting in the mail proxy module.

    *) Workaround: the "send_timeout" directive might not work when the
       kernel TCP memory limit was reached on Linux.

    *) Workaround: gcc 15.1 compatibility.

    *) Bugfix: a segmentation fault might occur in a worker process if the
       "proxy_ssl_password_file" directive was used in the stream module;
       the bug had appeared in 1.23.1.

    *) Bugfix: a segmentation fault might occur in a worker process on
       shutdown; the bug had appeared in 1.27.2.

    *) Bugfix: in the "open_file_cache" directive.


-- 
Maxim Dounin
http://freenginx.org/


From christoph at liebender.dev  Tue Jul  8 16:43:46 2025
From: christoph at liebender.dev (Christoph Liebender)
Date: Tue, 8 Jul 2025 18:43:46 +0200
Subject: Tests failing with LibreSSL 4.1.0
Message-ID: <3526b1e7-1c42-45af-9e70-542fce4e89d7@liebender.dev>

Hello,

I am the maintainer of the somewhat niche Arch Linux PKGBUILD of
freenginx-libressl [1], and the upgrade to 1.29.0 causes tests to fail
when built against LibreSSL 4.1.0:

===( 5030;59 3/11 1/11 4/7 5/8 4/8 0/9 1/8 0/? )===========
#   Failed test 'ssl server name empty'
#   at ./stream_ssl_variables.t line 137.
#          got: undef
#     expected: ''
./stream_ssl_realip.t ...................... ok
===( 5043;59 3/11 1/11 5/7 5/8 1/9 8/8 0/? )================# Looks like you failed 1 test of 8.
./stream_ssl_variables.t ................... Dubious, test returned 1 (wstat 256, 0x100)
Failed 1/8 subtests
./stream_proxy.t ........................... ok
===( 5048;59 3/11 1/11 5/8 3/9 1/12 0/? 0/? 0/? )=========
#   Failed test 'no cert'
#   at ./stream_ssl_verify_client.t line 114.
#          got: undef
#     expected: ''

#   Failed test 'bad optional cert'
#   at ./stream_ssl_verify_client.t line 115.
#          got: undef
#     expected: ''
===( 5060;59 3/11 1/11 5/8 6/9 9/12 0/8 1/4 0/11 )=======# Looks like you failed 2 tests of 12.
./stream_ssl_verify_client.t ............... Dubious, test returned 2 (wstat 512, 0x200)
Failed 2/12 subtests

Do these errors tell you anything? I don't have the PKGBUILD for 1.29.0
committed, but the respective diff only increments the version as well
as the tests' commit.

- Christoph

[1]: https://aur.archlinux.org/packages/freenginx-libressl


From mdounin at mdounin.ru  Tue Jul  8 20:50:53 2025
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Tue, 8 Jul 2025 23:50:53 +0300
Subject: Tests failing with LibreSSL 4.1.0
In-Reply-To: <3526b1e7-1c42-45af-9e70-542fce4e89d7@liebender.dev>
References: <3526b1e7-1c42-45af-9e70-542fce4e89d7@liebender.dev>
Message-ID:

Hello!

On Tue, Jul 08, 2025 at 06:43:46PM +0200, Christoph Liebender via nginx wrote:

> Hello,
> 
> I am the maintainer of the somewhat niche Arch Linux PKGBUILD of
> freenginx-libressl [1], and the upgrade to 1.29.0 causes tests to fail
> when built against LibreSSL 4.1.0:
> 
> ===( 5030;59 3/11 1/11 4/7 5/8 4/8 0/9 1/8 0/? )===========
> #   Failed test 'ssl server name empty'
> #   at ./stream_ssl_variables.t line 137.
> #          got: undef
> #     expected: ''
> ./stream_ssl_realip.t ...................... ok
> ===( 5043;59 3/11 1/11 5/7 5/8 1/9 8/8 0/? )================#
> Looks like you failed 1 test of 8.
> ./stream_ssl_variables.t ................... Dubious, test returned 1 (wstat
> 256, 0x100)
> Failed 1/8 subtests
> ./stream_proxy.t ........................... ok
> ===( 5048;59 3/11 1/11 5/8 3/9 1/12 0/? 0/? 0/? )=========
> #   Failed test 'no cert'
> #   at ./stream_ssl_verify_client.t line 114.
> #          got: undef
> #     expected: ''
> 
> #   Failed test 'bad optional cert'
> #   at ./stream_ssl_verify_client.t line 115.
> #          got: undef
> #     expected: ''
> ===( 5060;59 3/11 1/11 5/8 6/9 9/12 0/8 1/4 0/11 )=======#
> Looks like you failed 2 tests of 12.
> ./stream_ssl_verify_client.t ............... Dubious, test returned 2 (wstat
> 512, 0x200)
> Failed 2/12 subtests
> 
> Do these errors tell you anything? I don't have the PKGBUILD for 1.29.0
> committed, but the respective diff only increments the version as well
> as the tests' commit.

All the errors seem to be reported for test cases when an SSL
connection is closed by the server without sending anything.
The client is expected to see a clean connection close, yet
instead an error is returned (hence "undef").

I'm able to reproduce exactly the same errors on Arch Linux with
the previous freenginx mainline version, 1.27.6 (which is exactly the
same as stable 1.28.0).

And I don't see such errors with LibreSSL 4.1.0 on either FreeBSD
or Alpine Linux.

Further, I observe exactly the same errors on Arch Linux with
freenginx compiled with the OpenSSL library, OpenSSL 3.5.1.

That is, LibreSSL is certainly not the problem here.

And likely it's something in IO::Socket::SSL (2.094) and/or
Net::SSLeay (1.94) and/or OpenSSL 3.5.1 it uses.

Given IO::Socket::SSL changes, I tend to think it's IO::Socket::SSL
(https://metacpan.org/dist/IO-Socket-SSL/changes):

2.094 2025/06/18
- fixed memory leak introduced in 2.092
2.093 2025/06/17
- Another rework for one-sided SSL shutdown, to a) implement a useful and secure
  behavior and b) without affecting existing applications. 2.092 had still
  unwanted side effects
2.092 2025/06/16
- rework implementation and behavior for one-sided SSL shutdown. Implementation
  in 2.091 led to some problems with Net::FTP and others.
2.091 2025/06/11
- fix behavior on one-sided SSL shutdown. If the application continued
  to read after half-closing the SSL connection this could result in reading
  encrypted data (i.e. close notify, SSL session tickets ...).
  See documentation of stop_SSL for detailed description of handling
  half-closed SSL connections.

Both on FreeBSD and Alpine IO::Socket::SSL is at version 2.089,
which predates all this "one-sided SSL shutdown" hassle.

A quick test with IO::Socket::SSL manually downgraded to 2.089
suggests it's indeed the case: with IO::Socket::SSL 2.089
everything works.

Hope this helps.

-- 
Maxim Dounin
http://mdounin.ru/


From mdounin at mdounin.ru  Wed Jul  9 03:06:11 2025
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Wed, 9 Jul 2025 06:06:11 +0300
Subject: Tests failing with LibreSSL 4.1.0
In-Reply-To:
References: <3526b1e7-1c42-45af-9e70-542fce4e89d7@liebender.dev>
Message-ID:

Hello!

On Tue, Jul 08, 2025 at 11:50:53PM +0300, Maxim Dounin wrote:

> Hello!
> 
> On Tue, Jul 08, 2025 at 06:43:46PM +0200, Christoph Liebender via nginx wrote:
> 
> > Hello,
> > 
> > I am the maintainer of the somewhat niche Arch Linux PKGBUILD of
> > freenginx-libressl [1], and the upgrade to 1.29.0 causes tests to fail
> > when built against LibreSSL 4.1.0:
> > 
> > ===( 5030;59 3/11 1/11 4/7 5/8 4/8 0/9 1/8 0/? )===========
> > #   Failed test 'ssl server name empty'
> > #   at ./stream_ssl_variables.t line 137.
> > #          got: undef
> > #     expected: ''
> > ./stream_ssl_realip.t ...................... ok
> > ===( 5043;59 3/11 1/11 5/7 5/8 1/9 8/8 0/? )================#
> > Looks like you failed 1 test of 8.
> > ./stream_ssl_variables.t ................... Dubious, test returned 1 (wstat
> > 256, 0x100)
> > Failed 1/8 subtests
> > ./stream_proxy.t ........................... ok
> > ===( 5048;59 3/11 1/11 5/8 3/9 1/12 0/? 0/? 0/? )=========
> > #   Failed test 'no cert'
> > #   at ./stream_ssl_verify_client.t line 114.
> > #          got: undef
> > #     expected: ''
> > 
> > #   Failed test 'bad optional cert'
> > #   at ./stream_ssl_verify_client.t line 115.
> > #          got: undef
> > #     expected: ''
> > ===( 5060;59 3/11 1/11 5/8 6/9 9/12 0/8 1/4 0/11 )=======#
> > Looks like you failed 2 tests of 12.
> > ./stream_ssl_verify_client.t ............... Dubious, test returned 2 (wstat
> > 512, 0x200)
> > Failed 2/12 subtests
> > 
> > Do these errors tell you anything? I don't have the PKGBUILD for 1.29.0
> > committed, but the respective diff only increments the version as well
> > as the tests' commit.
> 
> All the errors seem to be reported for test cases when an SSL
> connection is closed by the server without sending anything.
> The client is expected to see a clean connection close, yet
> instead an error is returned (hence "undef").
> 
> I'm able to reproduce exactly the same errors on Arch Linux with
> the previous freenginx mainline version, 1.27.6 (which is exactly the
> same as stable 1.28.0).
> 
> And I don't see such errors with LibreSSL 4.1.0 on either FreeBSD
> or Alpine Linux.
> 
> Further, I observe exactly the same errors on Arch Linux with
> freenginx compiled with the OpenSSL library, OpenSSL 3.5.1.
> 
> That is, LibreSSL is certainly not the problem here.
> 
> And likely it's something in IO::Socket::SSL (2.094) and/or
> Net::SSLeay (1.94) and/or OpenSSL 3.5.1 it uses.
> 
> Given IO::Socket::SSL changes, I tend to think it's IO::Socket::SSL
> (https://metacpan.org/dist/IO-Socket-SSL/changes):
> 
> 2.094 2025/06/18
> - fixed memory leak introduced in 2.092
> 2.093 2025/06/17
> - Another rework for one-sided SSL shutdown, to a) implement a useful and secure
>   behavior and b) without affecting existing applications. 2.092 had still
>   unwanted side effects
> 2.092 2025/06/16
> - rework implementation and behavior for one-sided SSL shutdown. Implementation
>   in 2.091 led to some problems with Net::FTP and others.
> 2.091 2025/06/11
> - fix behavior on one-sided SSL shutdown. If the application continued
>   to read after half-closing the SSL connection this could result in reading
>   encrypted data (i.e. close notify, SSL session tickets ...).
>   See documentation of stop_SSL for detailed description of handling
>   half-closed SSL connections.
> 
> Both on FreeBSD and Alpine IO::Socket::SSL is at version 2.089,
> which predates all this "one-sided SSL shutdown" hassle.
> 
> A quick test with IO::Socket::SSL manually downgraded to 2.089
> suggests it's indeed the case: with IO::Socket::SSL 2.089
> everything works.

For the record:
https://github.com/noxxi/p5-io-socket-ssl/issues/171

-- 
Maxim Dounin
http://mdounin.ru/


From christoph at liebender.dev  Fri Jul 11 16:25:54 2025
From: christoph at liebender.dev (Christoph Liebender)
Date: Fri, 11 Jul 2025 18:25:54 +0200
Subject: Tests failing with LibreSSL 4.1.0
In-Reply-To:
References: <3526b1e7-1c42-45af-9e70-542fce4e89d7@liebender.dev>
Message-ID:

On 09.07.25 at 05:06, Maxim Dounin wrote:
> On Tue, Jul 08, 2025 at 11:50:53PM +0300, Maxim Dounin wrote:
>> A quick test with IO::Socket::SSL manually downgraded to 2.089
>> suggests it's indeed the case: with IO::Socket::SSL 2.089
>> everything works.
> 
> For the record:
> https://github.com/noxxi/p5-io-socket-ssl/issues/171

Taking my hat off for your quick responsiveness and help in resolving
this for me. Thanks!

- Christoph
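As an added example (not code from the thread, from freenginx, or from its test suite), a small IO::Socket::SSL client in the spirit of the failing test cases Maxim describes: it connects to a TLS listener that is expected to close the connection without sending anything and reports whether the client side sees a clean close (sysread returns 0, which the tests compare with '') or an error (undef with $SSL_ERROR set, the "got: undef" in the output above), alongside the installed IO::Socket::SSL version relative to the 2.091 boundary from the quoted changelog. The host and port are assumptions; point it at a local test instance.

```perl
#!/usr/bin/perl
# Added example, not from the thread or from the freenginx test suite.
# Connects to a TLS listener that is expected to close the connection
# without sending anything (the situation in the failing tests) and
# reports what the client side sees: a clean close or an error.
# Host and port are assumptions; use it only against a local test instance.

use strict;
use warnings;
use IO::Socket::SSL;

sub probe_close {
    my ($host, $port) = @_;

    my $s = IO::Socket::SSL->new(
        PeerHost        => $host,
        PeerPort        => $port,
        # local test instance with a self-signed certificate only
        SSL_verify_mode => SSL_VERIFY_NONE,
        Timeout         => 5,
    ) or return "connect/handshake failed: " . ($SSL_ERROR || $!);

    my $buf = '';
    my $n = $s->sysread($buf, 1024);

    # undef: IO::Socket::SSL reported an error; this is the "got: undef"
    # in the test output, and $SSL_ERROR says why
    return "error: " . ($SSL_ERROR || $!) unless defined $n;

    # 0: EOF, the peer closed cleanly; the tests compare this with ''
    return "clean close" if $n == 0;

    return "unexpected data ($n bytes): $buf";
}

my $host = $ARGV[0] // '127.0.0.1';
my $port = $ARGV[1] // 8443;

# 2.091 is where the changelog quoted in the thread starts reworking
# one-sided SSL shutdown handling
my $version = IO::Socket::SSL->VERSION();
printf "IO::Socket::SSL %s (%s 2.091)\n", $version,
    $version >= 2.091 ? '>=' : '<';
print probe_close($host, $port), "\n";
```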