BBlack has submitted this change and it was merged. (
https://gerrit.wikimedia.org/r/348586 )
Change subject: debian patches: forward-port WMF patches and quilt refresh
......................................................................
debian patches: forward-port WMF patches and quilt refresh
This forward-ports the WMF-specific debian patches from wmf-1.11.4
and quilt refreshes all patches.
Change-Id: Icf63c6b220cf9c33eb462eb109e1956fce3d3fb3
---
M debian/patches/0002-Make-sure-signature-stays-the-same-in-all-nginx-buil.patch
A debian/patches/0100-dynamic-tls-records.patch
A debian/patches/0500-ssl-curve.patch
A debian/patches/0600-stapling-multi-file.patch
A debian/patches/0660-version-too-low.patch
M debian/patches/series
6 files changed, 729 insertions(+), 3 deletions(-)
Approvals:
BBlack: Looks good to me, approved
jenkins-bot: Verified
diff --git
a/debian/patches/0002-Make-sure-signature-stays-the-same-in-all-nginx-buil.patch
b/debian/patches/0002-Make-sure-signature-stays-the-same-in-all-nginx-buil.patch
index 9cc3962..9e27e1a 100644
---
a/debian/patches/0002-Make-sure-signature-stays-the-same-in-all-nginx-buil.patch
+++
b/debian/patches/0002-Make-sure-signature-stays-the-same-in-all-nginx-buil.patch
@@ -13,11 +13,9 @@
configure | 4 ++++
1 file changed, 4 insertions(+)
-diff --git a/configure b/configure
-index ceff15e..3816fa1 100755
--- a/configure
+++ b/configure
-@@ -58,6 +58,10 @@ if [ "$NGX_PLATFORM" != win32 ]; then
+@@ -58,6 +58,10 @@
. auto/unix
fi
diff --git a/debian/patches/0100-dynamic-tls-records.patch
b/debian/patches/0100-dynamic-tls-records.patch
new file mode 100644
index 0000000..012239e
--- /dev/null
+++ b/debian/patches/0100-dynamic-tls-records.patch
@@ -0,0 +1,249 @@
+What we do now:
+We use a static record size of 4K. This gives a good balance of latency and
+throughput.
+
+Optimize latency:
+By initialy sending small (1 TCP segment) sized records, we are able to avoid
+HoL blocking of the first byte. This means TTFB is sometime lower by a whole
+RTT.
+
+Optimizing throughput:
+By sending increasingly larger records later in the connection, when HoL is not
+a problem, we reduce the overhead of TLS record (29 bytes per record with
+GCM/CHACHA-POLY).
+
+Logic:
+Start each connection with small records (1369 byte default, change with
+ssl_dyn_rec_size_lo). After a given number of records (40, change with
+ssl_dyn_rec_threshold) start sending larger records (4229,
ssl_dyn_rec_size_hi).
+Eventually after the same number of records, start sending the largest records
+(ssl_buffer_size).
+In case the connection idles for a given amount of time (1s,
+ssl_dyn_rec_timeout), the process repeats itself (i.e. begin sending small
+records again).
+
+--- a/src/event/ngx_event_openssl.c
++++ b/src/event/ngx_event_openssl.c
+@@ -1165,6 +1165,7 @@
+
+ sc->buffer = ((flags & NGX_SSL_BUFFER) != 0);
+ sc->buffer_size = ssl->buffer_size;
++ sc->dyn_rec = ssl->dyn_rec;
+
+ sc->session_ctx = ssl->ctx;
+
+@@ -1703,6 +1704,41 @@
+
+ for ( ;; ) {
+
++ /* Dynamic record resizing:
++ We want the initial records to fit into one TCP segment
++ so we don't get TCP HoL blocking due to TCP Slow Start.
++ A connection always starts with small records, but after
++ a given amount of records sent, we make the records larger
++ to reduce header overhead.
++ After a connection has idled for a given timeout, begin
++ the process from the start. The actual parameters are
++ configurable. If dyn_rec_timeout is 0, we assume dyn_rec is off. */
++
++ if (c->ssl->dyn_rec.timeout > 0 ) {
++
++ if (ngx_current_msec - c->ssl->dyn_rec_last_write >
++ c->ssl->dyn_rec.timeout)
++ {
++ buf->end = buf->start + c->ssl->dyn_rec.size_lo;
++ c->ssl->dyn_rec_records_sent = 0;
++
++ } else {
++ if (c->ssl->dyn_rec_records_sent >
++ c->ssl->dyn_rec.threshold * 2)
++ {
++ buf->end = buf->start + c->ssl->buffer_size;
++
++ } else if (c->ssl->dyn_rec_records_sent >
++ c->ssl->dyn_rec.threshold)
++ {
++ buf->end = buf->start + c->ssl->dyn_rec.size_hi;
++
++ } else {
++ buf->end = buf->start + c->ssl->dyn_rec.size_lo;
++ }
++ }
++ }
++
+ while (in && buf->last < buf->end && send < limit) {
+ if (in->buf->last_buf || in->buf->flush) {
+ flush = 1;
+@@ -1804,6 +1840,9 @@
+
+ if (n > 0) {
+
++ c->ssl->dyn_rec_records_sent++;
++ c->ssl->dyn_rec_last_write = ngx_current_msec;
++
+ if (c->ssl->saved_read_handler) {
+
+ c->read->handler = c->ssl->saved_read_handler;
+--- a/src/event/ngx_event_openssl.h
++++ b/src/event/ngx_event_openssl.h
+@@ -54,10 +54,19 @@
+ #define ngx_ssl_conn_t SSL
+
+
++typedef struct {
++ ngx_msec_t timeout;
++ ngx_uint_t threshold;
++ size_t size_lo;
++ size_t size_hi;
++} ngx_ssl_dyn_rec_t;
++
++
+ struct ngx_ssl_s {
+ SSL_CTX *ctx;
+ ngx_log_t *log;
+ size_t buffer_size;
++ ngx_ssl_dyn_rec_t dyn_rec;
+ };
+
+
+@@ -80,6 +89,10 @@
+ unsigned no_wait_shutdown:1;
+ unsigned no_send_shutdown:1;
+ unsigned handshake_buffer_set:1;
++
++ ngx_ssl_dyn_rec_t dyn_rec;
++ ngx_msec_t dyn_rec_last_write;
++ ngx_uint_t dyn_rec_records_sent;
+ };
+
+
+@@ -89,7 +102,7 @@
+ #define NGX_SSL_DFLT_BUILTIN_SCACHE -5
+
+
+-#define NGX_SSL_MAX_SESSION_SIZE 4096
++#define NGX_SSL_MAX_SESSION_SIZE 16384
+
+ typedef struct ngx_ssl_sess_id_s ngx_ssl_sess_id_t;
+
+--- a/src/http/modules/ngx_http_ssl_module.c
++++ b/src/http/modules/ngx_http_ssl_module.c
+@@ -233,6 +233,41 @@
+ offsetof(ngx_http_ssl_srv_conf_t, stapling_verify),
+ NULL },
+
++ { ngx_string("ssl_dyn_rec_enable"),
++ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
++ ngx_conf_set_flag_slot,
++ NGX_HTTP_SRV_CONF_OFFSET,
++ offsetof(ngx_http_ssl_srv_conf_t, dyn_rec_enable),
++ NULL },
++
++ { ngx_string("ssl_dyn_rec_timeout"),
++ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
++ ngx_conf_set_msec_slot,
++ NGX_HTTP_SRV_CONF_OFFSET,
++ offsetof(ngx_http_ssl_srv_conf_t, dyn_rec_timeout),
++ NULL },
++
++ { ngx_string("ssl_dyn_rec_size_lo"),
++ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
++ ngx_conf_set_size_slot,
++ NGX_HTTP_SRV_CONF_OFFSET,
++ offsetof(ngx_http_ssl_srv_conf_t, dyn_rec_size_lo),
++ NULL },
++
++ { ngx_string("ssl_dyn_rec_size_hi"),
++ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
++ ngx_conf_set_size_slot,
++ NGX_HTTP_SRV_CONF_OFFSET,
++ offsetof(ngx_http_ssl_srv_conf_t, dyn_rec_size_hi),
++ NULL },
++
++ { ngx_string("ssl_dyn_rec_threshold"),
++ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
++ ngx_conf_set_num_slot,
++ NGX_HTTP_SRV_CONF_OFFSET,
++ offsetof(ngx_http_ssl_srv_conf_t, dyn_rec_threshold),
++ NULL },
++
+ ngx_null_command
+ };
+
+@@ -554,6 +589,11 @@
+ sscf->session_ticket_keys = NGX_CONF_UNSET_PTR;
+ sscf->stapling = NGX_CONF_UNSET;
+ sscf->stapling_verify = NGX_CONF_UNSET;
++ sscf->dyn_rec_enable = NGX_CONF_UNSET;
++ sscf->dyn_rec_timeout = NGX_CONF_UNSET_MSEC;
++ sscf->dyn_rec_size_lo = NGX_CONF_UNSET_SIZE;
++ sscf->dyn_rec_size_hi = NGX_CONF_UNSET_SIZE;
++ sscf->dyn_rec_threshold = NGX_CONF_UNSET_UINT;
+
+ return sscf;
+ }
+@@ -619,6 +659,20 @@
+ ngx_conf_merge_str_value(conf->stapling_responder,
+ prev->stapling_responder, "");
+
++ ngx_conf_merge_value(conf->dyn_rec_enable, prev->dyn_rec_enable, 0);
++ ngx_conf_merge_msec_value(conf->dyn_rec_timeout, prev->dyn_rec_timeout,
++ 1000);
++ /* Default sizes for the dynamic record sizes are defined to fit maximal
++ TLS + IPv6 overhead in a single TCP segment for lo and 3 segments for
hi:
++ 1369 = 1500 - 40 (IP) - 20 (TCP) - 10 (Time) - 61 (Max TLS overhead) */
++ ngx_conf_merge_size_value(conf->dyn_rec_size_lo, prev->dyn_rec_size_lo,
++ 1369);
++ /* 4229 = (1500 - 40 - 20 - 10) * 3 - 61 */
++ ngx_conf_merge_size_value(conf->dyn_rec_size_hi, prev->dyn_rec_size_hi,
++ 4229);
++ ngx_conf_merge_uint_value(conf->dyn_rec_threshold,
prev->dyn_rec_threshold,
++ 40);
++
+ conf->ssl.log = cf->log;
+
+ if (conf->enable) {
+@@ -799,6 +853,28 @@
+
+ }
+
++ if (conf->dyn_rec_enable) {
++ conf->ssl.dyn_rec.timeout = conf->dyn_rec_timeout;
++ conf->ssl.dyn_rec.threshold = conf->dyn_rec_threshold;
++
++ if (conf->buffer_size > conf->dyn_rec_size_lo) {
++ conf->ssl.dyn_rec.size_lo = conf->dyn_rec_size_lo;
++
++ } else {
++ conf->ssl.dyn_rec.size_lo = conf->buffer_size;
++ }
++
++ if (conf->buffer_size > conf->dyn_rec_size_hi) {
++ conf->ssl.dyn_rec.size_hi = conf->dyn_rec_size_hi;
++
++ } else {
++ conf->ssl.dyn_rec.size_hi = conf->buffer_size;
++ }
++
++ } else {
++ conf->ssl.dyn_rec.timeout = 0;
++ }
++
+ return NGX_CONF_OK;
+ }
+
+--- a/src/http/modules/ngx_http_ssl_module.h
++++ b/src/http/modules/ngx_http_ssl_module.h
+@@ -57,6 +57,12 @@
+
+ u_char *file;
+ ngx_uint_t line;
++
++ ngx_flag_t dyn_rec_enable;
++ ngx_msec_t dyn_rec_timeout;
++ size_t dyn_rec_size_lo;
++ size_t dyn_rec_size_hi;
++ ngx_uint_t dyn_rec_threshold;
+ } ngx_http_ssl_srv_conf_t;
+
+
diff --git a/debian/patches/0500-ssl-curve.patch
b/debian/patches/0500-ssl-curve.patch
new file mode 100644
index 0000000..e40688c
--- /dev/null
+++ b/debian/patches/0500-ssl-curve.patch
@@ -0,0 +1,129 @@
+commit c26c048aa84f7cc5398150c3a2de796086d27275
+Author: Brandon Black <[email protected]>
+Date: Wed Nov 9 18:22:20 2016 +0000
+
+ XXX temp patch for curve to test
+
+ Change-Id: I51f2cd62f66d058a773103d3317b531900fe495c
+
+--- a/src/event/ngx_event_openssl.c
++++ b/src/event/ngx_event_openssl.c
+@@ -8,6 +8,7 @@
+ #include <ngx_config.h>
+ #include <ngx_core.h>
+ #include <ngx_event.h>
++#include <openssl/objects.h>
+
+
+ #define NGX_SSL_PASSWORD_BUFFER_SIZE 4096
+@@ -1274,7 +1275,6 @@
+ ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
+ "SSL reused session");
+ }
+-
+ } else {
+ ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
+ "SSL no shared ciphers");
+@@ -2486,6 +2486,7 @@
+ ngx_ssl_sess_id_t *sess_id;
+ ngx_ssl_session_cache_t *cache;
+ u_char buf[NGX_SSL_MAX_SESSION_SIZE];
++ const char *ciph;
+
+ len = i2d_SSL_SESSION(sess, NULL);
+
+@@ -2500,6 +2501,12 @@
+
+ c = ngx_ssl_get_connection(ssl_conn);
+
++ ciph = SSL_get_cipher_name(ssl_conn);
++ if (ciph && !strncmp("ECDHE-", ciph, 6))
++ c->ssl->curve_nid = SSL_get_shared_curve(c->ssl->connection, 0);
++ else
++ c->ssl->curve_nid = NID_undef;
++
+ ssl_ctx = c->ssl->session_ctx;
+ shm_zone = SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_session_cache_index);
+
+@@ -2591,6 +2598,7 @@
+ sess_id->id = id;
+ sess_id->len = len;
+ sess_id->session = cached_sess;
++ sess_id->curve_nid = c->ssl->curve_nid;
+
+ sess_id->expire = ngx_time() + SSL_CTX_get_timeout(ssl_ctx);
+
+@@ -2688,6 +2696,7 @@
+
+ if (sess_id->expire > ngx_time()) {
+ ngx_memcpy(buf, sess_id->session, sess_id->len);
++ c->ssl->curve_nid = sess_id->curve_nid;
+
+ ngx_shmtx_unlock(&shpool->mutex);
+
+@@ -3523,6 +3532,14 @@
+ return NGX_OK;
+ }
+
++
++ngx_int_t
++ngx_ssl_get_ecdhe_curve_name(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t
*s)
++{
++ s->data = (u_char *) OBJ_nid2sn(c->ssl->curve_nid);
++ return NGX_OK;
++}
++
+
+ ngx_int_t
+ ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
+--- a/src/event/ngx_event_openssl.h
++++ b/src/event/ngx_event_openssl.h
+@@ -77,6 +77,7 @@
+ ngx_int_t last;
+ ngx_buf_t *buf;
+ size_t buffer_size;
++ int curve_nid;
+
+ ngx_connection_handler_pt handler;
+
+@@ -113,6 +114,7 @@
+ u_char *session;
+ ngx_queue_t queue;
+ time_t expire;
++ int curve_nid;
+ #if (NGX_PTR_SIZE == 8)
+ void *stub;
+ u_char sess_id[32];
+@@ -209,6 +211,8 @@
+ ngx_str_t *s);
+ ngx_int_t ngx_ssl_get_curves(ngx_connection_t *c, ngx_pool_t *pool,
+ ngx_str_t *s);
++ngx_int_t ngx_ssl_get_ecdhe_curve_name(ngx_connection_t *c, ngx_pool_t *pool,
++ ngx_str_t *s);
+ ngx_int_t ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool,
+ ngx_str_t *s);
+ ngx_int_t ngx_ssl_get_session_reused(ngx_connection_t *c, ngx_pool_t *pool,
+--- a/src/http/modules/ngx_http_ssl_module.c
++++ b/src/http/modules/ngx_http_ssl_module.c
+@@ -317,6 +317,9 @@
+ { ngx_string("ssl_curves"), NULL, ngx_http_ssl_variable,
+ (uintptr_t) ngx_ssl_get_curves, NGX_HTTP_VAR_CHANGEABLE, 0 },
+
++ { ngx_string("ssl_ecdhe_curve"), NULL, ngx_http_ssl_static_variable,
++ (uintptr_t) ngx_ssl_get_ecdhe_curve_name, NGX_HTTP_VAR_CHANGEABLE, 0 },
++
+ { ngx_string("ssl_session_id"), NULL, ngx_http_ssl_variable,
+ (uintptr_t) ngx_ssl_get_session_id, NGX_HTTP_VAR_CHANGEABLE, 0 },
+
+--- a/src/stream/ngx_stream_ssl_module.c
++++ b/src/stream/ngx_stream_ssl_module.c
+@@ -232,6 +232,9 @@
+ { ngx_string("ssl_curves"), NULL, ngx_stream_ssl_variable,
+ (uintptr_t) ngx_ssl_get_curves, NGX_STREAM_VAR_CHANGEABLE, 0 },
+
++ { ngx_string("ssl_ecdhe_curve"), NULL, ngx_stream_ssl_static_variable,
++ (uintptr_t) ngx_ssl_get_ecdhe_curve_name, NGX_STREAM_VAR_CHANGEABLE, 0
},
++
+ { ngx_string("ssl_session_id"), NULL, ngx_stream_ssl_variable,
+ (uintptr_t) ngx_ssl_get_session_id, NGX_STREAM_VAR_CHANGEABLE, 0 },
+
diff --git a/debian/patches/0600-stapling-multi-file.patch
b/debian/patches/0600-stapling-multi-file.patch
new file mode 100644
index 0000000..c9fec21
--- /dev/null
+++ b/debian/patches/0600-stapling-multi-file.patch
@@ -0,0 +1,336 @@
+--- a/src/event/ngx_event_openssl.c
++++ b/src/event/ngx_event_openssl.c
+@@ -347,30 +347,39 @@
+
+ ngx_int_t
+ ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *certs,
+- ngx_array_t *keys, ngx_array_t *passwords)
++ ngx_array_t *keys, ngx_array_t *passwords, ngx_flag_t stapling,
++ ngx_array_t *stapling_files, ngx_str_t *stapling_responder,
++ ngx_uint_t stapling_verify)
+ {
+- ngx_str_t *cert, *key;
++ ngx_str_t *cert, *key, *staple_file;
+ ngx_uint_t i;
+
+ cert = certs->elts;
+ key = keys->elts;
++ staple_file = stapling_files ? stapling_files->elts : NULL;
+
+ for (i = 0; i < certs->nelts; i++) {
+-
+- if (ngx_ssl_certificate(cf, ssl, &cert[i], &key[i], passwords)
+- != NGX_OK)
++ if (ngx_ssl_certificate(cf, ssl, &cert[i], &key[i], passwords,
++ stapling, staple_file ? &staple_file[i] :
NULL,
++ stapling_responder, stapling_verify) !=
NGX_OK)
+ {
+ return NGX_ERROR;
+ }
+ }
+
++ if (stapling) {
++ SSL_CTX_set_tlsext_status_cb(ssl->ctx,
++ ngx_ssl_certificate_status_callback);
++ }
++
+ return NGX_OK;
+ }
+
+-
+ ngx_int_t
+ ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
+- ngx_str_t *key, ngx_array_t *passwords)
++ ngx_str_t *key, ngx_array_t *passwords, ngx_flag_t stapling,
++ ngx_str_t* staple_file, ngx_str_t* stapling_responder,
++ ngx_uint_t stapling_verify)
+ {
+ BIO *bio;
+ X509 *x509;
+@@ -430,6 +439,15 @@
+ return NGX_ERROR;
+ }
+
++ if (stapling) {
++ if (ngx_ssl_stapling_certificate(cf, ssl, x509, staple_file,
++ stapling_responder, stapling_verify)
++ != NGX_OK)
++ {
++ return NGX_ERROR;
++ }
++ }
++
+ if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_certificate_index, x509)
+ == 0)
+ {
+--- a/src/event/ngx_event_openssl.h
++++ b/src/event/ngx_event_openssl.h
+@@ -157,9 +157,13 @@
+ ngx_int_t ngx_ssl_init(ngx_log_t *log);
+ ngx_int_t ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data);
+ ngx_int_t ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl,
+- ngx_array_t *certs, ngx_array_t *keys, ngx_array_t *passwords);
++ ngx_array_t *certs, ngx_array_t *keys, ngx_array_t *passwords,
++ ngx_flag_t stapling, ngx_array_t *stapling_files,
++ ngx_str_t *stapling_responder, ngx_uint_t stapling_verify);
+ ngx_int_t ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
+- ngx_str_t *cert, ngx_str_t *key, ngx_array_t *passwords);
++ ngx_str_t *cert, ngx_str_t *key, ngx_array_t *passwords,
++ ngx_flag_t stapling, ngx_str_t* staple_file,
++ ngx_str_t* stapling_responder, ngx_uint_t stapling_verify);
+ ngx_int_t ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers,
+ ngx_uint_t prefer_server_ciphers);
+ ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
+@@ -167,10 +171,12 @@
+ ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
+ ngx_str_t *cert, ngx_int_t depth);
+ ngx_int_t ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl);
+-ngx_int_t ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl,
+- ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify);
++ngx_int_t ngx_ssl_stapling_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
++ X509 *cert, ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify);
+ ngx_int_t ngx_ssl_stapling_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl,
+ ngx_resolver_t *resolver, ngx_msec_t resolver_timeout);
++int ngx_ssl_certificate_status_callback(ngx_ssl_conn_t *ssl_conn,
++ void *data);
+ RSA *ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export,
+ int key_length);
+ ngx_array_t *ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file);
+--- a/src/event/ngx_event_openssl_stapling.c
++++ b/src/event/ngx_event_openssl_stapling.c
+@@ -87,8 +87,6 @@
+ };
+
+
+-static ngx_int_t ngx_ssl_stapling_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
+- X509 *cert, ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify);
+ static ngx_int_t ngx_ssl_stapling_file(ngx_conf_t *cf, ngx_ssl_t *ssl,
+ ngx_ssl_stapling_t *staple, ngx_str_t *file);
+ static ngx_int_t ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl,
+@@ -96,8 +94,6 @@
+ static ngx_int_t ngx_ssl_stapling_responder(ngx_conf_t *cf, ngx_ssl_t *ssl,
+ ngx_ssl_stapling_t *staple, ngx_str_t *responder);
+
+-static int ngx_ssl_certificate_status_callback(ngx_ssl_conn_t *ssl_conn,
+- void *data);
+ static void ngx_ssl_stapling_update(ngx_ssl_stapling_t *staple);
+ static void ngx_ssl_stapling_ocsp_handler(ngx_ssl_ocsp_ctx_t *ctx);
+
+@@ -125,29 +121,6 @@
+
+
+ ngx_int_t
+-ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file,
+- ngx_str_t *responder, ngx_uint_t verify)
+-{
+- X509 *cert;
+-
+- for (cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index);
+- cert;
+- cert = X509_get_ex_data(cert, ngx_ssl_next_certificate_index))
+- {
+- if (ngx_ssl_stapling_certificate(cf, ssl, cert, file, responder,
verify)
+- != NGX_OK)
+- {
+- return NGX_ERROR;
+- }
+- }
+-
+- SSL_CTX_set_tlsext_status_cb(ssl->ctx,
ngx_ssl_certificate_status_callback);
+-
+- return NGX_OK;
+-}
+-
+-
+-static ngx_int_t
+ ngx_ssl_stapling_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, X509 *cert,
+ ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify)
+ {
+@@ -494,7 +467,7 @@
+ }
+
+
+-static int
++int
+ ngx_ssl_certificate_status_callback(ngx_ssl_conn_t *ssl_conn, void *data)
+ {
+ int rc;
+--- a/src/http/modules/ngx_http_proxy_module.c
++++ b/src/http/modules/ngx_http_proxy_module.c
+@@ -4351,7 +4351,8 @@
+ }
+
+ if (ngx_ssl_certificate(cf, plcf->upstream.ssl,
&plcf->ssl_certificate,
+- &plcf->ssl_certificate_key,
plcf->ssl_passwords)
++ &plcf->ssl_certificate_key,
plcf->ssl_passwords,
++ 0, NULL, NULL, 0)
+ != NGX_OK)
+ {
+ return NGX_ERROR;
+--- a/src/http/modules/ngx_http_ssl_module.c
++++ b/src/http/modules/ngx_http_ssl_module.c
+@@ -214,9 +214,9 @@
+
+ { ngx_string("ssl_stapling_file"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+- ngx_conf_set_str_slot,
++ ngx_conf_set_str_array_slot,
+ NGX_HTTP_SRV_CONF_OFFSET,
+- offsetof(ngx_http_ssl_srv_conf_t, stapling_file),
++ offsetof(ngx_http_ssl_srv_conf_t, stapling_files),
+ NULL },
+
+ { ngx_string("ssl_stapling_responder"),
+@@ -574,7 +574,6 @@
+ * sscf->crl = { 0, NULL };
+ * sscf->ciphers = { 0, NULL };
+ * sscf->shm_zone = NULL;
+- * sscf->stapling_file = { 0, NULL };
+ * sscf->stapling_responder = { 0, NULL };
+ */
+
+@@ -591,6 +590,7 @@
+ sscf->session_tickets = NGX_CONF_UNSET;
+ sscf->session_ticket_keys = NGX_CONF_UNSET_PTR;
+ sscf->stapling = NGX_CONF_UNSET;
++ sscf->stapling_files = NGX_CONF_UNSET_PTR;
+ sscf->stapling_verify = NGX_CONF_UNSET;
+ sscf->dyn_rec_enable = NGX_CONF_UNSET;
+ sscf->dyn_rec_timeout = NGX_CONF_UNSET_MSEC;
+@@ -607,6 +607,8 @@
+ {
+ ngx_http_ssl_srv_conf_t *prev = parent;
+ ngx_http_ssl_srv_conf_t *conf = child;
++ ngx_str_t *temp_str;
++ ngx_uint_t i;
+
+ ngx_pool_cleanup_t *cln;
+
+@@ -658,7 +660,7 @@
+
+ ngx_conf_merge_value(conf->stapling, prev->stapling, 0);
+ ngx_conf_merge_value(conf->stapling_verify, prev->stapling_verify, 0);
+- ngx_conf_merge_str_value(conf->stapling_file, prev->stapling_file, "");
++ ngx_conf_merge_ptr_value(conf->stapling_files, prev->stapling_files,
NULL);
+ ngx_conf_merge_str_value(conf->stapling_responder,
+ prev->stapling_responder, "");
+
+@@ -707,6 +709,30 @@
+ return NGX_CONF_ERROR;
+ }
+
++ if (conf->stapling && conf->stapling_files
++ && conf->stapling_files->nelts < conf->certificates->nelts) {
++ ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
++ "no \"ssl_stapling_file\" is defined "
++ "for certificate \"%V\" and "
++ "the \"ssl\" directive in %s:%ui",
++ ((ngx_str_t *) conf->certificates->elts)
++ + conf->certificates->nelts - 1,
++ conf->file, conf->line);
++ /*
++ * Should "return NGX_CONF_ERROR;" here universally, but instead
++ * this patch allows a singular "ssl_stapling_file" to apply to
all
++ * certs (but still with the log output above), preserving
existing
++ * beahvior while config files are migrated.
++ */
++ if (conf->stapling_files->nelts > 1)
++ return NGX_CONF_ERROR;
++ i = conf->certificates->nelts;
++ while (--i) {
++ temp_str = ngx_array_push(conf->stapling_files);
++ *temp_str = *((ngx_str_t*)conf->stapling_files->elts);
++ }
++ }
++
+ } else {
+
+ if (conf->certificates == NULL) {
+@@ -761,7 +787,9 @@
+ cln->data = &conf->ssl;
+
+ if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates,
+- conf->certificate_keys, conf->passwords)
++ conf->certificate_keys, conf->passwords,
++ conf->stapling, conf->stapling_files,
++ &conf->stapling_responder, conf->stapling_verify)
+ != NGX_OK)
+ {
+ return NGX_CONF_ERROR;
+@@ -845,17 +873,6 @@
+ return NGX_CONF_ERROR;
+ }
+
+- if (conf->stapling) {
+-
+- if (ngx_ssl_stapling(cf, &conf->ssl, &conf->stapling_file,
+- &conf->stapling_responder, conf->stapling_verify)
+- != NGX_OK)
+- {
+- return NGX_CONF_ERROR;
+- }
+-
+- }
+-
+ if (conf->dyn_rec_enable) {
+ conf->ssl.dyn_rec.timeout = conf->dyn_rec_timeout;
+ conf->ssl.dyn_rec.threshold = conf->dyn_rec_threshold;
+--- a/src/http/modules/ngx_http_ssl_module.h
++++ b/src/http/modules/ngx_http_ssl_module.h
+@@ -52,7 +52,7 @@
+
+ ngx_flag_t stapling;
+ ngx_flag_t stapling_verify;
+- ngx_str_t stapling_file;
++ ngx_array_t *stapling_files;
+ ngx_str_t stapling_responder;
+
+ u_char *file;
+--- a/src/http/modules/ngx_http_uwsgi_module.c
++++ b/src/http/modules/ngx_http_uwsgi_module.c
+@@ -2354,7 +2354,8 @@
+ }
+
+ if (ngx_ssl_certificate(cf, uwcf->upstream.ssl,
&uwcf->ssl_certificate,
+- &uwcf->ssl_certificate_key,
uwcf->ssl_passwords)
++ &uwcf->ssl_certificate_key,
uwcf->ssl_passwords,
++ 0, NULL, NULL, 0)
+ != NGX_OK)
+ {
+ return NGX_ERROR;
+--- a/src/mail/ngx_mail_ssl_module.c
++++ b/src/mail/ngx_mail_ssl_module.c
+@@ -387,7 +387,8 @@
+ cln->data = &conf->ssl;
+
+ if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates,
+- conf->certificate_keys, conf->passwords)
++ conf->certificate_keys, conf->passwords,
++ 0, NULL, NULL, 0)
+ != NGX_OK)
+ {
+ return NGX_CONF_ERROR;
+--- a/src/stream/ngx_stream_proxy_module.c
++++ b/src/stream/ngx_stream_proxy_module.c
+@@ -1983,7 +1983,8 @@
+ }
+
+ if (ngx_ssl_certificate(cf, pscf->ssl, &pscf->ssl_certificate,
+- &pscf->ssl_certificate_key,
pscf->ssl_passwords)
++ &pscf->ssl_certificate_key,
pscf->ssl_passwords,
++ 0, NULL, NULL, 0)
+ != NGX_OK)
+ {
+ return NGX_ERROR;
+--- a/src/stream/ngx_stream_ssl_module.c
++++ b/src/stream/ngx_stream_ssl_module.c
+@@ -601,7 +601,8 @@
+ cln->data = &conf->ssl;
+
+ if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates,
+- conf->certificate_keys, conf->passwords)
++ conf->certificate_keys, conf->passwords,
++ 0, NULL, NULL, 0)
+ != NGX_OK)
+ {
+ return NGX_CONF_ERROR;
diff --git a/debian/patches/0660-version-too-low.patch
b/debian/patches/0660-version-too-low.patch
new file mode 100644
index 0000000..e34f164
--- /dev/null
+++ b/debian/patches/0660-version-too-low.patch
@@ -0,0 +1,10 @@
+--- a/src/event/ngx_event_openssl.c
++++ b/src/event/ngx_event_openssl.c
+@@ -2142,6 +2142,7 @@
+ #ifdef SSL_R_INAPPROPRIATE_FALLBACK
+ || n == SSL_R_INAPPROPRIATE_FALLBACK /* 373
*/
+ #endif
++ || n == SSL_R_VERSION_TOO_LOW /* 396
*/
+ || n == 1000 /* SSL_R_SSLV3_ALERT_CLOSE_NOTIFY */
+ #ifdef SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE
+ || n == SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE /* 1010
*/
diff --git a/debian/patches/series b/debian/patches/series
index ae0cb1a..985913f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,7 @@
0000-master-src-1.11.13.patch
0002-Make-sure-signature-stays-the-same-in-all-nginx-buil.patch
0003-define_gnu_source-on-other-glibc-based-platforms.patch
+0100-dynamic-tls-records.patch
+0500-ssl-curve.patch
+0600-stapling-multi-file.patch
+0660-version-too-low.patch
--
To view, visit https://gerrit.wikimedia.org/r/348586
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: Icf63c6b220cf9c33eb462eb109e1956fce3d3fb3
Gerrit-PatchSet: 2
Gerrit-Project: operations/software/nginx
Gerrit-Branch: wmf-1.11.10
Gerrit-Owner: BBlack <[email protected]>
Gerrit-Reviewer: BBlack <[email protected]>
Gerrit-Reviewer: jenkins-bot <>
_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
