Hello community, here is the log from the commit of package nginx for openSUSE:Factory checked in at 2018-07-31 16:03:10 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/nginx (Old) and /work/SRC/openSUSE:Factory/.nginx.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "nginx" Tue Jul 31 16:03:10 2018 rev:27 rq:626497 version:1.15.2 Changes: -------- --- /work/SRC/openSUSE:Factory/nginx/nginx.changes 2018-07-25 16:13:32.561973708 +0200 +++ /work/SRC/openSUSE:Factory/.nginx.new/nginx.changes 2018-07-31 16:03:16.535941760 +0200 @@ -1,0 +2,23 @@ +Mon Jul 30 12:21:26 UTC 2018 - mrueck...@suse.de + +- update to 1.15.2 + - Feature: the $ssl_preread_protocol variable in the + ngx_stream_ssl_preread_module. + - Feature: now when using the "reset_timedout_connection" + directive nginx will reset connections being closed with the + 444 code. + - Change: a logging level of the "http request", "https proxy + request", "unsupported protocol", and "version too low" SSL + errors has been lowered from "crit" to "info". + - Bugfix: DNS requests were not resent if initial sending of a + request failed. + - Bugfix: the "reuseport" parameter of the "listen" directive was + ignored if the number of worker processes was specified after + the "listen" directive. + - Bugfix: when using OpenSSL 1.1.0 or newer it was not possible + to switch off "ssl_prefer_server_ciphers" in a virtual server + if it was switched on in the default server. + - Bugfix: SSL session reuse with upstream servers did not work + with the TLS 1.3 protocol. + +------------------------------------------------------------------- @@ -4 +27 @@ -- update 1.15.1 +- update to 1.15.1 Old: ---- nginx-1.15.1.tar.gz nginx-1.15.1.tar.gz.asc New: ---- nginx-1.15.2.tar.gz nginx-1.15.2.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ nginx.spec ++++++ --- /var/tmp/diff_new_pack.eUOwvh/_old 2018-07-31 16:03:17.535943462 +0200 +++ /var/tmp/diff_new_pack.eUOwvh/_new 2018-07-31 16:03:17.539943470 +0200 @@ -70,7 +70,7 @@ %define ngx_doc_dir %{_datadir}/doc/packages/%{name} # Name: nginx -Version: 1.15.1 +Version: 1.15.2 Release: 0 %define ngx_fancyindex_version 0.4.2 %define ngx_fancyindex_module_path ngx-fancyindex-%{ngx_fancyindex_version} ++++++ nginx-1.15.1.tar.gz -> nginx-1.15.2.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.15.1/CHANGES new/nginx-1.15.2/CHANGES --- old/nginx-1.15.1/CHANGES 2018-07-03 17:07:51.000000000 +0200 +++ new/nginx-1.15.2/CHANGES 2018-07-24 15:11:08.000000000 +0200 @@ -1,4 +1,31 @@ +Changes with nginx 1.15.2 24 Jul 2018 + + *) Feature: the $ssl_preread_protocol variable in the + ngx_stream_ssl_preread_module. + + *) Feature: now when using the "reset_timedout_connection" directive + nginx will reset connections being closed with the 444 code. + + *) Change: a logging level of the "http request", "https proxy request", + "unsupported protocol", and "version too low" SSL errors has been + lowered from "crit" to "info". + + *) Bugfix: DNS requests were not resent if initial sending of a request + failed. + + *) Bugfix: the "reuseport" parameter of the "listen" directive was + ignored if the number of worker processes was specified after the + "listen" directive. + + *) Bugfix: when using OpenSSL 1.1.0 or newer it was not possible to + switch off "ssl_prefer_server_ciphers" in a virtual server if it was + switched on in the default server. + + *) Bugfix: SSL session reuse with upstream servers did not work with the + TLS 1.3 protocol. + + Changes with nginx 1.15.1 03 Jul 2018 *) Feature: the "random" directive inside the "upstream" block. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.15.1/CHANGES.ru new/nginx-1.15.2/CHANGES.ru --- old/nginx-1.15.1/CHANGES.ru 2018-07-03 17:07:49.000000000 +0200 +++ new/nginx-1.15.2/CHANGES.ru 2018-07-24 15:11:05.000000000 +0200 @@ -1,4 +1,31 @@ +Изменения в nginx 1.15.2 24.07.2018 + + *) Добавление: переменная $ssl_preread_protocol в модуле + ngx_stream_ssl_preread_module. + + *) Добавление: теперь при использовании директивы + reset_timedout_connection nginx сбрасывает соединения, закрываемые с + кодом 444. + + *) Изменение: уровень логгирования ошибок SSL "http request", "https + proxy request", "unsupported protocol" и "version too low" понижен с + уровня crit до info. + + *) Исправление: запросы к DNS-серверу не отправлялись повторно, если при + первой попытке отправки происходила ошибка. + + *) Исправление: параметр reuseport директивы listen игнорировался, если + количество рабочих процессов было задано после директивы listen. + + *) Исправление: при использовании OpenSSL 1.1.0 и новее директиву + ssl_prefer_server_ciphers нельзя было выключить в виртуальном + сервере, если она была включена в сервере по умолчанию. + + *) Исправление: повторное использование SSL-сессий к бэкендам не + работало с протоколом TLS 1.3. + + Изменения в nginx 1.15.1 03.07.2018 *) Добавление: директива random в блоке upstream. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.15.1/src/core/nginx.h new/nginx-1.15.2/src/core/nginx.h --- old/nginx-1.15.1/src/core/nginx.h 2018-07-03 17:07:44.000000000 +0200 +++ new/nginx-1.15.2/src/core/nginx.h 2018-07-24 15:11:00.000000000 +0200 @@ -9,8 +9,8 @@ #define _NGINX_H_INCLUDED_ -#define nginx_version 1015001 -#define NGINX_VERSION "1.15.1" +#define nginx_version 1015002 +#define NGINX_VERSION "1.15.2" #define NGINX_VER "nginx/" NGINX_VERSION #ifdef NGX_BUILD diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.15.1/src/core/ngx_connection.c new/nginx-1.15.2/src/core/ngx_connection.c --- old/nginx-1.15.1/src/core/ngx_connection.c 2018-07-03 17:07:44.000000000 +0200 +++ new/nginx-1.15.2/src/core/ngx_connection.c 2018-07-24 15:11:00.000000000 +0200 @@ -96,7 +96,7 @@ ngx_int_t -ngx_clone_listening(ngx_conf_t *cf, ngx_listening_t *ls) +ngx_clone_listening(ngx_cycle_t *cycle, ngx_listening_t *ls) { #if (NGX_HAVE_REUSEPORT) @@ -104,20 +104,19 @@ ngx_core_conf_t *ccf; ngx_listening_t ols; - if (!ls->reuseport) { + if (!ls->reuseport || ls->worker != 0) { return NGX_OK; } ols = *ls; - ccf = (ngx_core_conf_t *) ngx_get_conf(cf->cycle->conf_ctx, - ngx_core_module); + ccf = (ngx_core_conf_t *) ngx_get_conf(cycle->conf_ctx, ngx_core_module); for (n = 1; n < ccf->worker_processes; n++) { /* create a socket for each worker process */ - ls = ngx_array_push(&cf->cycle->listening); + ls = ngx_array_push(&cycle->listening); if (ls == NULL) { return NGX_ERROR; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.15.1/src/core/ngx_connection.h new/nginx-1.15.2/src/core/ngx_connection.h --- old/nginx-1.15.1/src/core/ngx_connection.h 2018-07-03 17:07:44.000000000 +0200 +++ new/nginx-1.15.2/src/core/ngx_connection.h 2018-07-24 15:11:00.000000000 +0200 @@ -210,7 +210,7 @@ ngx_listening_t *ngx_create_listening(ngx_conf_t *cf, struct sockaddr *sockaddr, socklen_t socklen); -ngx_int_t ngx_clone_listening(ngx_conf_t *cf, ngx_listening_t *ls); +ngx_int_t ngx_clone_listening(ngx_cycle_t *cycle, ngx_listening_t *ls); ngx_int_t ngx_set_inherited_sockets(ngx_cycle_t *cycle); ngx_int_t ngx_open_listening_sockets(ngx_cycle_t *cycle); void ngx_configure_listening_sockets(ngx_cycle_t *cycle); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.15.1/src/core/ngx_resolver.c new/nginx-1.15.2/src/core/ngx_resolver.c --- old/nginx-1.15.1/src/core/ngx_resolver.c 2018-07-03 17:07:44.000000000 +0200 +++ new/nginx-1.15.2/src/core/ngx_resolver.c 2018-07-24 15:11:00.000000000 +0200 @@ -847,7 +847,15 @@ rn->nsrvs = 0; if (ngx_resolver_send_query(r, rn) != NGX_OK) { - goto failed; + + /* immediately retry once on failure */ + + rn->last_connection++; + if (rn->last_connection == r->connections.nelts) { + rn->last_connection = 0; + } + + (void) ngx_resolver_send_query(r, rn); } if (ngx_resolver_set_timeout(r, ctx) != NGX_OK) { @@ -1051,7 +1059,15 @@ rn->nsrvs = 0; if (ngx_resolver_send_query(r, rn) != NGX_OK) { - goto failed; + + /* immediately retry once on failure */ + + rn->last_connection++; + if (rn->last_connection == r->connections.nelts) { + rn->last_connection = 0; + } + + (void) ngx_resolver_send_query(r, rn); } if (ngx_resolver_set_timeout(r, ctx) != NGX_OK) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.15.1/src/event/ngx_event.c new/nginx-1.15.2/src/event/ngx_event.c --- old/nginx-1.15.1/src/event/ngx_event.c 2018-07-03 17:07:44.000000000 +0200 +++ new/nginx-1.15.2/src/event/ngx_event.c 2018-07-24 15:11:00.000000000 +0200 @@ -410,12 +410,52 @@ static char * ngx_event_init_conf(ngx_cycle_t *cycle, void *conf) { +#if (NGX_HAVE_REUSEPORT) + ngx_uint_t i; + ngx_listening_t *ls; +#endif + if (ngx_get_conf(cycle->conf_ctx, ngx_events_module) == NULL) { ngx_log_error(NGX_LOG_EMERG, cycle->log, 0, "no \"events\" section in configuration"); return NGX_CONF_ERROR; } + if (cycle->connection_n < cycle->listening.nelts + 1) { + + /* + * there should be at least one connection for each listening + * socket, plus an additional connection for channel + */ + + ngx_log_error(NGX_LOG_EMERG, cycle->log, 0, + "%ui worker_connections are not enough " + "for %ui listening sockets", + cycle->connection_n, cycle->listening.nelts); + + return NGX_CONF_ERROR; + } + +#if (NGX_HAVE_REUSEPORT) + + ls = cycle->listening.elts; + for (i = 0; i < cycle->listening.nelts; i++) { + + if (!ls[i].reuseport || ls[i].worker != 0) { + continue; + } + + if (ngx_clone_listening(cycle, &ls[i]) != NGX_OK) { + return NGX_CONF_ERROR; + } + + /* cloning may change cycle->listening.elts */ + + ls = cycle->listening.elts; + } + +#endif + return NGX_CONF_OK; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.15.1/src/event/ngx_event_openssl.c new/nginx-1.15.2/src/event/ngx_event_openssl.c --- old/nginx-1.15.1/src/event/ngx_event_openssl.c 2018-07-03 17:07:44.000000000 +0200 +++ new/nginx-1.15.2/src/event/ngx_event_openssl.c 2018-07-24 15:11:00.000000000 +0200 @@ -24,6 +24,8 @@ static void ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, int ret); static void ngx_ssl_passwords_cleanup(void *data); +static int ngx_ssl_new_client_session(ngx_ssl_conn_t *ssl_conn, + ngx_ssl_session_t *sess); static void ngx_ssl_handshake_handler(ngx_event_t *ev); static ngx_int_t ngx_ssl_handle_recv(ngx_connection_t *c, int n); static void ngx_ssl_write_handler(ngx_event_t *wev); @@ -295,7 +297,7 @@ SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE); -#ifdef SSL_CTRL_CLEAR_OPTIONS +#if OPENSSL_VERSION_NUMBER >= 0x009080dfL /* only in 0.9.8m+ */ SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1); @@ -1162,6 +1164,42 @@ ngx_int_t +ngx_ssl_client_session_cache(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_uint_t enable) +{ + if (!enable) { + return NGX_OK; + } + + SSL_CTX_set_session_cache_mode(ssl->ctx, + SSL_SESS_CACHE_CLIENT + |SSL_SESS_CACHE_NO_INTERNAL); + + SSL_CTX_sess_set_new_cb(ssl->ctx, ngx_ssl_new_client_session); + + return NGX_OK; +} + + +static int +ngx_ssl_new_client_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess) +{ + ngx_connection_t *c; + + c = ngx_ssl_get_connection(ssl_conn); + + if (c->ssl->save_session) { + c->ssl->session = sess; + + c->ssl->save_session(c); + + c->ssl->session = NULL; + } + + return 0; +} + + +ngx_int_t ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, ngx_uint_t flags) { ngx_ssl_connection_t *sc; @@ -1193,6 +1231,10 @@ } else { SSL_set_accept_state(sc->connection); + +#ifdef SSL_OP_NO_RENEGOTIATION + SSL_set_options(sc->connection, SSL_OP_NO_RENEGOTIATION); +#endif } if (SSL_set_ex_data(sc->connection, ngx_ssl_connection_index, c) == 0) { @@ -1206,6 +1248,31 @@ } +ngx_ssl_session_t * +ngx_ssl_get_session(ngx_connection_t *c) +{ +#ifdef TLS1_3_VERSION + if (c->ssl->session) { + SSL_SESSION_up_ref(c->ssl->session); + return c->ssl->session; + } +#endif + + return SSL_get1_session(c->ssl->connection); +} + + +ngx_ssl_session_t * +ngx_ssl_get0_session(ngx_connection_t *c) +{ + if (c->ssl->session) { + return c->ssl->session; + } + + return SSL_get0_session(c->ssl->connection); +} + + ngx_int_t ngx_ssl_set_session(ngx_connection_t *c, ngx_ssl_session_t *session) { @@ -2062,6 +2129,8 @@ || n == SSL_R_DIGEST_CHECK_FAILED /* 149 */ || n == SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST /* 151 */ || n == SSL_R_EXCESSIVE_MESSAGE_SIZE /* 152 */ + || n == SSL_R_HTTPS_PROXY_REQUEST /* 155 */ + || n == SSL_R_HTTP_REQUEST /* 156 */ || n == SSL_R_LENGTH_MISMATCH /* 159 */ #ifdef SSL_R_NO_CIPHERS_PASSED || n == SSL_R_NO_CIPHERS_PASSED /* 182 */ @@ -2077,6 +2146,7 @@ || n == SSL_R_UNEXPECTED_RECORD /* 245 */ || n == SSL_R_UNKNOWN_ALERT_TYPE /* 246 */ || n == SSL_R_UNKNOWN_PROTOCOL /* 252 */ + || n == SSL_R_UNSUPPORTED_PROTOCOL /* 258 */ || n == SSL_R_WRONG_VERSION_NUMBER /* 267 */ || n == SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC /* 281 */ #ifdef SSL_R_RENEGOTIATE_EXT_TOO_LONG @@ -2093,6 +2163,9 @@ #ifdef SSL_R_INAPPROPRIATE_FALLBACK || n == SSL_R_INAPPROPRIATE_FALLBACK /* 373 */ #endif +#ifdef SSL_R_VERSION_TOO_LOW + || n == SSL_R_VERSION_TOO_LOW /* 396 */ +#endif || n == 1000 /* SSL_R_SSLV3_ALERT_CLOSE_NOTIFY */ #ifdef SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE || n == SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE /* 1010 */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.15.1/src/event/ngx_event_openssl.h new/nginx-1.15.2/src/event/ngx_event_openssl.h --- old/nginx-1.15.1/src/event/ngx_event_openssl.h 2018-07-03 17:07:44.000000000 +0200 +++ new/nginx-1.15.2/src/event/ngx_event_openssl.h 2018-07-24 15:11:00.000000000 +0200 @@ -77,6 +77,9 @@ ngx_connection_handler_pt handler; + ngx_ssl_session_t *session; + ngx_connection_handler_pt save_session; + ngx_event_handler_pt saved_read_handler; ngx_event_handler_pt saved_write_handler; @@ -168,6 +171,8 @@ ngx_array_t *ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file); ngx_int_t ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file); ngx_int_t ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name); +ngx_int_t ngx_ssl_client_session_cache(ngx_conf_t *cf, ngx_ssl_t *ssl, + ngx_uint_t enable); ngx_int_t ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx, ssize_t builtin_session_cache, ngx_shm_zone_t *shm_zone, time_t timeout); ngx_int_t ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl, @@ -178,7 +183,8 @@ void ngx_ssl_remove_cached_session(SSL_CTX *ssl, ngx_ssl_session_t *sess); ngx_int_t ngx_ssl_set_session(ngx_connection_t *c, ngx_ssl_session_t *session); -#define ngx_ssl_get_session(c) SSL_get1_session(c->ssl->connection) +ngx_ssl_session_t *ngx_ssl_get_session(ngx_connection_t *c); +ngx_ssl_session_t *ngx_ssl_get0_session(ngx_connection_t *c); #define ngx_ssl_free_session SSL_SESSION_free #define ngx_ssl_get_connection(ssl_conn) \ SSL_get_ex_data(ssl_conn, ngx_ssl_connection_index) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.15.1/src/http/modules/ngx_http_fastcgi_module.c new/nginx-1.15.2/src/http/modules/ngx_http_fastcgi_module.c --- old/nginx-1.15.1/src/http/modules/ngx_http_fastcgi_module.c 2018-07-03 17:07:44.000000000 +0200 +++ new/nginx-1.15.2/src/http/modules/ngx_http_fastcgi_module.c 2018-07-24 15:11:00.000000000 +0200 @@ -3501,7 +3501,7 @@ clcf->handler = ngx_http_fastcgi_handler; - if (clcf->name.data[clcf->name.len - 1] == '/') { + if (clcf->name.len && clcf->name.data[clcf->name.len - 1] == '/') { clcf->auto_redirect = 1; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.15.1/src/http/modules/ngx_http_grpc_module.c new/nginx-1.15.2/src/http/modules/ngx_http_grpc_module.c --- old/nginx-1.15.1/src/http/modules/ngx_http_grpc_module.c 2018-07-03 17:07:44.000000000 +0200 +++ new/nginx-1.15.2/src/http/modules/ngx_http_grpc_module.c 2018-07-24 15:11:00.000000000 +0200 @@ -4525,7 +4525,7 @@ clcf->handler = ngx_http_grpc_handler; - if (clcf->name.data[clcf->name.len - 1] == '/') { + if (clcf->name.len && clcf->name.data[clcf->name.len - 1] == '/') { clcf->auto_redirect = 1; } @@ -4627,6 +4627,13 @@ } } + if (ngx_ssl_client_session_cache(cf, glcf->upstream.ssl, + glcf->upstream.ssl_session_reuse) + != NGX_OK) + { + return NGX_ERROR; + } + #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation if (SSL_CTX_set_alpn_protos(glcf->upstream.ssl->ctx, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.15.1/src/http/modules/ngx_http_memcached_module.c new/nginx-1.15.2/src/http/modules/ngx_http_memcached_module.c --- old/nginx-1.15.1/src/http/modules/ngx_http_memcached_module.c 2018-07-03 17:07:44.000000000 +0200 +++ new/nginx-1.15.2/src/http/modules/ngx_http_memcached_module.c 2018-07-24 15:11:00.000000000 +0200 @@ -707,7 +707,7 @@ clcf->handler = ngx_http_memcached_handler; - if (clcf->name.data[clcf->name.len - 1] == '/') { + if (clcf->name.len && clcf->name.data[clcf->name.len - 1] == '/') { clcf->auto_redirect = 1; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.15.1/src/http/modules/ngx_http_proxy_module.c new/nginx-1.15.2/src/http/modules/ngx_http_proxy_module.c --- old/nginx-1.15.1/src/http/modules/ngx_http_proxy_module.c 2018-07-03 17:07:44.000000000 +0200 +++ new/nginx-1.15.2/src/http/modules/ngx_http_proxy_module.c 2018-07-24 15:11:00.000000000 +0200 @@ -3580,7 +3580,7 @@ clcf->handler = ngx_http_proxy_handler; - if (clcf->name.data[clcf->name.len - 1] == '/') { + if (clcf->name.len && clcf->name.data[clcf->name.len - 1] == '/') { clcf->auto_redirect = 1; } @@ -4308,6 +4308,13 @@ } } + if (ngx_ssl_client_session_cache(cf, plcf->upstream.ssl, + plcf->upstream.ssl_session_reuse) + != NGX_OK) + { + return NGX_ERROR; + } + return NGX_OK; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.15.1/src/http/modules/ngx_http_scgi_module.c new/nginx-1.15.2/src/http/modules/ngx_http_scgi_module.c --- old/nginx-1.15.1/src/http/modules/ngx_http_scgi_module.c 2018-07-03 17:07:44.000000000 +0200 +++ new/nginx-1.15.2/src/http/modules/ngx_http_scgi_module.c 2018-07-24 15:11:00.000000000 +0200 @@ -1857,7 +1857,7 @@ return NGX_CONF_ERROR; } - if (clcf->name.data[clcf->name.len - 1] == '/') { + if (clcf->name.len && clcf->name.data[clcf->name.len - 1] == '/') { clcf->auto_redirect = 1; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.15.1/src/http/modules/ngx_http_uwsgi_module.c new/nginx-1.15.2/src/http/modules/ngx_http_uwsgi_module.c --- old/nginx-1.15.1/src/http/modules/ngx_http_uwsgi_module.c 2018-07-03 17:07:44.000000000 +0200 +++ new/nginx-1.15.2/src/http/modules/ngx_http_uwsgi_module.c 2018-07-24 15:11:00.000000000 +0200 @@ -2144,7 +2144,7 @@ return NGX_CONF_ERROR; } - if (clcf->name.data[clcf->name.len - 1] == '/') { + if (clcf->name.len && clcf->name.data[clcf->name.len - 1] == '/') { clcf->auto_redirect = 1; } @@ -2391,6 +2391,13 @@ } } + if (ngx_ssl_client_session_cache(cf, uwcf->upstream.ssl, + uwcf->upstream.ssl_session_reuse) + != NGX_OK) + { + return NGX_ERROR; + } + return NGX_OK; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.15.1/src/http/ngx_http.c new/nginx-1.15.2/src/http/ngx_http.c --- old/nginx-1.15.1/src/http/ngx_http.c 2018-07-03 17:07:44.000000000 +0200 +++ new/nginx-1.15.2/src/http/ngx_http.c 2018-07-24 15:11:00.000000000 +0200 @@ -1685,10 +1685,6 @@ break; } - if (ngx_clone_listening(cf, ls) != NGX_OK) { - return NGX_ERROR; - } - addr++; last--; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.15.1/src/http/ngx_http_request.c new/nginx-1.15.2/src/http/ngx_http_request.c --- old/nginx-1.15.1/src/http/ngx_http_request.c 2018-07-03 17:07:44.000000000 +0200 +++ new/nginx-1.15.2/src/http/ngx_http_request.c 2018-07-24 15:11:00.000000000 +0200 @@ -912,7 +912,7 @@ SSL_set_verify_depth(ssl_conn, SSL_CTX_get_verify_depth(sscf->ssl.ctx)); -#ifdef SSL_CTRL_CLEAR_OPTIONS +#if OPENSSL_VERSION_NUMBER >= 0x009080dfL /* only in 0.9.8m+ */ SSL_clear_options(ssl_conn, SSL_get_options(ssl_conn) & ~SSL_CTX_get_options(sscf->ssl.ctx)); @@ -2353,6 +2353,7 @@ || rc == NGX_HTTP_NO_CONTENT) { if (rc == NGX_HTTP_CLOSE) { + c->timedout = 1; ngx_http_terminate_request(r, rc); return; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.15.1/src/http/ngx_http_upstream.c new/nginx-1.15.2/src/http/ngx_http_upstream.c --- old/nginx-1.15.1/src/http/ngx_http_upstream.c 2018-07-03 17:07:44.000000000 +0200 +++ new/nginx-1.15.2/src/http/ngx_http_upstream.c 2018-07-24 15:11:00.000000000 +0200 @@ -187,6 +187,7 @@ static void ngx_http_upstream_ssl_handshake_handler(ngx_connection_t *c); static void ngx_http_upstream_ssl_handshake(ngx_http_request_t *, ngx_http_upstream_t *u, ngx_connection_t *c); +static void ngx_http_upstream_ssl_save_session(ngx_connection_t *c); static ngx_int_t ngx_http_upstream_ssl_name(ngx_http_request_t *r, ngx_http_upstream_t *u, ngx_connection_t *c); #endif @@ -1675,6 +1676,8 @@ } if (u->conf->ssl_session_reuse) { + c->ssl->save_session = ngx_http_upstream_ssl_save_session; + if (u->peer.set_session(&u->peer, u->peer.data) != NGX_OK) { ngx_http_upstream_finalize_request(r, u, NGX_HTTP_INTERNAL_SERVER_ERROR); @@ -1759,10 +1762,6 @@ } } - if (u->conf->ssl_session_reuse) { - u->peer.save_session(&u->peer, u->peer.data); - } - c->write->handler = ngx_http_upstream_handler; c->read->handler = ngx_http_upstream_handler; @@ -1782,6 +1781,27 @@ } +static void +ngx_http_upstream_ssl_save_session(ngx_connection_t *c) +{ + ngx_http_request_t *r; + ngx_http_upstream_t *u; + + if (c->idle) { + return; + } + + r = c->data; + + u = r->upstream; + c = r->connection; + + ngx_http_set_log_request(c->log, r); + + u->peer.save_session(&u->peer, u->peer.data); +} + + static ngx_int_t ngx_http_upstream_ssl_name(ngx_http_request_t *r, ngx_http_upstream_t *u, ngx_connection_t *c) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.15.1/src/http/ngx_http_upstream_round_robin.c new/nginx-1.15.2/src/http/ngx_http_upstream_round_robin.c --- old/nginx-1.15.1/src/http/ngx_http_upstream_round_robin.c 2018-07-03 17:07:44.000000000 +0200 +++ new/nginx-1.15.2/src/http/ngx_http_upstream_round_robin.c 2018-07-24 15:11:00.000000000 +0200 @@ -744,7 +744,7 @@ if (peers->shpool) { - ssl_session = SSL_get0_session(pc->connection->ssl->connection); + ssl_session = ngx_ssl_get0_session(pc->connection); if (ssl_session == NULL) { return; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.15.1/src/os/unix/ngx_thread.h new/nginx-1.15.2/src/os/unix/ngx_thread.h --- old/nginx-1.15.1/src/os/unix/ngx_thread.h 2018-07-03 17:07:44.000000000 +0200 +++ new/nginx-1.15.2/src/os/unix/ngx_thread.h 2018-07-24 15:11:00.000000000 +0200 @@ -47,12 +47,12 @@ #elif (NGX_DARWIN) typedef uint64_t ngx_tid_t; -#define NGX_TID_T_FMT "%uA" +#define NGX_TID_T_FMT "%uL" #else typedef uint64_t ngx_tid_t; -#define NGX_TID_T_FMT "%uA" +#define NGX_TID_T_FMT "%uL" #endif diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.15.1/src/stream/ngx_stream.c new/nginx-1.15.2/src/stream/ngx_stream.c --- old/nginx-1.15.1/src/stream/ngx_stream.c 2018-07-03 17:07:44.000000000 +0200 +++ new/nginx-1.15.2/src/stream/ngx_stream.c 2018-07-24 15:11:00.000000000 +0200 @@ -538,10 +538,6 @@ break; } - if (ngx_clone_listening(cf, ls) != NGX_OK) { - return NGX_CONF_ERROR; - } - addr++; last--; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.15.1/src/stream/ngx_stream_proxy_module.c new/nginx-1.15.2/src/stream/ngx_stream_proxy_module.c --- old/nginx-1.15.1/src/stream/ngx_stream_proxy_module.c 2018-07-03 17:07:44.000000000 +0200 +++ new/nginx-1.15.2/src/stream/ngx_stream_proxy_module.c 2018-07-24 15:11:00.000000000 +0200 @@ -92,6 +92,7 @@ ngx_command_t *cmd, void *conf); static void ngx_stream_proxy_ssl_init_connection(ngx_stream_session_t *s); static void ngx_stream_proxy_ssl_handshake(ngx_connection_t *pc); +static void ngx_stream_proxy_ssl_save_session(ngx_connection_t *c); static ngx_int_t ngx_stream_proxy_ssl_name(ngx_stream_session_t *s); static ngx_int_t ngx_stream_proxy_set_ssl(ngx_conf_t *cf, ngx_stream_proxy_srv_conf_t *pscf); @@ -1008,6 +1009,8 @@ } if (pscf->ssl_session_reuse) { + pc->ssl->save_session = ngx_stream_proxy_ssl_save_session; + if (u->peer.set_session(&u->peer, u->peer.data) != NGX_OK) { ngx_stream_proxy_finalize(s, NGX_STREAM_INTERNAL_SERVER_ERROR); return; @@ -1066,11 +1069,6 @@ } } - if (pscf->ssl_session_reuse) { - u = s->upstream; - u->peer.save_session(&u->peer, u->peer.data); - } - if (pc->write->timer_set) { ngx_del_timer(pc->write); } @@ -1086,6 +1084,19 @@ } +static void +ngx_stream_proxy_ssl_save_session(ngx_connection_t *c) +{ + ngx_stream_session_t *s; + ngx_stream_upstream_t *u; + + s = c->data; + u = s->upstream; + + u->peer.save_session(&u->peer, u->peer.data); +} + + static ngx_int_t ngx_stream_proxy_ssl_name(ngx_stream_session_t *s) { @@ -2051,6 +2062,12 @@ } } + if (ngx_ssl_client_session_cache(cf, pscf->ssl, pscf->ssl_session_reuse) + != NGX_OK) + { + return NGX_ERROR; + } + return NGX_OK; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.15.1/src/stream/ngx_stream_ssl_preread_module.c new/nginx-1.15.2/src/stream/ngx_stream_ssl_preread_module.c --- old/nginx-1.15.1/src/stream/ngx_stream_ssl_preread_module.c 2018-07-03 17:07:44.000000000 +0200 +++ new/nginx-1.15.2/src/stream/ngx_stream_ssl_preread_module.c 2018-07-24 15:11:00.000000000 +0200 @@ -21,6 +21,7 @@ u_char *pos; u_char *dst; u_char buf[4]; + u_char version[2]; ngx_str_t host; ngx_str_t alpn; ngx_log_t *log; @@ -32,6 +33,8 @@ static ngx_int_t ngx_stream_ssl_preread_handler(ngx_stream_session_t *s); static ngx_int_t ngx_stream_ssl_preread_parse_record( ngx_stream_ssl_preread_ctx_t *ctx, u_char *pos, u_char *last); +static ngx_int_t ngx_stream_ssl_preread_protocol_variable( + ngx_stream_session_t *s, ngx_stream_variable_value_t *v, uintptr_t data); static ngx_int_t ngx_stream_ssl_preread_server_name_variable( ngx_stream_session_t *s, ngx_stream_variable_value_t *v, uintptr_t data); static ngx_int_t ngx_stream_ssl_preread_alpn_protocols_variable( @@ -86,6 +89,9 @@ static ngx_stream_variable_t ngx_stream_ssl_preread_vars[] = { + { ngx_string("ssl_preread_protocol"), NULL, + ngx_stream_ssl_preread_protocol_variable, 0, 0, 0 }, + { ngx_string("ssl_preread_server_name"), NULL, ngx_stream_ssl_preread_server_name_variable, 0, 0, 0 }, @@ -143,6 +149,14 @@ while (last - p >= 5) { + if ((p[0] & 0x80) && p[2] == 1 && (p[3] == 0 || p[3] == 3)) { + ngx_log_debug0(NGX_LOG_DEBUG_STREAM, ctx->log, 0, + "ssl preread: version 2 ClientHello"); + ctx->version[0] = p[3]; + ctx->version[1] = p[4]; + return NGX_OK; + } + if (p[0] != 0x16) { ngx_log_debug0(NGX_LOG_DEBUG_STREAM, ctx->log, 0, "ssl preread: not a handshake"); @@ -196,7 +210,8 @@ enum { sw_start = 0, sw_header, /* handshake msg_type, length */ - sw_head_tail, /* version, random */ + sw_version, /* client_version */ + sw_random, /* random */ sw_sid_len, /* session_id length */ sw_sid, /* session_id */ sw_cs_len, /* cipher_suites length */ @@ -210,7 +225,8 @@ sw_sni_host, /* SNI host_name */ sw_alpn_len, /* ALPN length */ sw_alpn_proto_len, /* ALPN protocol_name length */ - sw_alpn_proto_data /* ALPN protocol_name */ + sw_alpn_proto_data, /* ALPN protocol_name */ + sw_supver_len /* supported_versions length */ } state; ngx_log_debug2(NGX_LOG_DEBUG_STREAM, ctx->log, 0, @@ -254,13 +270,19 @@ return NGX_DECLINED; } - state = sw_head_tail; - dst = NULL; - size = 34; + state = sw_version; + dst = ctx->version; + size = 2; left = (p[1] << 16) + (p[2] << 8) + p[3]; break; - case sw_head_tail: + case sw_version: + state = sw_random; + dst = NULL; + size = 32; + break; + + case sw_random: state = sw_sid_len; dst = p; size = 1; @@ -334,6 +356,14 @@ break; } + if (p[0] == 0 && p[1] == 43) { + /* supported_versions extension */ + state = sw_supver_len; + dst = p; + size = 1; + break; + } + state = sw_ext; dst = NULL; size = (p[2] << 8) + p[3]; @@ -434,6 +464,19 @@ dst = NULL; size = 0; break; + + case sw_supver_len: + ngx_log_debug0(NGX_LOG_DEBUG_STREAM, ctx->log, 0, + "ssl preread: supported_versions"); + + /* set TLSv1.3 */ + ctx->version[0] = 3; + ctx->version[1] = 4; + + state = sw_ext; + dst = NULL; + size = p[0]; + break; } if (left < size) { @@ -453,6 +496,62 @@ } +static ngx_int_t +ngx_stream_ssl_preread_protocol_variable(ngx_stream_session_t *s, + ngx_variable_value_t *v, uintptr_t data) +{ + ngx_str_t version; + ngx_stream_ssl_preread_ctx_t *ctx; + + ctx = ngx_stream_get_module_ctx(s, ngx_stream_ssl_preread_module); + + if (ctx == NULL) { + v->not_found = 1; + return NGX_OK; + } + + /* SSL_get_version() format */ + + ngx_str_null(&version); + + switch (ctx->version[0]) { + case 0: + switch (ctx->version[1]) { + case 2: + ngx_str_set(&version, "SSLv2"); + break; + } + break; + case 3: + switch (ctx->version[1]) { + case 0: + ngx_str_set(&version, "SSLv3"); + break; + case 1: + ngx_str_set(&version, "TLSv1"); + break; + case 2: + ngx_str_set(&version, "TLSv1.1"); + break; + case 3: + ngx_str_set(&version, "TLSv1.2"); + break; + case 4: + ngx_str_set(&version, "TLSv1.3"); + break; + } + } + + v->valid = 1; + v->no_cacheable = 0; + v->not_found = 0; + v->len = version.len; + v->data = version.data; + + return NGX_OK; +} + + static ngx_int_t ngx_stream_ssl_preread_server_name_variable(ngx_stream_session_t *s, ngx_variable_value_t *v, uintptr_t data) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.15.1/src/stream/ngx_stream_upstream_round_robin.c new/nginx-1.15.2/src/stream/ngx_stream_upstream_round_robin.c --- old/nginx-1.15.1/src/stream/ngx_stream_upstream_round_robin.c 2018-07-03 17:07:44.000000000 +0200 +++ new/nginx-1.15.2/src/stream/ngx_stream_upstream_round_robin.c 2018-07-24 15:11:00.000000000 +0200 @@ -776,7 +776,7 @@ if (peers->shpool) { - ssl_session = SSL_get0_session(pc->connection->ssl->connection); + ssl_session = ngx_ssl_get0_session(pc->connection); if (ssl_session == NULL) { return;