These patches are pretty stable (except you can't use different OCSP
responders for SHA1 and SHA256 certs and use different ssl_stapling_files).
https://github.com/wikimedia/operations-software-nginx/tree/wmf-1.9.3-1/debian/patches
On Fri, Feb 5, 2016 at 11:17 PM, Jon Emord
mdou...@mdounin.ru wrote:
Hello!
On Tue, Mar 17, 2015 at 09:38:42PM +0300, kyprizel wrote:
Sure it should be tested (there can be some memory leaks).
Need to know if it's ideologically acceptable.
I've provided some comments in the reply to your off-list message.
--
Maxim Dounin
in the config will be used.
Can you please review it?
Thank you.
On Tue, Oct 7, 2014 at 5:03 PM, shm...@riseup.net shm...@riseup.net wrote:
Maxim Dounin wrote:
Hello!
On Tue, Oct 07, 2014 at 11:31:56AM +0400, kyprizel wrote:
Updating patch for the last nginx isn't a problem - we need
wrong curve?
On Tue, Mar 10, 2015 at 1:27 PM, thegrandch...@gmx.de wrote:
Hi,
this time not stupidly formatted ;):
I compiled nginx 1.7.10 + LibreSSL 2.1.4, but am not able to use ECC
certificates.
nginx -V:
nginx version: nginx/1.7.10
built by gcc 4.7.2 (Debian 4.7.2-5)
TLS SNI
Make a pcap, check packet loss/mtu/window size.
On Wed, Feb 4, 2015 at 8:54 PM, B.R. reallfqq-ng...@yahoo.fr wrote:
Nothing in the configuration part you provided rings any bell to me on why
this is going on.
I suggest you take a deeper look at the server level, see if there is not
Updating the patch for the latest nginx isn't a problem - we need to hear from
Maxim what the problem with the old patch was (it wasn't applied that time -
why should a new one be applied?) to fix it.
On Mon, Oct 6, 2014 at 10:25 PM, shm...@riseup.net shm...@riseup.net
wrote:
calling all patch XPerts !
What about sharing keys b/w the physical instances?
On Mon, Sep 22, 2014 at 3:39 PM, Richard Fussenegger, BSc
rich...@fussenegger.info wrote:
I'd like to implement built-in session ticket rotation. I know that
this was discussed before but it was never implemented. Right now a custom
Try to use 192.168.1.102:443.
On Wed, Aug 27, 2014 at 1:40 AM, Matthew Ngaha chigga...@gmail.com wrote:
I'm trying Nginx with Django on my localhost. I include a
django.conf in my main nginx.conf and in this included conf the
server listens for both http and https and sends either requests
No, it does not help. The problem is somewhere in body reading/processing.
On Wed, Jun 4, 2014 at 8:10 PM, Andrei Belov de...@nginx.com wrote:
Not yet.
Quick look makes me think that client_body_in_file_only on; might help.
-- defan
On 04 June 2014, at 19:58, kyprizel kypri...@gmail.com
I think this bug was fixed in nginx_refactoring tree.
On Wed, Jun 4, 2014 at 7:00 PM, Robert Paprocki
rpapro...@fearnothingproductions.net wrote:
Can you post a full core dump? Did you verify the mod_security tarball
you downloaded? Can you detail the steps taken to build that module? What
Andrei, have you checked issue 630?
https://github.com/SpiderLabs/ModSecurity/issues/630
On Wed, Jun 4, 2014 at 7:12 PM, Andrei Belov de...@nginx.com wrote:
Hi,
there are a lot of open issues with ModSecurity and nginx:
I think the problem is your nginx uses libssl version from your OS
(0.9.8/1.0.0).
On Wed, Apr 16, 2014 at 4:08 PM, B.R. reallfqq-ng...@yahoo.fr wrote:
Rather than posting raw outputs, try to understand the piece of advice
Maxim gave to you.
I suspect those SSL-validation websites test
Will this patch be applied to mainline?
On Thu, Mar 27, 2014 at 8:23 PM, Maxim Dounin mdou...@mdounin.ru wrote:
Hello!
On Wed, Mar 26, 2014 at 01:34:19PM +0400, kyprizel wrote:
will log_alloc_failures be better?
I think something like log_nomem will be good enough.
Patch:
# HG
something like this?
On Tue, Mar 18, 2014 at 8:00 PM, Maxim Dounin mdou...@mdounin.ru wrote:
Hello!
On Tue, Mar 18, 2014 at 03:42:33PM +0400, kyprizel wrote:
What will be the best way to do it?
Probably a flag in ngx_slab_pool_t will be good enough.
On Tue, Mar 18, 2014 at 3:33
What will be the best way to do it?
On Tue, Mar 18, 2014 at 3:33 PM, Maxim Dounin mdou...@mdounin.ru wrote:
Hello!
On Tue, Mar 18, 2014 at 03:26:10PM +0400, kyprizel wrote:
Hi,
currently SSL session lifetime and SSL ticket lifetime are equal in
nginx.
If we use session tickets
+0400, kyprizel wrote:
In some cases we need to vary the period after which the OCSP response will be
refreshed.
By default it was hardcoded to 3600 sec. This directive allows changing it
via config.
In which some cases? The directive was omitted intentionally
to simplify things as it seems
mdou...@mdounin.ru wrote:
Hello!
On Mon, Jan 13, 2014 at 07:04:11PM +0400, kyprizel wrote:
So, you're going to leave 3600 hardcoded there?
Yes, unless you have some better reasons to make it
configurable.
On Mon, Jan 13, 2014 at 6:51 PM, Maxim Dounin mdou...@mdounin.ru
wrote:
Hello
warning).
If he can't access it at all seeing something like OCSP response invalid
- he doesn't know what to do.
On Mon, Jan 13, 2014 at 8:12 PM, Maxim Dounin mdou...@mdounin.ru wrote:
Hello!
On Mon, Jan 13, 2014 at 07:45:29PM +0400, kyprizel wrote:
The reason is quite easy - most responders
:
Hello!
On Mon, Jan 13, 2014 at 08:23:46PM +0400, kyprizel wrote:
This looks like a very-very wrong way to address the problem.
Instead of resolving the problem it will hide it on some requests
(but not on others), making the problem harder to detect and debug.
Once user can access
In some cases we need to vary the period after which the OCSP response will be refreshed.
By default it was hardcoded to 3600 sec. This directive allows changing it
via config.
Also, there were some kind of bursts when all the cluster nodes and nginx
workers go to update their OCSP staples - random delay
I mean, if something goes wrong while copying the ticket file - nginx still
should function, no, b/c it's not an essential thing?
On Mon, Dec 23, 2013 at 9:14 PM, Maxim Dounin mdou...@mdounin.ru wrote:
Hello!
On Mon, Dec 23, 2013 at 07:54:01PM +0400, kyprizel wrote:
Should we really fail
Hi,
we got a problem with OCSP stapling.
During the handshake some browsers send TLS extension certificate status
with more than 5 bytes in it.
In Nginx error_log it looks like:
[crit] 8721#0: *35 SSL_do_handshake() failed (SSL: error:0D0680A8:asn1
encoding routines:ASN1_CHECK_TLEN:wrong tag
If we have multiple keyfiles - I like the idea of marking some key as
default.
On Wed, Oct 2, 2013 at 12:47 PM, Piotr Sikora pi...@cloudflare.com wrote:
Hello Maxim,
As previously noted, the patch description is wrong. It also
makes sense to add some description of the directive added.
Ok, I don't insist - I just need the functionality. What should I do to get
my patch accepted? :)
1. Store key as bin
2. Separate files
On Mon, Sep 30, 2013 at 10:00 PM, Maxim Dounin mdou...@mdounin.ru wrote:
Hello!
On Mon, Sep 30, 2013 at 08:15:34PM +0400, kyprizel wrote:
$ openssl rand
in printable characters.
On Mon, Sep 30, 2013 at 6:50 PM, Maxim Dounin mdou...@mdounin.ru wrote:
Hello!
On Sat, Sep 28, 2013 at 10:37:39PM +0400, kyprizel wrote:
On Sat, Sep 28, 2013 at 10:14 PM, Piotr Sikora pi...@cloudflare.com
wrote:
Hi,
My patch was designed not to use multiple
of mistake during nginx config parsing.
On Mon, Sep 30, 2013 at 7:31 PM, Maxim Dounin mdou...@mdounin.ru wrote:
Hello!
On Mon, Sep 30, 2013 at 07:14:59PM +0400, kyprizel wrote:
$ openssl rand -base64 48 | awk '{print -BEGIN SESSION TICKET
KEY-; print; print -END SESSION TICKET KEY
On Sat, Sep 28, 2013 at 10:14 PM, Piotr Sikora pi...@cloudflare.com wrote:
Hi,
My patch was designed not to use multiple keyfiles and keynames in nginx
config so it's able to rotate keys with simple logic, only updating
keyfile.
IMHO, that makes the key rollover much harder than it
Piotr, are we talking about session tickets (
http://tools.ietf.org/html/rfc4507) ?
On Mon, Sep 16, 2013 at 12:30 PM, Piotr Sikora pi...@cloudflare.com wrote:
Hello,
SSL session tickets are not good enough b/c they don't support modern
cipher modes (like GCM) and they don't work with PFS.
As an alternative (and I don't like this idea) - we can distribute
sessions to the nginx cache via a custom-written module, something like it's done
in stud.
On Sat, Sep 14, 2013 at 11:06 PM, Maxim Dounin mdou...@mdounin.ru wrote:
Hello!
On Sat, Sep 14, 2013 at 02:49:49PM +0400, kyprizel wrote:
Hi
Hi,
I'm thinking about the design of a patch for adding a distributed SSL session cache
and have a question -
is it possible and OK to create a keepalive upstream to some storage
(memcached/redis/etc), then use it from
ngx_ssl_new_session/ngx_ssl_get_cached_session?