Mercurial > hg > nginx-vendor-1-0
comparison src/event/ngx_event_openssl.c @ 638:692f4d4d7f10 NGINX_1_0_9
nginx 1.0.9
*) Change: now the 0x7F-0x1F characters are escaped as \xXX in an
access_log.
*) Change: now SIGWINCH signal works only in daemon mode.
*) Feature: "proxy/fastcgi/scgi/uwsgi_ignore_headers" directives support
the following additional values: X-Accel-Limit-Rate,
X-Accel-Buffering, X-Accel-Charset.
*) Feature: decrease of memory consumption if SSL is used.
*) Feature: accept filters are now supported on NetBSD.
*) Feature: the "uwsgi_buffering" and "scgi_buffering" directives.
Thanks to Peter Smit.
*) Bugfix: a segmentation fault occurred on start or while
reconfiguration if the "ssl" directive was used at http level and
there was no "ssl_certificate" defined.
*) Bugfix: some UTF-8 characters were processed incorrectly.
Thanks to Alexey Kuts.
*) Bugfix: the ngx_http_rewrite_module directives specified at "server"
level were executed twice if no matching locations were defined.
*) Bugfix: a socket leak might occurred if "aio sendfile" was used.
*) Bugfix: connections with fast clients might be closed after
send_timeout if file AIO was used.
*) Bugfix: in the ngx_http_autoindex_module.
*) Bugfix: the module ngx_http_mp4_module did not support seeking on
32-bit platforms.
*) Bugfix: non-cacheable responses might be cached if
"proxy_cache_bypass" directive was used.
Thanks to John Ferlito.
*) Bugfix: cached responses with an empty body were returned
incorrectly; the bug had appeared in 0.8.31.
*) Bugfix: 201 responses of the ngx_http_dav_module were incorrect; the
bug had appeared in 0.8.32.
*) Bugfix: in the "return" directive.
*) Bugfix: the "ssl_verify_client", "ssl_verify_depth", and
"ssl_prefer_server_ciphers" directives might work incorrectly if SNI
was used.
author | Igor Sysoev <http://sysoev.ru> |
---|---|
date | Tue, 01 Nov 2011 00:00:00 +0400 |
parents | 0d6525917227 |
children | ad25218fd14b |
comparison
equal
deleted
inserted
replaced
637:ea7441793bba | 638:692f4d4d7f10 |
---|---|
173 | 173 |
174 if (ngx_ssl_protocols[protocols >> 1] != 0) { | 174 if (ngx_ssl_protocols[protocols >> 1] != 0) { |
175 SSL_CTX_set_options(ssl->ctx, ngx_ssl_protocols[protocols >> 1]); | 175 SSL_CTX_set_options(ssl->ctx, ngx_ssl_protocols[protocols >> 1]); |
176 } | 176 } |
177 | 177 |
178 #ifdef SSL_OP_NO_COMPRESSION | |
179 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION); | |
180 #endif | |
181 | |
182 #ifdef SSL_MODE_RELEASE_BUFFERS | |
183 SSL_CTX_set_mode(ssl->ctx, SSL_MODE_RELEASE_BUFFERS); | |
184 #endif | |
185 | |
178 SSL_CTX_set_read_ahead(ssl->ctx, 1); | 186 SSL_CTX_set_read_ahead(ssl->ctx, 1); |
179 | 187 |
180 SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback); | 188 SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback); |
181 | 189 |
182 return NGX_OK; | 190 return NGX_OK; |
853 * renegotiation gracefully, so drop connection here | 861 * renegotiation gracefully, so drop connection here |
854 */ | 862 */ |
855 | 863 |
856 ngx_log_error(NGX_LOG_NOTICE, c->log, 0, "SSL renegotiation disabled"); | 864 ngx_log_error(NGX_LOG_NOTICE, c->log, 0, "SSL renegotiation disabled"); |
857 | 865 |
866 while (ERR_peek_error()) { | |
867 ngx_ssl_error(NGX_LOG_DEBUG, c->log, 0, | |
868 "ignoring stale global SSL error"); | |
869 } | |
870 | |
871 ERR_clear_error(); | |
872 | |
858 c->ssl->no_wait_shutdown = 1; | 873 c->ssl->no_wait_shutdown = 1; |
859 c->ssl->no_send_shutdown = 1; | 874 c->ssl->no_send_shutdown = 1; |
860 | 875 |
861 return NGX_ERROR; | 876 return NGX_ERROR; |
862 } | 877 } |
1342 } else if (sslerr == SSL_ERROR_SSL) { | 1357 } else if (sslerr == SSL_ERROR_SSL) { |
1343 | 1358 |
1344 n = ERR_GET_REASON(ERR_peek_error()); | 1359 n = ERR_GET_REASON(ERR_peek_error()); |
1345 | 1360 |
1346 /* handshake failures */ | 1361 /* handshake failures */ |
1347 if (n == SSL_R_BLOCK_CIPHER_PAD_IS_WRONG /* 129 */ | 1362 if (n == SSL_R_BAD_CHANGE_CIPHER_SPEC /* 103 */ |
1363 || n == SSL_R_BLOCK_CIPHER_PAD_IS_WRONG /* 129 */ | |
1348 || n == SSL_R_DIGEST_CHECK_FAILED /* 149 */ | 1364 || n == SSL_R_DIGEST_CHECK_FAILED /* 149 */ |
1365 || n == SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST /* 151 */ | |
1366 || n == SSL_R_EXCESSIVE_MESSAGE_SIZE /* 152 */ | |
1349 || n == SSL_R_LENGTH_MISMATCH /* 159 */ | 1367 || n == SSL_R_LENGTH_MISMATCH /* 159 */ |
1350 || n == SSL_R_NO_CIPHERS_PASSED /* 182 */ | 1368 || n == SSL_R_NO_CIPHERS_PASSED /* 182 */ |
1351 || n == SSL_R_NO_CIPHERS_SPECIFIED /* 183 */ | 1369 || n == SSL_R_NO_CIPHERS_SPECIFIED /* 183 */ |
1370 || n == SSL_R_NO_COMPRESSION_SPECIFIED /* 187 */ | |
1352 || n == SSL_R_NO_SHARED_CIPHER /* 193 */ | 1371 || n == SSL_R_NO_SHARED_CIPHER /* 193 */ |
1353 || n == SSL_R_RECORD_LENGTH_MISMATCH /* 213 */ | 1372 || n == SSL_R_RECORD_LENGTH_MISMATCH /* 213 */ |
1373 #ifdef SSL_R_PARSE_TLSEXT | |
1374 || n == SSL_R_PARSE_TLSEXT /* 227 */ | |
1375 #endif | |
1354 || n == SSL_R_UNEXPECTED_MESSAGE /* 244 */ | 1376 || n == SSL_R_UNEXPECTED_MESSAGE /* 244 */ |
1355 || n == SSL_R_UNEXPECTED_RECORD /* 245 */ | 1377 || n == SSL_R_UNEXPECTED_RECORD /* 245 */ |
1356 || n == SSL_R_UNKNOWN_ALERT_TYPE /* 246 */ | 1378 || n == SSL_R_UNKNOWN_ALERT_TYPE /* 246 */ |
1357 || n == SSL_R_UNKNOWN_PROTOCOL /* 252 */ | 1379 || n == SSL_R_UNKNOWN_PROTOCOL /* 252 */ |
1358 || n == SSL_R_WRONG_VERSION_NUMBER /* 267 */ | 1380 || n == SSL_R_WRONG_VERSION_NUMBER /* 267 */ |
1359 || n == SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC /* 281 */ | 1381 || n == SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC /* 281 */ |
1382 #ifdef SSL_R_RENEGOTIATE_EXT_TOO_LONG | |
1383 || n == SSL_R_RENEGOTIATE_EXT_TOO_LONG /* 335 */ | |
1384 || n == SSL_R_RENEGOTIATION_ENCODING_ERR /* 336 */ | |
1385 || n == SSL_R_RENEGOTIATION_MISMATCH /* 337 */ | |
1386 #endif | |
1387 #ifdef SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED | |
1388 || n == SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED /* 338 */ | |
1389 #endif | |
1390 #ifdef SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING | |
1391 || n == SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING /* 345 */ | |
1392 #endif | |
1360 || n == 1000 /* SSL_R_SSLV3_ALERT_CLOSE_NOTIFY */ | 1393 || n == 1000 /* SSL_R_SSLV3_ALERT_CLOSE_NOTIFY */ |
1361 || n == SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE /* 1010 */ | 1394 || n == SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE /* 1010 */ |
1362 || n == SSL_R_SSLV3_ALERT_BAD_RECORD_MAC /* 1020 */ | 1395 || n == SSL_R_SSLV3_ALERT_BAD_RECORD_MAC /* 1020 */ |
1363 || n == SSL_R_TLSV1_ALERT_DECRYPTION_FAILED /* 1021 */ | 1396 || n == SSL_R_TLSV1_ALERT_DECRYPTION_FAILED /* 1021 */ |
1364 || n == SSL_R_TLSV1_ALERT_RECORD_OVERFLOW /* 1022 */ | 1397 || n == SSL_R_TLSV1_ALERT_RECORD_OVERFLOW /* 1022 */ |