| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
The certificate is selected by matching the arriving SNI to the common name and
the alternatives names. If no certificate matches the name, the first bundle in
the array is chosen.
|
|
This is a workaround for an issue in OpenSSL 1.1.1, where the /dev/random and
/dev/urandom files remain open after all listening sockets were removed:
- https://github.com/openssl/openssl/issues/7419
|
|
An immediate return statement on connection errors was mistakenly added to the
beginning of nxt_openssl_conn_io_shutdown() in ecd3c5bbf7d8, breaking the TLS
connection finalization procedure. As a result, a TLS connection was left
unfinalized if it had been closed prematurely or a fatal protocol error had
occurred, which caused memory and socket descriptor leakage.
Moreover, in some cases (notably, on handshake errors in tests with kqueue on
macOS) the read event was triggered later and nxt_h1p_conn_error() was called
the second time; after the change in af93c866b4f0, the latter call crashed the
router process in an attempt to remove a connection from the idle queue twice.
|
|
This closes #370 in GitHub.
|
|
Before this fix EWOULDBLOCK error was fatal for SSL write operation.
This closes #325 issue on GitHub.
|
|
After event is delivered from the kernel its further processing is blocked.
Non-ready TSL I/O operation should mark connection I/O state as not ready
to unblock events and to allow their further processing. Otherwise
the connection hangs.
|
|
|
|
This closes #182 issue on GitHub.
Thanks to 洪志道 (Hong Zhi Dao).
|
|
LibreSSL uses high OPENSSL_VERSION_NUMBER, but has no SSL_CTX_add0_chain_cert().
|
|
|
|
|
|
|
|
|
|
to nxt_conn_...
|
|
|
|
|
|
|
|
|
|
|
