summaryrefslogtreecommitdiffhomepage
path: root/src/nxt_openssl.c (follow)
AgeCommit message (Collapse)AuthorFilesLines
2021-05-26Enabling SSL_CTX configuration by using SSL_CONF_cmd().Andrey Suvorov1-8/+106
To perform various configuration operations on SSL_CTX, OpenSSL provides SSL_CONF_cmd(). Specifically, to configure ciphers for a listener, "CipherString" and "Ciphersuites" file commands are used: https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html This feature can be configured in the "tls/conf_commands" section.
2021-05-26Fixing crash during TLS connection shutdown.Andrey Suvorov1-6/+26
A crash was caused by an incorrect timer handler nxt_h1p_idle_timeout() if SSL_shutdown() returned SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE. The flag SSL_RECEIVED_SHUTDOWN is used to avoid getting SSL_ERROR_WANT_READ, so the server won't wait for a close notification from a client. For SSL_ERROR_WANT_WRITE, a correct timer handler is set up.
2021-03-24Added ability to configure multiple certificates on a listener.Andrey Suvorov1-32/+372
The certificate is selected by matching the arriving SNI to the common name and the alternatives names. If no certificate matches the name, the first bundle in the array is chosen.
2021-03-24Workaround for an OpenSSL bug about not closing /dev/*random.Max Romanov1-0/+11
This is a workaround for an issue in OpenSSL 1.1.1, where the /dev/random and /dev/urandom files remain open after all listening sockets were removed: - https://github.com/openssl/openssl/issues/7419
2021-03-15Fixed TLS connection shutdown on errors.Valentin Bartenev1-4/+0
An immediate return statement on connection errors was mistakenly added to the beginning of nxt_openssl_conn_io_shutdown() in ecd3c5bbf7d8, breaking the TLS connection finalization procedure. As a result, a TLS connection was left unfinalized if it had been closed prematurely or a fatal protocol error had occurred, which caused memory and socket descriptor leakage. Moreover, in some cases (notably, on handshake errors in tests with kqueue on macOS) the read event was triggered later and nxt_h1p_conn_error() was called the second time; after the change in af93c866b4f0, the latter call crashed the router process in an attempt to remove a connection from the idle queue twice.
2020-02-05Kept the value of c->socket.read_handler while data is available.Tiago Natel de Moura1-4/+0
This closes #370 in GitHub.
2019-09-30Fixed error processing in SSL operations.Igor Sysoev1-13/+3
Before this fix EWOULDBLOCK error was fatal for SSL write operation. This closes #325 issue on GitHub.
2019-03-01Fixed TLS connections hanging.Igor Sysoev1-4/+2
After event is delivered from the kernel its further processing is blocked. Non-ready TSL I/O operation should mark connection I/O state as not ready to unblock events and to allow their further processing. Otherwise the connection hangs.
2018-11-13Checking error states in I/O handlers.Igor Sysoev1-6/+32
2018-11-13Fixed nxt_openssl_chain_file() return type.Valentin Bartenev1-3/+3
This closes #182 issue on GitHub. Thanks to 洪志道 (Hong Zhi Dao).
2018-10-22Compatibility with LibreSSL.Sergey Kandaurov1-1/+1
LibreSSL uses high OPENSSL_VERSION_NUMBER, but has no SSL_CTX_add0_chain_cert().
2018-09-20Controller: certificates storage interface.Valentin Bartenev1-7/+87
2018-09-20Added SSL/TLS support on connection level.Igor Sysoev1-231/+372
2018-03-05Reduced number of critical log levels.Valentin Bartenev1-11/+12
2017-06-20Using new memory pool implementation.Igor Sysoev1-1/+1
2017-06-14nxt_event_conn_... functions and structures have been renamedIgor Sysoev1-25/+21
to nxt_conn_...
2017-02-22I/O operations refactoring.Igor Sysoev1-15/+10
2017-02-07Event engines refactoring.Igor Sysoev1-6/+6
2017-01-30nxt_event_timer has been renamed to nxt_timer.Igor Sysoev1-1/+1
2017-01-23Introducing tasks.Igor Sysoev1-46/+48
2017-01-17Initial version.Igor Sysoev1-0/+855