mirror/nginx
1
0
Fork 0
mirror of https://github.com/nginx/nginx.git synced 2025-08-05 22:26:15 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merged with the default branch.

Browse Source
This commit is contained in:
Sergey Kandaurov 2021-09-01 10:57:25 +03:00
commit 72af057584
22 changed files with 662 additions and 238 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.hgtags
View File

@ -462,3 +462,4 @@ da571b8eaf8f30f36c43b3c9b25e01e31f47149c release-1.19.9
ffcbb9980ee2bad27b4d7b1cd680b14ff47b29aa release-1.19.10
df34dcc9ac072ffd0945e5a1f3eb7987e8275375 release-1.21.0
a68ac0677f8553b1f84d357bc9da114731ab5f47 release-1.21.1
bfbc52374adcbf2f9060afd62de940f6fab3bba5 release-1.21.2

8
docs/html/50x.html
View File

@ -3,11 +3,9 @@
<head>
<title>Error</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>

8
docs/html/index.html
View File

@ -3,11 +3,9 @@
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>

107
docs/xml/nginx/changes.xml
View File

@ -5,6 +5,113 @@
<change_log title="nginx">
<changes ver="1.21.2" date="2021-08-31">
<change type="change">
<para lang="ru">
теперь nginx возвращает ошибку,
если в запросе по протоколу HTTP/1.0 присутствует
строка заголовка "Transfer-Encoding".
</para>
<para lang="en">
now nginx rejects HTTP/1.0 requests
with the "Transfer-Encoding" header line.
</para>
</change>
<change type="change">
<para lang="ru">
экспортные шифры больше не поддерживаются.
</para>
<para lang="en">
export ciphers are no longer supported.
</para>
</change>
<change type="feature">
<para lang="ru">
совместимость с OpenSSL 3.0.
</para>
<para lang="en">
OpenSSL 3.0 compatibility.
</para>
</change>
<change type="feature">
<para lang="ru">
теперь серверу аутентификации почтового прокси-сервера
передаются строки заголовка "Auth-SSL-Protocol" и "Auth-SSL-Cipher".<br/>
Спасибо Rob Mueller.
</para>
<para lang="en">
the "Auth-SSL-Protocol" and "Auth-SSL-Cipher" header lines
are now passed to the mail proxy authentication server.<br/>
Thanks to Rob Mueller.
</para>
</change>
<change type="feature">
<para lang="ru">
API для обработки тела запроса
теперь позволяет буферизировать обрабатываемые данные.
</para>
<para lang="en">
request body filters API
now permits buffering of the data being processed.
</para>
</change>
<change type="bugfix">
<para lang="ru">
SSL-соединения к бэкендам в модуле stream
могли зависать после SSL handshake.
</para>
<para lang="en">
backend SSL connections in the stream module
might hang after an SSL handshake.
</para>
</change>
<change type="bugfix">
<para lang="ru">
уровень безопасности, доступный в OpenSSL 1.1.0 и новее,
не учитывался при загрузке сертификатов сервера,
если был задан через "@SECLEVEL=N" в директиве ssl_ciphers.
</para>
<para lang="en">
the security level, which is available in OpenSSL 1.1.0 or newer,
did not affect loading of the server certificates
when set with "@SECLEVEL=N" in the "ssl_ciphers" directive.
</para>
</change>
<change type="bugfix">
<para lang="ru">
SSL-соединения с gRPC-бэкендами могли зависать,
если использовались методы select, poll или /dev/poll.
</para>
<para lang="en">
SSL connections with gRPC backends might hang
if select, poll, or /dev/poll methods were used.
</para>
</change>
<change type="bugfix">
<para lang="ru">
при использовании HTTP/2
тело запроса всегда записывалось на диск,
если в запросе не было строки заголовка "Content-Length".
</para>
<para lang="en">
when using HTTP/2
client request body was always written to disk
if the "Content-Length" header line was not present in the request.
</para>
</change>
</changes>
<changes ver="1.21.1" date="2021-07-06">
<change type="change">

2
misc/GNUmakefile
View File

@ -6,7 +6,7 @@ TEMP = tmp
CC = cl
OBJS = objs.msvc8
OPENSSL = openssl-1.1.1k
OPENSSL = openssl-1.1.1l
ZLIB = zlib-1.2.11
PCRE = pcre-8.44

4
src/core/nginx.h
View File

@ -9,8 +9,8 @@
#define _NGINX_H_INCLUDED_
#define nginx_version 1021001
#define NGINX_VERSION "1.21.1"
#define nginx_version 1021002
#define NGINX_VERSION "1.21.2"
#define NGINX_VER "nginx/" NGINX_VERSION
#ifdef NGX_BUILD

84
src/event/ngx_event_openssl.c
View File

@ -299,11 +299,6 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER);
#endif
#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
/* this option allow a potential SSL 2.0 rollback (CAN-2005-2969) */
SSL_CTX_set_options(ssl->ctx, SSL_OP_MSIE_SSLV2_RSA_PADDING);
#endif
#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLEAY_080_CLIENT_DH_BUG);
#endif
@ -378,6 +373,10 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_CLIENT_RENEGOTIATION);
#endif
#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
SSL_CTX_set_options(ssl->ctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
#endif
#ifdef SSL_MODE_RELEASE_BUFFERS
SSL_CTX_set_mode(ssl->ctx, SSL_MODE_RELEASE_BUFFERS);
#endif
@ -859,11 +858,6 @@ ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers,
SSL_CTX_set_options(ssl->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
}
#if (OPENSSL_VERSION_NUMBER < 0x10100001L && !defined LIBRESSL_VERSION_NUMBER)
/* a temporary 512-bit RSA key is required for export versions of MSIE */
SSL_CTX_set_tmp_rsa_callback(ssl->ctx, ngx_ssl_rsa512_key_callback);
#endif
return NGX_OK;
}
@ -1116,28 +1110,6 @@ ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, int ret)
}
RSA *
ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export,
int key_length)
{
static RSA *key;
if (key_length != 512) {
return NULL;
}
#if (OPENSSL_VERSION_NUMBER < 0x10100003L && !defined OPENSSL_NO_DEPRECATED)
if (key == NULL) {
key = RSA_generate_key(512, RSA_F4, NULL, NULL);
}
#endif
return key;
}
ngx_array_t *
ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file)
{
@ -1350,7 +1322,6 @@ ngx_ssl_passwords_cleanup(void *data)
ngx_int_t
ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file)
{
DH *dh;
BIO *bio;
if (file->len == 0) {
@ -1368,6 +1339,10 @@ ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file)
return NGX_ERROR;
}
#ifdef SSL_CTX_set_tmp_dh
{
DH *dh;
dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
if (dh == NULL) {
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
@ -1376,9 +1351,42 @@ ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file)
return NGX_ERROR;
}
SSL_CTX_set_tmp_dh(ssl->ctx, dh);
if (SSL_CTX_set_tmp_dh(ssl->ctx, dh) != 1) {
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
"SSL_CTX_set_tmp_dh(\"%s\") failed", file->data);
DH_free(dh);
BIO_free(bio);
return NGX_ERROR;
}
DH_free(dh);
}
#else
{
EVP_PKEY *dh;
/*
* PEM_read_bio_DHparams() and SSL_CTX_set_tmp_dh()
* are deprecated in OpenSSL 3.0
*/
dh = PEM_read_bio_Parameters(bio, NULL);
if (dh == NULL) {
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
"PEM_read_bio_Parameters(\"%s\") failed", file->data);
BIO_free(bio);
return NGX_ERROR;
}
if (SSL_CTX_set0_tmp_dh_pkey(ssl->ctx, dh) != 1) {
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
"SSL_CTX_set0_tmp_dh_pkey(\%s\") failed", file->data);
BIO_free(bio);
return NGX_ERROR;
}
}
#endif
BIO_free(bio);
return NGX_OK;
@ -1740,6 +1748,9 @@ ngx_ssl_handshake(ngx_connection_t *c)
c->recv_chain = ngx_ssl_recv_chain;
c->send_chain = ngx_ssl_send_chain;
c->read->ready = 1;
c->write->ready = 1;
#ifndef SSL_OP_NO_RENEGOTIATION
#if OPENSSL_VERSION_NUMBER < 0x10100000L
#ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
@ -1885,6 +1896,9 @@ ngx_ssl_try_early_data(ngx_connection_t *c)
c->recv_chain = ngx_ssl_recv_chain;
c->send_chain = ngx_ssl_send_chain;
c->read->ready = 1;
c->write->ready = 1;
rc = ngx_ssl_ocsp_validate(c);
if (rc == NGX_ERROR) {
@ -3241,7 +3255,7 @@ ngx_ssl_error(ngx_uint_t level, ngx_log_t *log, ngx_err_t err, char *fmt, ...)
for ( ;; ) {
n = ERR_peek_error_line_data(NULL, NULL, &data, &flags);
n = ERR_peek_error_data(&data, &flags);
if (n == 0) {
break;

15
src/event/ngx_event_openssl.h
View File

@ -12,6 +12,8 @@
#include <ngx_config.h>
#include <ngx_core.h>
#define OPENSSL_SUPPRESS_DEPRECATED
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/bn.h>
@ -35,7 +37,6 @@
#include <openssl/ocsp.h>
#endif
#include <openssl/rand.h>
#include <openssl/rsa.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
@ -72,6 +73,16 @@
#endif
#if (OPENSSL_VERSION_NUMBER >= 0x30000000L && !defined SSL_get_peer_certificate)
#define SSL_get_peer_certificate(s) SSL_get1_peer_certificate(s)
#endif
#if (OPENSSL_VERSION_NUMBER < 0x30000000L && !defined ERR_peek_error_data)
#define ERR_peek_error_data(d, f) ERR_peek_error_line_data(NULL, NULL, d, f)
#endif
typedef struct ngx_ssl_ocsp_s ngx_ssl_ocsp_t;
@ -204,8 +215,6 @@ ngx_int_t ngx_ssl_ocsp_validate(ngx_connection_t *c);
ngx_int_t ngx_ssl_ocsp_get_status(ngx_connection_t *c, const char **s);
void ngx_ssl_ocsp_cleanup(ngx_connection_t *c);
ngx_int_t ngx_ssl_ocsp_cache_init(ngx_shm_zone_t *shm_zone, void *data);
RSA *ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export,
int key_length);
ngx_array_t *ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file);
ngx_array_t *ngx_ssl_preserve_passwords(ngx_conf_t *cf,
ngx_array_t *passwords);

12
src/http/modules/ngx_http_grpc_module.c
View File

@ -4896,6 +4896,12 @@ ngx_http_grpc_set_ssl(ngx_conf_t *cf, ngx_http_grpc_loc_conf_t *glcf)
cln->handler = ngx_ssl_cleanup_ctx;
cln->data = glcf->upstream.ssl;
if (ngx_ssl_ciphers(cf, glcf->upstream.ssl, &glcf->ssl_ciphers, 0)
!= NGX_OK)
{
return NGX_ERROR;
}
if (glcf->upstream.ssl_certificate) {
if (glcf->upstream.ssl_certificate_key == NULL) {
@ -4927,12 +4933,6 @@ ngx_http_grpc_set_ssl(ngx_conf_t *cf, ngx_http_grpc_loc_conf_t *glcf)
}
}
if (ngx_ssl_ciphers(cf, glcf->upstream.ssl, &glcf->ssl_ciphers, 0)
!= NGX_OK)
{
return NGX_ERROR;
}
if (glcf->upstream.ssl_verify) {
if (glcf->ssl_trusted_certificate.len == 0) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,

12
src/http/modules/ngx_http_proxy_module.c
View File

@ -4944,6 +4944,12 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, ngx_http_proxy_loc_conf_t *plcf)
cln->handler = ngx_ssl_cleanup_ctx;
cln->data = plcf->upstream.ssl;
if (ngx_ssl_ciphers(cf, plcf->upstream.ssl, &plcf->ssl_ciphers, 0)
!= NGX_OK)
{
return NGX_ERROR;
}
if (plcf->upstream.ssl_certificate) {
if (plcf->upstream.ssl_certificate_key == NULL) {
@ -4975,12 +4981,6 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, ngx_http_proxy_loc_conf_t *plcf)
}
}
if (ngx_ssl_ciphers(cf, plcf->upstream.ssl, &plcf->ssl_ciphers, 0)
!= NGX_OK)
{
return NGX_ERROR;
}
if (plcf->upstream.ssl_verify) {
if (plcf->ssl_trusted_certificate.len == 0) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,

14
src/http/modules/ngx_http_ssl_module.c
View File

@ -830,6 +830,13 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
ngx_http_ssl_npn_advertised, NULL);
#endif
if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
conf->prefer_server_ciphers)
!= NGX_OK)
{
return NGX_CONF_ERROR;
}
if (ngx_http_ssl_compile_certificates(cf, conf) != NGX_OK) {
return NGX_CONF_ERROR;
}
@ -862,13 +869,6 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
}
}
if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
conf->prefer_server_ciphers)
!= NGX_OK)
{
return NGX_CONF_ERROR;
}
conf->ssl.buffer_size = conf->buffer_size;
if (conf->verify) {

12
src/http/modules/ngx_http_uwsgi_module.c
View File

@ -2432,6 +2432,12 @@ ngx_http_uwsgi_set_ssl(ngx_conf_t *cf, ngx_http_uwsgi_loc_conf_t *uwcf)
cln->handler = ngx_ssl_cleanup_ctx;
cln->data = uwcf->upstream.ssl;
if (ngx_ssl_ciphers(cf, uwcf->upstream.ssl, &uwcf->ssl_ciphers, 0)
!= NGX_OK)
{
return NGX_ERROR;
}
if (uwcf->upstream.ssl_certificate) {
if (uwcf->upstream.ssl_certificate_key == NULL) {
@ -2463,12 +2469,6 @@ ngx_http_uwsgi_set_ssl(ngx_conf_t *cf, ngx_http_uwsgi_loc_conf_t *uwcf)
}
}
if (ngx_ssl_ciphers(cf, uwcf->upstream.ssl, &uwcf->ssl_ciphers, 0)
!= NGX_OK)
{
return NGX_ERROR;
}
if (uwcf->upstream.ssl_verify) {
if (uwcf->ssl_trusted_certificate.len == 0) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,

8
src/http/ngx_http_request.c
View File

@ -1992,6 +1992,14 @@ ngx_http_process_request_header(ngx_http_request_t *r)
}
if (r->headers_in.transfer_encoding) {
if (r->http_version < NGX_HTTP_VERSION_11) {
ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
"client sent HTTP/1.0 request with "
"\"Transfer-Encoding\" header");
ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
return NGX_ERROR;
}
if (r->headers_in.transfer_encoding->value.len == 7
&& ngx_strncasecmp(r->headers_in.transfer_encoding->value.data,
(u_char *) "chunked", 7) == 0)

3
src/http/ngx_http_request.h
View File

@ -303,6 +303,9 @@ typedef struct {
ngx_chain_t *busy;
ngx_http_chunked_t *chunked;
ngx_http_client_body_handler_pt post_handler;
unsigned filter_need_buffering:1;
unsigned last_sent:1;
unsigned last_saved:1;
} ngx_http_request_body_t;

128
src/http/ngx_http_request_body.c
View File

@ -62,11 +62,16 @@ ngx_http_read_client_request_body(ngx_http_request_t *r,
/*
* set by ngx_pcalloc():
*
* rb->temp_file = NULL;
* rb->bufs = NULL;
* rb->buf = NULL;
* rb->free = NULL;
* rb->busy = NULL;
* rb->chunked = NULL;
* rb->received = 0;
* rb->filter_need_buffering = 0;
* rb->last_sent = 0;
* rb->last_saved = 0;
*/
rb->rest = -1;
@ -151,7 +156,7 @@ ngx_http_read_client_request_body(ngx_http_request_t *r,
}
}
if (rb->rest == 0) {
if (rb->rest == 0 && rb->last_saved) {
/* the whole request body was pre-read */
r->request_body_no_buffering = 0;
post_handler(r);
@ -179,6 +184,10 @@ ngx_http_read_client_request_body(ngx_http_request_t *r,
size += preread;
}
if (size == 0) {
size++;
}
} else {
size = clcf->client_body_buffer_size;
}
@ -289,6 +298,7 @@ ngx_http_do_read_client_request_body(ngx_http_request_t *r)
size_t size;
ssize_t n;
ngx_int_t rc;
ngx_uint_t flush;
ngx_chain_t out;
ngx_connection_t *c;
ngx_http_request_body_t *rb;
@ -296,12 +306,17 @@ ngx_http_do_read_client_request_body(ngx_http_request_t *r)
c = r->connection;
rb = r->request_body;
flush = 1;
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0,
"http read client request body");
for ( ;; ) {
for ( ;; ) {
if (rb->rest == 0) {
break;
}
if (rb->buf->last == rb->buf->end) {
/* update chains */
@ -325,12 +340,25 @@ ngx_http_do_read_client_request_body(ngx_http_request_t *r)
return NGX_AGAIN;
}
if (rb->filter_need_buffering) {
clcf = ngx_http_get_module_loc_conf(r,
ngx_http_core_module);
ngx_add_timer(c->read, clcf->client_body_timeout);
if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
return NGX_HTTP_INTERNAL_SERVER_ERROR;
}
return NGX_AGAIN;
}
ngx_log_error(NGX_LOG_ALERT, c->log, 0,
"busy buffers after request body flush");
return NGX_HTTP_INTERNAL_SERVER_ERROR;
}
flush = 0;
rb->buf->pos = rb->buf->start;
rb->buf->last = rb->buf->start;
}
@ -342,6 +370,10 @@ ngx_http_do_read_client_request_body(ngx_http_request_t *r)
size = (size_t) rest;
}
if (size == 0) {
break;
}
n = c->recv(c, rb->buf->last, size);
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
@ -366,6 +398,7 @@ ngx_http_do_read_client_request_body(ngx_http_request_t *r)
/* pass buffer to request body filter chain */
flush = 0;
out.buf = rb->buf;
out.next = NULL;
@ -387,11 +420,19 @@ ngx_http_do_read_client_request_body(ngx_http_request_t *r)
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
"http client request body rest %O", rb->rest);
if (rb->rest == 0) {
if (flush) {
rc = ngx_http_request_body_filter(r, NULL);
if (rc != NGX_OK) {
return rc;
}
}
if (rb->rest == 0 && rb->last_saved) {
break;
}
if (!c->read->ready) {
if (!c->read->ready || rb->rest == 0) {
clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
ngx_add_timer(c->read, clcf->client_body_timeout);
@ -960,15 +1001,32 @@ ngx_http_request_body_length_filter(ngx_http_request_t *r, ngx_chain_t *in)
rb = r->request_body;
out = NULL;
ll = &out;
if (rb->rest == -1) {
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
"http request body content length filter");
rb->rest = r->headers_in.content_length_n;
}
out = NULL;
ll = &out;
if (rb->rest == 0) {
tl = ngx_chain_get_free_buf(r->pool, &rb->free);
if (tl == NULL) {
return NGX_HTTP_INTERNAL_SERVER_ERROR;
}
b = tl->buf;
ngx_memzero(b, sizeof(ngx_buf_t));
b->last_buf = 1;
*ll = tl;
ll = &tl->next;
}
}
for (cl = in; cl; cl = cl->next) {
@ -1032,6 +1090,9 @@ ngx_http_request_body_chunked_filter(ngx_http_request_t *r, ngx_chain_t *in)
rb = r->request_body;
out = NULL;
ll = &out;
if (rb->rest == -1) {
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
@ -1048,9 +1109,6 @@ ngx_http_request_body_chunked_filter(ngx_http_request_t *r, ngx_chain_t *in)
rb->rest = cscf->large_client_header_buffers.size;
}
out = NULL;
ll = &out;
for (cl = in; cl; cl = cl->next) {
b = NULL;
@ -1207,15 +1265,16 @@ ngx_int_t
ngx_http_request_body_save_filter(ngx_http_request_t *r, ngx_chain_t *in)
{
ngx_buf_t *b;
ngx_chain_t *cl;
ngx_chain_t *cl, *tl, **ll;
ngx_http_request_body_t *rb;
rb = r->request_body;
#if (NGX_DEBUG)
ll = &rb->bufs;
for (cl = rb->bufs; cl; cl = cl->next) {
#if 0
for (cl = rb->bufs; cl; cl = cl->next) {
ngx_log_debug7(NGX_LOG_DEBUG_EVENT, r->connection->log, 0,
"http body old buf t:%d f:%d %p, pos %p, size: %z "
"file: %O, size: %O",
@ -1224,10 +1283,13 @@ ngx_http_request_body_save_filter(ngx_http_request_t *r, ngx_chain_t *in)
cl->buf->last - cl->buf->pos,
cl->buf->file_pos,
cl->buf->file_last - cl->buf->file_pos);
}
#endif
ll = &cl->next;
}
for (cl = in; cl; cl = cl->next) {
ngx_log_debug7(NGX_LOG_DEBUG_EVENT, r->connection->log, 0,
"http body new buf t:%d f:%d %p, pos %p, size: %z "
"file: %O, size: %O",
@ -1236,15 +1298,31 @@ ngx_http_request_body_save_filter(ngx_http_request_t *r, ngx_chain_t *in)
cl->buf->last - cl->buf->pos,
cl->buf->file_pos,
cl->buf->file_last - cl->buf->file_pos);
if (cl->buf->last_buf) {
if (rb->last_saved) {
ngx_log_error(NGX_LOG_ALERT, r->connection->log, 0,
"duplicate last buf in save filter");
*ll = NULL;
return NGX_HTTP_INTERNAL_SERVER_ERROR;
}
rb->last_saved = 1;
}
tl = ngx_alloc_chain_link(r->pool);
if (tl == NULL) {
*ll = NULL;
return NGX_HTTP_INTERNAL_SERVER_ERROR;
}
tl->buf = cl->buf;
*ll = tl;
ll = &tl->next;
}
#endif
/* TODO: coalesce neighbouring buffers */
if (ngx_chain_add_copy(r->pool, &rb->bufs, in) != NGX_OK) {
return NGX_HTTP_INTERNAL_SERVER_ERROR;
}
*ll = NULL;
if (r->request_body_no_buffering) {
return NGX_OK;
@ -1261,10 +1339,18 @@ ngx_http_request_body_save_filter(ngx_http_request_t *r, ngx_chain_t *in)
return NGX_OK;
}
/* rb->rest == 0 */
if (!rb->last_saved) {
return NGX_OK;
}
if (rb->temp_file || r->request_body_in_file_only) {
if (rb->bufs && rb->bufs->buf->in_file) {
ngx_log_error(NGX_LOG_ALERT, r->connection->log, 0,
"body already in file");
return NGX_HTTP_INTERNAL_SERVER_ERROR;
}
if (ngx_http_write_request_body(r) != NGX_OK) {
return NGX_HTTP_INTERNAL_SERVER_ERROR;
}

4
src/http/ngx_http_upstream.c
View File

@ -2133,6 +2133,10 @@ ngx_http_upstream_send_request(ngx_http_request_t *r, ngx_http_upstream_t *u,
c->tcp_nopush = NGX_TCP_NOPUSH_UNSET;
}
if (c->read->ready) {
ngx_post_event(c->read, &ngx_posted_events);
}
return;
}

335
src/http/v2/ngx_http_v2.c
View File

@ -173,7 +173,7 @@ static ngx_int_t ngx_http_v2_construct_cookie_header(ngx_http_request_t *r);
static void ngx_http_v2_run_request(ngx_http_request_t *r);
static void ngx_http_v2_run_request_handler(ngx_event_t *ev);
static ngx_int_t ngx_http_v2_process_request_body(ngx_http_request_t *r,
u_char *pos, size_t size, ngx_uint_t last);
u_char *pos, size_t size, ngx_uint_t last, ngx_uint_t flush);
static ngx_int_t ngx_http_v2_filter_request_body(ngx_http_request_t *r);
static void ngx_http_v2_read_client_request_body_handler(ngx_http_request_t *r);
@ -1092,7 +1092,7 @@ static u_char *
ngx_http_v2_state_read_data(ngx_http_v2_connection_t *h2c, u_char *pos,
u_char *end)
{
size_t size;
size_t size, window;
ngx_buf_t *buf;
ngx_int_t rc;
ngx_connection_t *fc;
@ -1140,13 +1140,40 @@ ngx_http_v2_state_read_data(ngx_http_v2_connection_t *h2c, u_char *pos,
h2c->payload_bytes += size;
if (r->request_body) {
rc = ngx_http_v2_process_request_body(r, pos, size, stream->in_closed);
rc = ngx_http_v2_process_request_body(r, pos, size,
stream->in_closed, 0);
if (rc != NGX_OK) {
if (rc != NGX_OK && rc != NGX_AGAIN) {
stream->skip_data = 1;
ngx_http_finalize_request(r, rc);
}
if (rc == NGX_AGAIN && !stream->no_flow_control) {
buf = r->request_body->buf;
window = buf->end - buf->last;
window -= h2c->state.length - size;
if (window < stream->recv_window) {
ngx_log_error(NGX_LOG_ALERT, h2c->connection->log, 0,
"http2 negative window update");
return ngx_http_v2_connection_error(h2c,
NGX_HTTP_V2_INTERNAL_ERROR);
}
if (window > stream->recv_window) {
if (ngx_http_v2_send_window_update(h2c, stream->node->id,
window - stream->recv_window)
== NGX_ERROR)
{
return ngx_http_v2_connection_error(h2c,
NGX_HTTP_V2_INTERNAL_ERROR);
}
stream->recv_window = window;
}
}
ngx_http_run_posted_requests(fc);
} else if (size) {
@ -4027,16 +4054,30 @@ ngx_http_v2_read_request_body(ngx_http_request_t *r)
return NGX_OK;
}
rb->rest = 1;
/* set rb->filter_need_buffering */
rc = ngx_http_top_request_body_filter(r, NULL);
if (rc != NGX_OK) {
stream->skip_data = 1;
return rc;
}
h2scf = ngx_http_get_module_srv_conf(r, ngx_http_v2_module);
clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
len = r->headers_in.content_length_n;
if (r->request_body_no_buffering && !stream->in_closed) {
if (len < 0 || len > (off_t) clcf->client_body_buffer_size) {
len = clcf->client_body_buffer_size;
if (len < 0 || len > (off_t) clcf->client_body_buffer_size) {
len = clcf->client_body_buffer_size;
}
} else {
len++;
}
if (r->request_body_no_buffering || rb->filter_need_buffering) {
/*
* We need a room to store data up to the stream's initial window size,
@ -4050,57 +4091,54 @@ ngx_http_v2_read_request_body(ngx_http_request_t *r)
if (len > NGX_HTTP_V2_MAX_WINDOW) {
len = NGX_HTTP_V2_MAX_WINDOW;
}
rb->buf = ngx_create_temp_buf(r->pool, (size_t) len);
} else if (len >= 0 && len <= (off_t) clcf->client_body_buffer_size
&& !r->request_body_in_file_only)
{
rb->buf = ngx_create_temp_buf(r->pool, (size_t) len);
} else {
rb->buf = ngx_calloc_buf(r->pool);
if (rb->buf != NULL) {
rb->buf->sync = 1;
}
}
rb->buf = ngx_create_temp_buf(r->pool, (size_t) len);
if (rb->buf == NULL) {
stream->skip_data = 1;
return NGX_HTTP_INTERNAL_SERVER_ERROR;
}
rb->rest = 1;
buf = stream->preread;
if (stream->in_closed) {
r->request_body_no_buffering = 0;
if (!rb->filter_need_buffering) {
r->request_body_no_buffering = 0;
}
if (buf) {
rc = ngx_http_v2_process_request_body(r, buf->pos,
buf->last - buf->pos, 1);
buf->last - buf->pos, 1, 0);
ngx_pfree(r->pool, buf->start);
} else {
rc = ngx_http_v2_process_request_body(r, NULL, 0, 1, 0);
}
if (rc != NGX_AGAIN) {
return rc;
}
return ngx_http_v2_process_request_body(r, NULL, 0, 1);
r->read_event_handler = ngx_http_v2_read_client_request_body_handler;
r->write_event_handler = ngx_http_request_empty_handler;
return NGX_AGAIN;
}
if (buf) {
rc = ngx_http_v2_process_request_body(r, buf->pos,
buf->last - buf->pos, 0);
buf->last - buf->pos, 0, 0);
ngx_pfree(r->pool, buf->start);
if (rc != NGX_OK) {
if (rc != NGX_OK && rc != NGX_AGAIN) {
stream->skip_data = 1;
return rc;
}
}
if (r->request_body_no_buffering) {
if (r->request_body_no_buffering || rb->filter_need_buffering) {
size = (size_t) len - h2scf->preread_size;
} else {
@ -4142,9 +4180,9 @@ ngx_http_v2_read_request_body(ngx_http_request_t *r)
static ngx_int_t
ngx_http_v2_process_request_body(ngx_http_request_t *r, u_char *pos,
size_t size, ngx_uint_t last)
size_t size, ngx_uint_t last, ngx_uint_t flush)
{
ngx_buf_t *buf;
size_t n;
ngx_int_t rc;
ngx_connection_t *fc;
ngx_http_request_body_t *rb;
@ -4152,77 +4190,128 @@ ngx_http_v2_process_request_body(ngx_http_request_t *r, u_char *pos,
fc = r->connection;
rb = r->request_body;
buf = rb->buf;
if (size) {
if (buf->sync) {
buf->pos = buf->start = pos;
buf->last = buf->end = pos + size;
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, fc->log, 0,
"http2 process request body");
r->request_body_in_file_only = 1;
if (size == 0 && !last && !flush) {
return NGX_AGAIN;
}
} else {
if (size > (size_t) (buf->end - buf->last)) {
ngx_log_error(NGX_LOG_INFO, fc->log, 0,
"client intended to send body data "
"larger than declared");
for ( ;; ) {
for ( ;; ) {
if (rb->buf->last == rb->buf->end && size) {
return NGX_HTTP_BAD_REQUEST;
if (r->request_body_no_buffering) {
/* should never happen due to flow control */
ngx_log_error(NGX_LOG_ALERT, fc->log, 0,
"no space in http2 body buffer");
return NGX_HTTP_INTERNAL_SERVER_ERROR;
}
/* update chains */
ngx_log_error(NGX_LOG_DEBUG, fc->log, 0,
"http2 body update chains");
rc = ngx_http_v2_filter_request_body(r);
if (rc != NGX_OK) {
return rc;
}
if (rb->busy != NULL) {
ngx_log_error(NGX_LOG_ALERT, fc->log, 0,
"busy buffers after request body flush");
return NGX_HTTP_INTERNAL_SERVER_ERROR;
}
rb->buf->pos = rb->buf->start;
rb->buf->last = rb->buf->start;
}
buf->last = ngx_cpymem(buf->last, pos, size);
/* copy body data to the buffer */
n = rb->buf->end - rb->buf->last;
if (n > size) {
n = size;
}
if (n > 0) {
rb->buf->last = ngx_cpymem(rb->buf->last, pos, n);
}
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, fc->log, 0,
"http2 request body recv %uz", n);
pos += n;
size -= n;
if (size == 0 && last) {
rb->rest = 0;
}
if (r->request_body_no_buffering) {
break;
}
/* pass buffer to request body filter chain */
rc = ngx_http_v2_filter_request_body(r);
if (rc != NGX_OK) {
return rc;
}
if (rb->rest == 0) {
break;
}
if (size == 0) {
break;
}
}
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, fc->log, 0,
"http2 request body rest %O", rb->rest);
if (rb->rest == 0 && rb->last_saved) {
break;
}
if (size == 0) {
clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
ngx_add_timer(fc->read, clcf->client_body_timeout);
if (r->request_body_no_buffering) {
ngx_post_event(fc->read, &ngx_posted_events);
return NGX_AGAIN;
}
return NGX_AGAIN;
}
}
if (last) {
rb->rest = 0;
if (fc->read->timer_set) {
ngx_del_timer(fc->read);
}
if (r->request_body_no_buffering) {
ngx_post_event(fc->read, &ngx_posted_events);
return NGX_OK;
}
rc = ngx_http_v2_filter_request_body(r);
if (rc != NGX_OK) {
return rc;
}
if (buf->sync) {
/* prevent reusing this buffer in the upstream module */
rb->buf = NULL;
}
if (r->headers_in.chunked) {
r->headers_in.content_length_n = rb->received;
}
r->read_event_handler = ngx_http_block_reading;
rb->post_handler(r);
return NGX_OK;
if (fc->read->timer_set) {
ngx_del_timer(fc->read);
}
if (size == 0) {
return NGX_OK;
}
clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
ngx_add_timer(fc->read, clcf->client_body_timeout);
if (r->request_body_no_buffering) {
ngx_post_event(fc->read, &ngx_posted_events);
return NGX_OK;
}
if (buf->sync) {
return ngx_http_v2_filter_request_body(r);
if (r->headers_in.chunked) {
r->headers_in.content_length_n = rb->received;
}
r->read_event_handler = ngx_http_block_reading;
rb->post_handler(r);
return NGX_OK;
}
@ -4239,7 +4328,7 @@ ngx_http_v2_filter_request_body(ngx_http_request_t *r)
rb = r->request_body;
buf = rb->buf;
if (buf->pos == buf->last && rb->rest) {
if (buf->pos == buf->last && (rb->rest || rb->last_sent)) {
cl = NULL;
goto update;
}
@ -4302,6 +4391,7 @@ ngx_http_v2_filter_request_body(ngx_http_request_t *r)
}
b->last_buf = 1;
rb->last_sent = 1;
}
b->tag = (ngx_buf_tag_t) &ngx_http_v2_filter_request_body;
@ -4321,7 +4411,12 @@ update:
static void
ngx_http_v2_read_client_request_body_handler(ngx_http_request_t *r)
{
ngx_connection_t *fc;
size_t window;
ngx_buf_t *buf;
ngx_int_t rc;
ngx_connection_t *fc;
ngx_http_v2_stream_t *stream;
ngx_http_v2_connection_t *h2c;
fc = r->connection;
@ -4347,6 +4442,63 @@ ngx_http_v2_read_client_request_body_handler(ngx_http_request_t *r)
ngx_http_finalize_request(r, NGX_HTTP_CLIENT_CLOSED_REQUEST);
return;
}
rc = ngx_http_v2_process_request_body(r, NULL, 0, r->stream->in_closed, 1);
if (rc != NGX_OK && rc != NGX_AGAIN) {
r->stream->skip_data = 1;
ngx_http_finalize_request(r, rc);
return;
}
if (rc == NGX_OK) {
return;
}
if (r->request_body->rest == 0) {
return;
}
stream = r->stream;
h2c = stream->connection;
buf = r->request_body->buf;
window = buf->end - buf->start;
if (h2c->state.stream == stream) {
window -= h2c->state.length;
}
if (window <= stream->recv_window) {
if (window < stream->recv_window) {
ngx_log_error(NGX_LOG_ALERT, r->connection->log, 0,
"http2 negative window update");
stream->skip_data = 1;
ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);
return;
}
return;
}
if (ngx_http_v2_send_window_update(h2c, stream->node->id,
window - stream->recv_window)
== NGX_ERROR)
{
stream->skip_data = 1;
ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);
return;
}
stream->recv_window = window;
if (ngx_http_v2_send_output_queue(h2c) == NGX_ERROR) {
stream->skip_data = 1;
ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);
return;
}
}
@ -4364,6 +4516,9 @@ ngx_http_v2_read_unbuffered_request_body(ngx_http_request_t *r)
stream = r->stream;
fc = r->connection;
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, fc->log, 0,
"http2 read unbuffered request body");
if (fc->read->timedout) {
if (stream->recv_window) {
stream->skip_data = 1;
@ -4387,10 +4542,14 @@ ngx_http_v2_read_unbuffered_request_body(ngx_http_request_t *r)
return rc;
}
if (!r->request_body->rest) {
if (r->request_body->rest == 0 && r->request_body->last_saved) {
return NGX_OK;
}
if (r->request_body->rest == 0) {
return NGX_AGAIN;
}
if (r->request_body->busy != NULL) {
return NGX_AGAIN;
}

41
src/mail/ngx_mail_auth_http_module.c
View File

@ -1137,8 +1137,8 @@ ngx_mail_auth_http_create_request(ngx_mail_session_t *s, ngx_pool_t *pool,
ngx_str_t login, passwd;
ngx_connection_t *c;
#if (NGX_MAIL_SSL)
ngx_str_t verify, subject, issuer, serial, fingerprint,
raw_cert, cert;
ngx_str_t protocol, cipher, verify, subject, issuer,
serial, fingerprint, raw_cert, cert;
ngx_mail_ssl_conf_t *sslcf;
#endif
ngx_mail_core_srv_conf_t *cscf;
@ -1155,6 +1155,25 @@ ngx_mail_auth_http_create_request(ngx_mail_session_t *s, ngx_pool_t *pool,
#if (NGX_MAIL_SSL)
if (c->ssl) {
if (ngx_ssl_get_protocol(c, pool, &protocol) != NGX_OK) {
return NULL;
}
protocol.len = ngx_strlen(protocol.data);
if (ngx_ssl_get_cipher_name(c, pool, &cipher) != NGX_OK) {
return NULL;
}
cipher.len = ngx_strlen(cipher.data);
} else {
ngx_str_null(&protocol);
ngx_str_null(&cipher);
}
sslcf = ngx_mail_get_module_srv_conf(s, ngx_mail_ssl_module);
if (c->ssl && sslcf->verify) {
@ -1252,6 +1271,10 @@ ngx_mail_auth_http_create_request(ngx_mail_session_t *s, ngx_pool_t *pool,
if (c->ssl) {
len += sizeof("Auth-SSL: on" CRLF) - 1
+ sizeof("Auth-SSL-Protocol: ") - 1 + protocol.len
+ sizeof(CRLF) - 1
+ sizeof("Auth-SSL-Cipher: ") - 1 + cipher.len
+ sizeof(CRLF) - 1
+ sizeof("Auth-SSL-Verify: ") - 1 + verify.len
+ sizeof(CRLF) - 1
+ sizeof("Auth-SSL-Subject: ") - 1 + subject.len
@ -1373,6 +1396,20 @@ ngx_mail_auth_http_create_request(ngx_mail_session_t *s, ngx_pool_t *pool,
b->last = ngx_cpymem(b->last, "Auth-SSL: on" CRLF,
sizeof("Auth-SSL: on" CRLF) - 1);
if (protocol.len) {
b->last = ngx_cpymem(b->last, "Auth-SSL-Protocol: ",
sizeof("Auth-SSL-Protocol: ") - 1);
b->last = ngx_copy(b->last, protocol.data, protocol.len);
*b->last++ = CR; *b->last++ = LF;
}
if (cipher.len) {
b->last = ngx_cpymem(b->last, "Auth-SSL-Cipher: ",
sizeof("Auth-SSL-Cipher: ") - 1);
b->last = ngx_copy(b->last, cipher.data, cipher.len);
*b->last++ = CR; *b->last++ = LF;
}
if (verify.len) {
b->last = ngx_cpymem(b->last, "Auth-SSL-Verify: ",
sizeof("Auth-SSL-Verify: ") - 1);

14
src/mail/ngx_mail_ssl_module.c
View File

@ -394,6 +394,13 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
cln->handler = ngx_ssl_cleanup_ctx;
cln->data = &conf->ssl;
if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
conf->prefer_server_ciphers)
!= NGX_OK)
{
return NGX_CONF_ERROR;
}
if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates,
conf->certificate_keys, conf->passwords)
!= NGX_OK)
@ -430,13 +437,6 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
}
}
if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
conf->prefer_server_ciphers)
!= NGX_OK)
{
return NGX_CONF_ERROR;
}
if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
return NGX_CONF_ERROR;
}

66
src/os/unix/ngx_atomic.h
View File

@ -38,6 +38,39 @@ typedef volatile ngx_atomic_uint_t ngx_atomic_t;
#define ngx_cpu_pause()
#elif (NGX_HAVE_GCC_ATOMIC)
/* GCC 4.1 builtin atomic operations */
#define NGX_HAVE_ATOMIC_OPS 1
typedef long ngx_atomic_int_t;
typedef unsigned long ngx_atomic_uint_t;
#if (NGX_PTR_SIZE == 8)
#define NGX_ATOMIC_T_LEN (sizeof("-9223372036854775808") - 1)
#else
#define NGX_ATOMIC_T_LEN (sizeof("-2147483648") - 1)
#endif
typedef volatile ngx_atomic_uint_t ngx_atomic_t;
#define ngx_atomic_cmp_set(lock, old, set) \
__sync_bool_compare_and_swap(lock, old, set)
#define ngx_atomic_fetch_add(value, add) \
__sync_fetch_and_add(value, add)
#define ngx_memory_barrier() __sync_synchronize()
#if ( __i386__ || __i386 || __amd64__ || __amd64 )
#define ngx_cpu_pause() __asm__ ("pause")
#else
#define ngx_cpu_pause()
#endif
#elif (NGX_DARWIN_ATOMIC)
/*
@ -88,39 +121,6 @@ typedef uint32_t ngx_atomic_uint_t;
typedef volatile ngx_atomic_uint_t ngx_atomic_t;
#elif (NGX_HAVE_GCC_ATOMIC)
/* GCC 4.1 builtin atomic operations */
#define NGX_HAVE_ATOMIC_OPS 1
typedef long ngx_atomic_int_t;
typedef unsigned long ngx_atomic_uint_t;
#if (NGX_PTR_SIZE == 8)
#define NGX_ATOMIC_T_LEN (sizeof("-9223372036854775808") - 1)
#else
#define NGX_ATOMIC_T_LEN (sizeof("-2147483648") - 1)
#endif
typedef volatile ngx_atomic_uint_t ngx_atomic_t;
#define ngx_atomic_cmp_set(lock, old, set) \
__sync_bool_compare_and_swap(lock, old, set)
#define ngx_atomic_fetch_add(value, add) \
__sync_fetch_and_add(value, add)
#define ngx_memory_barrier() __sync_synchronize()
#if ( __i386__ || __i386 || __amd64__ || __amd64 )
#define ngx_cpu_pause() __asm__ ("pause")
#else
#define ngx_cpu_pause()
#endif
#elif ( __i386__ || __i386 )
typedef int32_t ngx_atomic_int_t;

8
src/stream/ngx_stream_proxy_module.c
View File

@ -2185,6 +2185,10 @@ ngx_stream_proxy_set_ssl(ngx_conf_t *cf, ngx_stream_proxy_srv_conf_t *pscf)
cln->handler = ngx_ssl_cleanup_ctx;
cln->data = pscf->ssl;
if (ngx_ssl_ciphers(cf, pscf->ssl, &pscf->ssl_ciphers, 0) != NGX_OK) {
return NGX_ERROR;
}
if (pscf->ssl_certificate) {
if (pscf->ssl_certificate_key == NULL) {
@ -2216,10 +2220,6 @@ ngx_stream_proxy_set_ssl(ngx_conf_t *cf, ngx_stream_proxy_srv_conf_t *pscf)
}
}
if (ngx_ssl_ciphers(cf, pscf->ssl, &pscf->ssl_ciphers, 0) != NGX_OK) {
return NGX_ERROR;
}
if (pscf->ssl_verify) {
if (pscf->ssl_trusted_certificate.len == 0) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,

14
src/stream/ngx_stream_ssl_module.c
View File

@ -720,6 +720,13 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
ngx_stream_ssl_servername);
#endif
if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
conf->prefer_server_ciphers)
!= NGX_OK)
{
return NGX_CONF_ERROR;
}
if (ngx_stream_ssl_compile_certificates(cf, conf) != NGX_OK) {
return NGX_CONF_ERROR;
}
@ -752,13 +759,6 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
}
}
if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
conf->prefer_server_ciphers)
!= NGX_OK)
{
return NGX_CONF_ERROR;
}
if (conf->verify) {
if (conf->client_certificate.len == 0 && conf->verify != 3) {