Commit Graph

6493 Commits

Author SHA1 Message Date
Maxim Dounin
b7edec61c3 SSL: logging level of "no suitable signature algorithm".
The "no suitable signature algorithm" errors are reported by OpenSSL 1.1.1
when using TLSv1.3 if there are no shared signature algorithms.  In
particular, this can happen if the client limits available signature
algorithms to something we don't have a certificate for, or to an empty
list.  For example, the following command:

    openssl s_client -connect 127.0.0.1:8443 -sigalgs rsa_pkcs1_sha1

will always result in the "no suitable signature algorithm" error
as the "rsa_pkcs1_sha1" algorithm refers solely to signatures which
appear in certificates and not defined for use in TLS 1.3 handshake
messages.

The SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS error is what BoringSSL returns
in the same situation.
2018-09-25 14:00:04 +03:00
Maxim Dounin
31ef0c47ca SSL: logging level of "no suitable key share".
The "no suitable key share" errors are reported by OpenSSL 1.1.1 when
using TLSv1.3 if there are no shared groups (that is, elliptic curves).
In particular, it is easy enough to trigger by using only a single
curve in ssl_ecdh_curve:

    ssl_ecdh_curve secp384r1;

and using a different curve in the client:

    openssl s_client -connect 127.0.0.1:443 -curves prime256v1

On the client side it is seen as "sslv3 alert handshake failure",
"SSL alert number 40":

0:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1528:SSL alert number 40

It can be also triggered with default ssl_ecdh_curve by using a curve
which is not in the default list (X25519, prime256v1, X448, secp521r1,
secp384r1):

    openssl s_client -connect 127.0.0.1:8443 -curves brainpoolP512r1

Given that many clients hardcode prime256v1, these errors might become
a common problem with TLSv1.3 if ssl_ecdh_curve is redefined.  Previously
this resulted in not using ECDH with such clients, but with TLSv1.3 it
is no longer possible and will result in a handshake failure.

The SSL_R_NO_SHARED_GROUP error is what BoringSSL returns in the same
situation.

Seen at:

https://serverfault.com/questions/932102/nginx-ssl-handshake-error-no-suitable-key-share
2018-09-25 13:59:53 +03:00
Gena Makhomed
1065455289 Cache: status must be less then 599 in *_cache_valid directives.
Previously, configurations with typo, for example

    fastcgi_cache_valid 200301 302 5m;

successfully pass configuration test. Adding check for status
codes > 599, and such configurations are now properly rejected.
2018-09-24 20:26:46 +03:00
Nova DasSarma
8117b3f5a0 Removed bgcolor attribute on body in error pages and autoindex.
The bgcolor attribute overrides compatibility settings in browsers
and leads to undesirable behavior when the default font color is set
to white in the browser, since font-color is not also overridden.
2018-09-19 09:26:47 -05:00
Sergey Kandaurov
ab9038af7e SSL: support for TLSv1.3 early data with OpenSSL.
In collaboration with Maxim Dounin.
2018-09-21 20:49:12 +03:00
Maxim Dounin
61cec6f01b SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION.
Following 7319:dcab86115261, as long as SSL_OP_NO_RENEGOTIATION is
defined, it is OpenSSL library responsibility to prevent renegotiation,
so the checks are meaningless.

Additionally, with TLSv1.3 OpenSSL tends to report SSL_CB_HANDSHAKE_START
at various unexpected moments - notably, on KeyUpdate messages and
when sending tickets.  This change prevents unexpected connection
close on KeyUpdate messages and when finishing handshake with upcoming
early data changes.
2018-09-21 20:31:32 +03:00
Maxim Dounin
a834b8aa09 Rewrite: removed r->err_status special handling (ticket #1634).
Trying to look into r->err_status in the "return" directive
makes it behave differently than real errors generated in other
parts of the code, and is an endless source of various problems.
This behaviour was introduced in 726:7b71936d5299 (0.4.4) with
the comment "fix: "return" always overrode "error_page" response code".
It is not clear if there were any real cases this was expected to fix,
but there are several cases which are broken due to this change, some
previously fixed (4147:7f64de1cc2c0).

In ticket #1634, the problem is that when r->err_status is set to
a non-special status code, it is not possible to return a response
by simply returning r->err_status.  If this is the case, the only
option is to return script's e->status instead.  An example
configuration:

    location / {
        error_page 404 =200 /err502;
        return 404;
    }

    location = /err502 {
        return 502;
    }

After the change, such a configuration will properly return
standard 502 error, much like it happens when a 502 error is
generated by proxy_pass.

This also fixes the following configuration to properly close
connection as clearly requested by "return 444":

    location / {
        error_page 404 /close;
        return 404;
    }

    location = /close {
        return 444;
    }

Previously, this required "error_page 404 = /close;" to work
as intended.
2018-09-21 15:59:33 +03:00
Maxim Dounin
e4a3211e2f Fixed socket leak with "return 444" in error_page (ticket #274).
Socket leak was observed in the following configuration:

    error_page 400 = /close;

    location = /close {
        return 444;
    }

The problem is that "return 444" triggers termination of the request,
and due to error_page termination thinks that it needs to use a posted
request to clear stack.  But at the early request processing where 400
errors are generated there are no ngx_http_run_posted_requests() calls,
so the request is only terminated after an external event.

Variants of the problem include "error_page 497" instead (ticket #695)
and various other errors generated during early request processing
(405, 414, 421, 494, 495, 496, 501, 505).

The same problem can be also triggered with "return 499" and "return 408"
as both codes trigger ngx_http_terminate_request(), much like "return 444".

To fix this, the patch adds ngx_http_run_posted_requests() calls to
ngx_http_process_request_line() and ngx_http_process_request_headers()
functions, and to ngx_http_v2_run_request() and ngx_http_v2_push_stream()
functions in HTTP/2.

Since the ngx_http_process_request() function is now only called via
other functions which call ngx_http_run_posted_requests(), the call
there is no longer needed and was removed.
2018-09-21 15:59:30 +03:00
Maxim Dounin
05029e775f SSL: restore handlers after blocking.
It is possible that after SSL_read() will return SSL_ERROR_WANT_WRITE,
further calls will return SSL_ERROR_WANT_READ without reading any
application data.  We have to call ngx_handle_write_event() and
switch back to normal write handling much like we do if there are some
application data, or the write there will be reported again and again.

Similarly, we have to switch back to normal read handling if there
is saved read handler and SSL_write() returns SSL_ERROR_WANT_WRITE.
2018-09-10 18:57:39 +03:00
Maxim Dounin
c2f90de0c5 SSL: corrected SSL_ERROR_WANT_WRITE / SSL_ERROR_WANT_READ logging.
While SSL_read() most likely to return SSL_ERROR_WANT_WRITE (and SSL_write()
accordingly SSL_ERROR_WANT_READ) during an SSL renegotiation, it is
not necessary mean that a renegotiation was started.  In particular,
it can never happen during a renegotiation or can happen multiple times
during a renegotiation.

Because of the above, misleading "peer started SSL renegotiation" info
messages were replaced with "SSL_read: want write" and "SSL_write: want read"
debug ones.

Additionally, "SSL write handler" and "SSL read handler" are now logged
by the SSL write and read handlers, to make it easier to understand that
temporary SSL handlers are called instead of normal handlers.
2018-09-10 18:57:19 +03:00
Maxim Dounin
278be041dd Lingering close changed to handle NGX_AGAIN.
The "do { c->recv() } while (c->read->ready)" form used in the
ngx_http_lingering_close_handler() is not really correct, as for
example with SSL c->read->ready may be still set when returning NGX_AGAIN
due to SSL_ERROR_WANT_WRITE.  Therefore the above might be an infinite loop.

This doesn't really matter in lingering close, as we shutdown write side
of the socket anyway and also disable renegotiation (and even without shutdown
and with renegotiation it requires using very large certificate chain and
tuning socket buffers to trigger SSL_ERROR_WANT_WRITE).  But for the sake of
correctness added an NGX_AGAIN check.
2018-09-10 18:57:13 +03:00
Maxim Dounin
07dbfd00ff gRPC: disabled keepalive when sending control frames was blocked.
If sending request body was not completed (u->request_body_sent is not set),
the upstream keepalive module won't save such a connection.  However, it
is theoretically possible (though highly unlikely) that sending of some
control frames can be blocked after the request body was sent.  The
ctx->output_blocked flag introduced to disable keepalive in such cases.
2018-09-03 19:34:02 +03:00
Maxim Dounin
71e152debe gRPC: improved keepalive handling.
The code is now able to parse additional control frames after
the response is received, and can send control frames as well.
This fixes keepalive problems as observed with grpc-c, which can
send window update and ping frames after the response, see
http://mailman.nginx.org/pipermail/nginx/2018-August/056620.html.
2018-09-03 19:34:01 +03:00
Maxim Dounin
b71792b110 Uwsgi: added a check on maximum uwsgi request size.
Requested by Chris Caputo.
2018-09-03 19:17:06 +03:00
Maxim Dounin
07c3e79b64 Uwsgi: style. 2018-09-03 19:17:01 +03:00
Roman Arutyunyan
09cb553c7f Version bump. 2018-08-30 14:42:15 +03:00
Roman Arutyunyan
d9908c6c9a Stream: avoid potential infinite loop at preread phase.
Previously the preread phase code ignored NGX_AGAIN value returned from
c->recv() and relied only on c->read->ready.  But this flag is not reliable and
should only be checked for optimization purposes.  For example, when using
SSL, c->read->ready may be set when no input is available.  This can lead to
calling preread handler infinitely in a loop.
2018-08-29 15:56:42 +03:00
Maxim Dounin
73d467cecd release-1.15.3 tag 2018-08-28 18:36:00 +03:00
Maxim Dounin
3b8bf4e6a6 nginx-1.15.3-RELEASE 2018-08-28 18:36:00 +03:00
Maxim Dounin
719d14de8e Updated OpenSSL used for win32 builds. 2018-08-28 15:05:41 +03:00
Vladimir Homutov
62821f1c99 Upstream: fixed request chain traversal (ticket #1618).
The problem does not manifest itself currently, because in case of
non-buffered reading, chain link created by u->create_request method
consists of a single element.

Found by PVS-Studio.
2018-08-24 12:19:37 +03:00
Maxim Dounin
d817ceae72 Upstream keepalive: keepalive_requests directive.
The directive configures maximum number of requests allowed on
a connection kept in the cache.  Once a connection reaches the number
of requests configured, it is no longer saved to the cache.
The default is 100.

Much like keepalive_requests for client connections, this is mostly
a safeguard to make sure connections are closed periodically and the
memory allocated from the connection pool is freed.
2018-08-10 21:54:46 +03:00
Maxim Dounin
7de808990b Upstream keepalive: keepalive_timeout directive.
The directive configures maximum time a connection can be kept in the
cache.  By configuring a time which is smaller than the corresponding
timeout on the backend side one can avoid the race between closing
a connection by the backend and nginx trying to use the same connection
to send a request at the same time.
2018-08-10 21:54:23 +03:00
Maxim Dounin
f3d1a925b5 Upstream keepalive: comment added. 2018-08-10 21:54:17 +03:00
Maxim Dounin
1b1b632eed SSL: fixed build with LibreSSL 2.8.0 (ticket #1605).
LibreSSL 2.8.0 "added const annotations to many existing APIs from OpenSSL,
making interoperability easier for downstream applications".  This includes
the const change in the SSL_CTX_sess_set_get_cb() callback function (see
9dd43f4ef67e), which breaks compilation.

To fix this, added a condition on how we redefine OPENSSL_VERSION_NUMBER
when working with LibreSSL (see 382fc7069e3a).  With LibreSSL 2.8.0,
we now set OPENSSL_VERSION_NUMBER to 0x1010000fL (OpenSSL 1.1.0), so the
appropriate conditions in the code will use "const" as it happens with
OpenSSL 1.1.0 and later versions.
2018-08-10 20:49:06 +03:00
Maxim Konovalov
3c9dcff8bd A link to the error_log directive on nginx.org removed.
It makes more harm than good for users and nginx.org
infrastructure.
2018-08-10 14:15:05 +03:00
Maxim Dounin
0d224602e9 HTTP/2: workaround for clients which fail on table size updates.
There are clients which cannot handle HPACK's dynamic table size updates
as added in 12cadc4669a7 (1.13.6).  Notably, old versions of OkHttp library
are known to fail on it (ticket #1397).

This change makes it possible to work with such clients by only sending
dynamic table size updates in response to SETTINGS_HEADER_TABLE_SIZE.  As
a downside, clients which do not use SETTINGS_HEADER_TABLE_SIZE will
continue to maintain default 4k table.
2018-08-09 20:12:17 +03:00
Maxim Dounin
dd8e1e178c Skipping spaces in configuration files (ticket #1557).
Previously, a chunk of spaces larger than NGX_CONF_BUFFER (4096 bytes)
resulted in the "too long parameter" error during parsing such a
configuration.  This was because the code only set start and start_line
on non-whitespace characters, and hence adjacent whitespace characters
were preserved when reading additional data from the configuration file.
Fix is to always move start and start_line if the last character was
a space.
2018-08-09 12:15:42 +03:00
Maxim Dounin
3b1589173f SSL: support for TLSv1.3 early data with BoringSSL.
Early data AKA 0-RTT mode is enabled as long as "ssl_early_data on" is
specified in the configuration (default is off).

The $ssl_early_data variable evaluates to "1" if the SSL handshake
isn't yet completed, and can be used to set the Early-Data header as
per draft-ietf-httpbis-replay-04.
2018-08-07 02:16:07 +03:00
Maxim Dounin
9f30fda1c2 SSL: enabled TLSv1.3 with BoringSSL.
BoringSSL currently requires SSL_CTX_set_max_proto_version(TLS1_3_VERSION)
to be able to enable TLS 1.3.  This is because by default max protocol
version is set to TLS 1.2, and the SSL_OP_NO_* options are merely used
as a blacklist within the version range specified using the
SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version()
functions.

With this change, we now call SSL_CTX_set_max_proto_version() with an
explicit maximum version set.  This enables TLS 1.3 with BoringSSL.
As a side effect, this change also limits maximum protocol version to
the newest protocol we know about, TLS 1.3.  This seems to be a good
change, as enabling unknown protocols might have unexpected results.

Additionally, we now explicitly call SSL_CTX_set_min_proto_version()
with 0.  This is expected to help with Debian system-wide default
of MinProtocol set to TLSv1.2, see
http://mailman.nginx.org/pipermail/nginx-ru/2017-October/060411.html.

Note that there is no SSL_CTX_set_min_proto_version macro in BoringSSL,
so we call SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version()
as long as the TLS1_3_VERSION macro is defined.
2018-08-07 02:15:28 +03:00
Sergey Kandaurov
a6baf5e508 Dav: removed dead store after 8e7a5de61664.
Found by Clang Static Analyzer.
2018-08-02 13:19:48 +03:00
Maxim Dounin
04a6d9d3c9 Dav: changed COPY of a file to preserve access mask.
The behaviour is now in line with COPY of a directory with contents,
which preserves access masks on individual files, as well as the "cp"
command.

Requested by Roman Arutyunyan.
2018-08-01 02:12:21 +03:00
Maxim Dounin
9e0d1236f1 Dav: changed ngx_copy_file() to preserve access and mtime.
This fixes wrong permissions and file time after cross-device MOVE
in the DAV module (ticket #1577).  Broken in 8101d9101ed8 (0.8.9) when
cross-device copying was introduced in ngx_ext_rename_file().

With this change, ngx_copy_file() always calls ngx_set_file_time(),
either with the time provided, or with the time from the original file.
This is considered acceptable given that copying the file is costly anyway,
and optimizing cases when we do not need to preserve time will require
interface changes.
2018-08-01 02:12:11 +03:00
Maxim Dounin
6bff9c9967 Dav: fixed ngx_copy_file() to truncate destination file.
Previously, ngx_open_file(NGX_FILE_CREATE_OR_OPEN) was used, resulting
in destination file being partially rewritten if exists.  Notably,
this affected WebDAV COPY command (ticket #1576).
2018-08-01 02:11:58 +03:00
Sergey Kandaurov
d5c43bf51c Configure: fixed compiler warnings with "-Wall -Wextra". 2018-07-24 18:46:54 +03:00
Sergey Kandaurov
a1e2c5566c Version bump. 2018-07-24 18:46:18 +03:00
Maxim Dounin
aabb5ea332 release-1.15.2 tag 2018-07-24 16:11:00 +03:00
Maxim Dounin
924ccf2f4e nginx-1.15.2-RELEASE 2018-07-24 16:10:59 +03:00
Maxim Dounin
5a19c034f3 Fixed NGX_TID_T_FMT format specification for uint64_t.
Previously, "%uA" was used, which corresponds to ngx_atomic_uint_t.
Size of ngx_atomic_uint_t can be easily different from uint64_t,
leading to undefined results.
2018-07-22 04:03:40 +03:00
Sergey Kandaurov
b93931ae82 Stream ssl_preread: added SSLv2 Client Hello support.
In particular, it was not possible to obtain SSLv2 protocol version.
2018-07-18 18:51:25 +03:00
Ruslan Ermilov
372b624627 Fixed invalid access to location defined as an empty string. 2018-07-17 15:30:43 +03:00
Sergey Kandaurov
d5a27006e0 SSL: save sessions for upstream peers using a callback function.
In TLSv1.3, NewSessionTicket messages arrive after the handshake and
can come at any time.  Therefore we use a callback to save the session
when we know about it.  This approach works for < TLSv1.3 as well.
The callback function is set once per location on merge phase.

Since SSL_get_session() in BoringSSL returns an unresumable session for
TLSv1.3, peer save_session() methods have been updated as well to use a
session supplied within the callback.  To preserve API, the session is
cached in c->ssl->session.  It is preferably accessed in save_session()
methods by ngx_ssl_get_session() and ngx_ssl_get0_session() wrappers.
2018-07-17 12:53:23 +03:00
Maxim Dounin
e1bebd05cb SSL: use of the SSL_OP_NO_RENEGOTIATION option (ticket #1376).
The SSL_OP_NO_RENEGOTIATION option is available in OpenSSL 1.1.0h+ and can
save some CPU cycles on renegotiation attempts.
2018-07-16 17:47:48 +03:00
Maxim Dounin
1456129902 SSL: fixed SSL_clear_options() usage with OpenSSL 1.1.0+.
In OpenSSL 1.1.0 the SSL_CTRL_CLEAR_OPTIONS macro was removed, so
conditional compilation test on it results in SSL_clear_options()
and SSL_CTX_clear_options() not being used.  Notably, this caused
"ssl_prefer_server_ciphers off" to not work in SNI-based virtual
servers if server preference was switched on in the default server.

It looks like the only possible fix is to test OPENSSL_VERSION_NUMBER
explicitly.
2018-07-16 17:47:20 +03:00
Maxim Dounin
b1734fd800 SSL: logging levels of "unsupported protocol", "version too low".
Starting with OpenSSL 1.1.0, SSL_R_UNSUPPORTED_PROTOCOL instead of
SSL_R_UNKNOWN_PROTOCOL is reported when a protocol is disabled via
an SSL_OP_NO_* option.

Additionally, SSL_R_VERSION_TOO_LOW is reported when using MinProtocol
or when seclevel checks (as set by @SECLEVEL=n in the cipher string)
rejects a protocol, and this is what happens with SSLv3 and @SECLEVEL=1,
which is the default.

There is also the SSL_R_VERSION_TOO_HIGH error code, but it looks like
it is not possible to trigger it.
2018-07-16 17:47:18 +03:00
Maxim Dounin
85b44b46fb Events: added configuration check on the number of connections.
There should be at least one worker connection for each listening socket,
plus an additional connection for channel between worker and master,
or starting worker processes will fail.
2018-07-12 19:50:07 +03:00
Maxim Dounin
751bdd3bb2 Events: moved sockets cloning to ngx_event_init_conf().
Previously, listenings sockets were not cloned if the worker_processes
directive was specified after "listen ... reuseport".

This also simplifies upcoming configuration check on the number
of worker connections, as it needs to know the number of listening
sockets before cloning.
2018-07-12 19:50:02 +03:00
Roman Arutyunyan
a8e38e2a9c Stream ssl_preread: $ssl_preread_protocol variable.
The variable keeps the latest SSL protocol version supported by the client.
The variable has the same format as $ssl_protocol.

The version is read from the client_version field of ClientHello.  If the
supported_versions extension is present in the ClientHello, then the version
is set to TLSv1.3.
2018-07-11 17:56:51 +03:00
Ruslan Ermilov
527cac2979 Allow resetting connections closed by "return 444" (ticket #905).
If reset_timedout_connection is on, TCP connections closed by
"return 444" will be reset instead of a normal close.
2018-07-12 12:50:20 +03:00
Maxim Dounin
f62d460d5b Resolver: retry sending queries on errors (ticket #1511).
Errors when sending UDP datagrams can happen, e.g., when local IP address
changes (see fa0e093b64d7), or an unavailable DNS server on the LAN can cause
send() to fail with EHOSTDOWN on BSD systems.  If this happens during
initial query, retry sending immediately, to a different DNS server when
possible.  If this is not enough, allow normal resend to happen by ignoring
the return code of the second ngx_resolver_send_query() call, much like we
do in ngx_resolver_resend().
2018-07-05 22:21:14 +03:00