From owner-dev-commits-ports-all@freebsd.org Fri Apr 23 14:47:48 2021 Return-Path: Delivered-To: dev-commits-ports-all@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id DF0095F569C; Fri, 23 Apr 2021 14:47:48 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4FRcb861RKz4kp2; Fri, 23 Apr 2021 14:47:48 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id C14197216; Fri, 23 Apr 2021 14:47:48 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 13NElmcT093428; Fri, 23 Apr 2021 14:47:48 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 13NElmd1093427; Fri, 23 Apr 2021 14:47:48 GMT (envelope-from git) Date: Fri, 23 Apr 2021 14:47:48 GMT Message-Id: <202104231447.13NElmd1093427@gitrepo.freebsd.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org From: Jochen Neumeister Subject: git: 290fb053aba2 - main - Refresh the kernel TLS patch. MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: joneum X-Git-Repository: ports X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 290fb053aba28c7b6e53a09a45bd053d2bf33894 Auto-Submitted: auto-generated X-BeenThere: dev-commits-ports-all@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Commit messages for all branches of the ports repository List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 23 Apr 2021 14:47:48 -0000 The branch main has been updated by joneum: URL: https://cgit.FreeBSD.org/ports/commit/?id=290fb053aba28c7b6e53a09a45bd053d2bf33894 commit 290fb053aba28c7b6e53a09a45bd053d2bf33894 Author: Jochen Neumeister AuthorDate: 2021-04-23 14:37:10 +0000 Commit: Jochen Neumeister CommitDate: 2021-04-23 14:38:13 +0000 Refresh the kernel TLS patch. This functionality is available with the following prerequisites: o) security/openssl built from ports with the kTLS options defined; o) FreeBSD 13. Obtained from: www/nginx-devel Sponsored by: Netzkommune GmbH --- www/nginx/Makefile | 6 +- www/nginx/files/extra-patch-ktls | 469 +++++---------------------------------- 2 files changed, 59 insertions(+), 416 deletions(-) diff --git a/www/nginx/Makefile b/www/nginx/Makefile index 9c997e7b90a0..c664aeb3565c 100644 --- a/www/nginx/Makefile +++ b/www/nginx/Makefile @@ -2,7 +2,7 @@ PORTNAME= nginx PORTVERSION= 1.20.0 -PORTREVISION?= 0 +PORTREVISION?= 1 PORTEPOCH= 2 CATEGORIES= www MASTER_SITES= https://nginx.org/download/ \ @@ -227,10 +227,6 @@ IGNORE= requires at least HTTP or MAIL to \ PKGNAMESUFFIX:= ${PKGNAMESUFFIX}-nopcre .endif -.if ${PORT_OPTIONS:MKTLS} -CFLAGS+= -DNGX_SSL_SENDFILE -.endif - .if ${PORT_OPTIONS:MPASSENGER} && empty(PORT_OPTIONS:MDEBUG) CONFIGURE_ENV+= OPTIMIZE="yes" CFLAGS+= -DNDEBUG diff --git a/www/nginx/files/extra-patch-ktls b/www/nginx/files/extra-patch-ktls index c26f2f8d8b84..52c40f53933c 100644 --- a/www/nginx/files/extra-patch-ktls +++ b/www/nginx/files/extra-patch-ktls @@ -1,17 +1,39 @@ -diff --git a/src/core/ngx_log.h b/src/core/ngx_log.h -index afb73bf7..4c6e9c2c 100644 ---- a/src/core/ngx_log.h -+++ b/src/core/ngx_log.h -@@ -30,6 +30,7 @@ - #define NGX_LOG_DEBUG_HTTP 0x100 - #define NGX_LOG_DEBUG_MAIL 0x200 - #define NGX_LOG_DEBUG_STREAM 0x400 -+#define NGX_LOG_DEBUG_SSL 0x800 +From 11ad5d15c487ecc0a37f9747bb4bfa5bb96893c1 Mon Sep 17 00:00:00 2001 +From: John Baldwin +Date: Thu, 22 Aug 2019 12:18:32 -0700 +Subject: [PATCH] Add support for using SSL_sendfile from OpenSSL. + +This uses kernel TLS on systems supported by OpenSSL to send +files via sendfile() over TLS connections. +--- + auto/lib/openssl/conf | 8 ++ + src/event/ngx_event_openssl.c | 172 ++++++++++++++++++++++++++++++++++ + src/event/ngx_event_openssl.h | 7 ++ + src/http/ngx_http_request.c | 14 ++- + src/http/ngx_http_upstream.c | 5 + + 5 files changed, 203 insertions(+), 3 deletions(-) + +diff --git a/auto/lib/openssl/conf b/auto/lib/openssl/conf +index 4fb52df7fe..c4772248ae 100644 +--- a/auto/lib/openssl/conf ++++ b/auto/lib/openssl/conf +@@ -123,6 +123,14 @@ else + CORE_INCS="$CORE_INCS $ngx_feature_path" + CORE_LIBS="$CORE_LIBS $ngx_feature_libs" + OPENSSL=YES ++ ++ ngx_feature="SSL_sendfile()" ++ ngx_feature_name="NGX_SSL_SENDFILE" ++ ngx_feature_run=no ++ ngx_feature_test="SSL *ssl; ++ (void)BIO_get_ktls_send(SSL_get_wbio(ssl)); ++ SSL_sendfile(ssl, -1, 0, 0, 0);" ++ . auto/feature + fi + fi - /* - * do not forget to update debug_levels[] in src/core/ngx_log.c diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c -index 7be4fb4c..dd147c42 100644 +index 93a6ae46ea..04759827fc 100644 --- a/src/event/ngx_event_openssl.c +++ b/src/event/ngx_event_openssl.c @@ -52,6 +52,10 @@ static void ngx_ssl_shutdown_handler(ngx_event_t *ev); @@ -25,34 +47,7 @@ index 7be4fb4c..dd147c42 100644 static ngx_int_t ngx_ssl_session_id_context(ngx_ssl_t *ssl, ngx_str_t *sess_ctx, ngx_array_t *certificates); -@@ -1022,7 +1026,7 @@ ngx_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store) - iname = X509_get_issuer_name(cert); - issuer = iname ? X509_NAME_oneline(iname, NULL, 0) : "(none)"; - -- ngx_log_debug5(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ ngx_log_debug5(NGX_LOG_DEBUG_SSL, c->log, 0, - "verify:%d, error:%d, depth:%d, " - "subject:\"%s\", issuer:\"%s\"", - ok, err, depth, subject, issuer); -@@ -1055,7 +1059,7 @@ ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, int ret) - - if (c->ssl->handshaked) { - c->ssl->renegotiation = 1; -- ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL renegotiation"); -+ ngx_log_debug0(NGX_LOG_DEBUG_SSL, c->log, 0, "SSL renegotiation"); - } - } - -@@ -1616,7 +1620,7 @@ ngx_ssl_handshake(ngx_connection_t *c) - - n = SSL_do_handshake(c->ssl->connection); - -- ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_do_handshake: %d", n); -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, "SSL_do_handshake: %d", n); - - if (n == 1) { - -@@ -1637,7 +1641,11 @@ ngx_ssl_handshake(ngx_connection_t *c) +@@ -1712,7 +1716,11 @@ ngx_ssl_handshake(ngx_connection_t *c) c->recv = ngx_ssl_recv; c->send = ngx_ssl_write; c->recv_chain = ngx_ssl_recv_chain; @@ -64,13 +59,13 @@ index 7be4fb4c..dd147c42 100644 #ifndef SSL_OP_NO_RENEGOTIATION #if OPENSSL_VERSION_NUMBER < 0x10100000L -@@ -1652,12 +1660,19 @@ ngx_ssl_handshake(ngx_connection_t *c) - #endif - #endif +@@ -1741,6 +1749,13 @@ ngx_ssl_handshake(ngx_connection_t *c) + + c->ssl->handshaked = 1; +#if (NGX_SSL_SENDFILE) -+ c->ssl->can_use_sendfile = BIO_get_ktls_send(SSL_get_wbio(c->ssl->connection)); -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, ++ c->ssl->can_use_sendfile = !!BIO_get_ktls_send(SSL_get_wbio(c->ssl->connection)); ++ ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, + "BIO_get_ktls_send: %d", c->ssl->can_use_sendfile); + c->sendfile = c->ssl->can_use_sendfile ? 1 : 0; +#endif @@ -78,125 +73,7 @@ index 7be4fb4c..dd147c42 100644 return NGX_OK; } - sslerr = SSL_get_error(c->ssl->connection, n); - -- ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr); -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, "SSL_get_error: %d", sslerr); - - if (sslerr == SSL_ERROR_WANT_READ) { - c->read->ready = 0; -@@ -1728,7 +1743,7 @@ ngx_ssl_try_early_data(ngx_connection_t *c) - - n = SSL_read_early_data(c->ssl->connection, &buf, 1, &readbytes); - -- ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ ngx_log_debug2(NGX_LOG_DEBUG_SSL, c->log, 0, - "SSL_read_early_data: %d, %uz", n, readbytes); - - if (n == SSL_READ_EARLY_DATA_FINISH) { -@@ -1770,7 +1785,7 @@ ngx_ssl_try_early_data(ngx_connection_t *c) - - sslerr = SSL_get_error(c->ssl->connection, n); - -- ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr); -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, "SSL_get_error: %d", sslerr); - - if (sslerr == SSL_ERROR_WANT_READ) { - c->read->ready = 0; -@@ -1861,17 +1876,17 @@ ngx_ssl_handshake_log(ngx_connection_t *c) - - *d = '\0'; - -- ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ ngx_log_debug2(NGX_LOG_DEBUG_SSL, c->log, 0, - "SSL: %s, cipher: \"%s\"", - SSL_get_version(c->ssl->connection), &buf[1]); - - if (SSL_session_reused(c->ssl->connection)) { -- ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ ngx_log_debug0(NGX_LOG_DEBUG_SSL, c->log, 0, - "SSL reused session"); - } - - } else { -- ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ ngx_log_debug0(NGX_LOG_DEBUG_SSL, c->log, 0, - "SSL no shared ciphers"); - } - } -@@ -1886,7 +1901,7 @@ ngx_ssl_handshake_handler(ngx_event_t *ev) - - c = ev->data; - -- ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, - "SSL handshake handler: %d", ev->write); - - if (ev->timedout) { -@@ -1996,7 +2011,7 @@ ngx_ssl_recv(ngx_connection_t *c, u_char *buf, size_t size) - - n = SSL_read(c->ssl->connection, buf, size); - -- ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_read: %d", n); -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, "SSL_read: %d", n); - - if (n > 0) { - bytes += n; -@@ -2100,7 +2115,7 @@ ngx_ssl_recv_early(ngx_connection_t *c, u_char *buf, size_t size) - - n = SSL_read_early_data(c->ssl->connection, buf, size, &readbytes); - -- ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ ngx_log_debug2(NGX_LOG_DEBUG_SSL, c->log, 0, - "SSL_read_early_data: %d, %uz", n, readbytes); - - if (n == SSL_READ_EARLY_DATA_SUCCESS) { -@@ -2220,7 +2235,7 @@ ngx_ssl_handle_recv(ngx_connection_t *c, int n) - - err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; - -- ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr); -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, "SSL_get_error: %d", sslerr); - - if (sslerr == SSL_ERROR_WANT_READ) { - -@@ -2243,7 +2258,7 @@ ngx_ssl_handle_recv(ngx_connection_t *c, int n) - - if (sslerr == SSL_ERROR_WANT_WRITE) { - -- ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ ngx_log_debug0(NGX_LOG_DEBUG_SSL, c->log, 0, - "SSL_read: want write"); - - c->write->ready = 0; -@@ -2268,7 +2283,7 @@ ngx_ssl_handle_recv(ngx_connection_t *c, int n) - c->ssl->no_send_shutdown = 1; - - if (sslerr == SSL_ERROR_ZERO_RETURN || ERR_peek_error() == 0) { -- ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ ngx_log_debug0(NGX_LOG_DEBUG_SSL, c->log, 0, - "peer shutdown SSL cleanly"); - return NGX_DONE; - } -@@ -2286,7 +2301,7 @@ ngx_ssl_write_handler(ngx_event_t *wev) - - c = wev->data; - -- ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL write handler"); -+ ngx_log_debug0(NGX_LOG_DEBUG_SSL, c->log, 0, "SSL write handler"); - - c->read->handler(c->read); - } -@@ -2390,7 +2405,7 @@ ngx_ssl_send_chain(ngx_connection_t *c, ngx_chain_t *in, off_t limit) - size = (ssize_t) (limit - send); - } - -- ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, - "SSL buf copy: %z", size); - - ngx_memcpy(buf->last, in->buf->pos, size); -@@ -2454,6 +2469,163 @@ ngx_ssl_send_chain(ngx_connection_t *c, ngx_chain_t *in, off_t limit) +@@ -2609,6 +2624,163 @@ ngx_ssl_send_chain(ngx_connection_t *c, ngx_chain_t *in, off_t limit) return in; } @@ -209,7 +86,7 @@ index 7be4fb4c..dd147c42 100644 + + can_use_sendfile = BIO_get_ktls_send(SSL_get_wbio(c->ssl->connection)); + -+ ngx_log_debug5(NGX_LOG_DEBUG_SSL, c->log, 0, ++ ngx_log_debug5(NGX_LOG_DEBUG_EVENT, c->log, 0, + "Sending chain %p can_use_sendfile:%d c->sendfile:%d " \ + "c->ssl->buffer:%d limit:%O", + in, can_use_sendfile, c->sendfile, c->ssl->buffer, limit); @@ -244,14 +121,14 @@ index 7be4fb4c..dd147c42 100644 + + n = ngx_ssl_sendfile(c, in->buf->file->fd, in->buf->file_pos, + sendfile_size, sendfile_flags); -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, ++ ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, + "ngx_ssl_sendfile returns:%z", n); + } else { + n = ngx_ssl_write(c, in->buf->pos, in->buf->last - in->buf->pos); -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, ++ ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, + "ngx_ssl_write returns:%z", n); + } -+ ++ + if (n == NGX_ERROR) { + return NGX_CHAIN_ERROR; + } @@ -279,12 +156,12 @@ index 7be4fb4c..dd147c42 100644 + + ngx_ssl_clear_error(c->log); + -+ ngx_log_debug3(NGX_LOG_DEBUG_SSL, c->log, 0, ++ ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0, + "SSL to sendfile: %uz at %O with %Xd", size, off, flags); + + n = SSL_sendfile(c->ssl->connection, fd, off, size, flags); + -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, "SSL_sendfile: %d", n); ++ ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_sendfile: %d", n); + + if (n > 0) { + @@ -310,14 +187,14 @@ index 7be4fb4c..dd147c42 100644 + +#ifdef __FreeBSD__ + if (sslerr == SSL_ERROR_WANT_WRITE && ngx_errno == EBUSY) { -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, "bioerr=NGX_EBUSY, sslerr=%d", sslerr); ++ ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "bioerr=NGX_EBUSY, sslerr=%d", sslerr); + return NGX_BUSY; + } +#endif + + err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; + -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, "SSL_get_error: %d", sslerr); ++ ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr); + + if (sslerr == SSL_ERROR_WANT_WRITE) { + c->write->ready = 0; @@ -360,242 +237,12 @@ index 7be4fb4c..dd147c42 100644 ssize_t ngx_ssl_write(ngx_connection_t *c, u_char *data, size_t size) -@@ -2469,11 +2641,11 @@ ngx_ssl_write(ngx_connection_t *c, u_char *data, size_t size) - - ngx_ssl_clear_error(c->log); - -- ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL to write: %uz", size); -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, "SSL to write: %uz", size); - - n = SSL_write(c->ssl->connection, data, size); - -- ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_write: %d", n); -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, "SSL_write: %d", n); - - if (n > 0) { - -@@ -2499,7 +2671,7 @@ ngx_ssl_write(ngx_connection_t *c, u_char *data, size_t size) - - err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; - -- ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr); -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, "SSL_get_error: %d", sslerr); - - if (sslerr == SSL_ERROR_WANT_WRITE) { - -@@ -2522,7 +2694,7 @@ ngx_ssl_write(ngx_connection_t *c, u_char *data, size_t size) - - if (sslerr == SSL_ERROR_WANT_READ) { - -- ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ ngx_log_debug0(NGX_LOG_DEBUG_SSL, c->log, 0, - "SSL_write: want read"); - - c->read->ready = 0; -@@ -2565,13 +2737,13 @@ ngx_ssl_write_early(ngx_connection_t *c, u_char *data, size_t size) - - ngx_ssl_clear_error(c->log); - -- ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL to write: %uz", size); -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, "SSL to write: %uz", size); - - written = 0; - - n = SSL_write_early_data(c->ssl->connection, data, size, &written); - -- ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ ngx_log_debug2(NGX_LOG_DEBUG_SSL, c->log, 0, - "SSL_write_early_data: %d, %uz", n, written); - - if (n > 0) { -@@ -2603,11 +2775,11 @@ ngx_ssl_write_early(ngx_connection_t *c, u_char *data, size_t size) - - err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; - -- ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr); -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, "SSL_get_error: %d", sslerr); - - if (sslerr == SSL_ERROR_WANT_WRITE) { - -- ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ ngx_log_debug0(NGX_LOG_DEBUG_SSL, c->log, 0, - "SSL_write_early_data: want write"); - - if (c->ssl->saved_read_handler) { -@@ -2637,7 +2809,7 @@ ngx_ssl_write_early(ngx_connection_t *c, u_char *data, size_t size) - - if (sslerr == SSL_ERROR_WANT_READ) { - -- ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ ngx_log_debug0(NGX_LOG_DEBUG_SSL, c->log, 0, - "SSL_write_early_data: want read"); - - c->read->ready = 0; -@@ -2678,7 +2850,7 @@ ngx_ssl_read_handler(ngx_event_t *rev) - - c = rev->data; - -- ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL read handler"); -+ ngx_log_debug0(NGX_LOG_DEBUG_SSL, c->log, 0, "SSL read handler"); - - c->write->handler(c->write); - } -@@ -2740,7 +2912,7 @@ ngx_ssl_shutdown(ngx_connection_t *c) - - n = SSL_shutdown(c->ssl->connection); - -- ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_shutdown: %d", n); -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, "SSL_shutdown: %d", n); - - sslerr = 0; - -@@ -2749,7 +2921,7 @@ ngx_ssl_shutdown(ngx_connection_t *c) - if (n != 1 && ERR_peek_error()) { - sslerr = SSL_get_error(c->ssl->connection, n); - -- ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, - "SSL_get_error: %d", sslerr); - } - -@@ -2803,7 +2975,7 @@ ngx_ssl_shutdown_handler(ngx_event_t *ev) - c->timedout = 1; - } - -- ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ev->log, 0, "SSL shutdown handler"); -+ ngx_log_debug0(NGX_LOG_DEBUG_SSL, ev->log, 0, "SSL shutdown handler"); - - if (ngx_ssl_shutdown(c) == NGX_AGAIN) { - return; -@@ -3404,7 +3576,7 @@ ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess) - - hash = ngx_crc32_short(session_id, session_id_length); - -- ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ ngx_log_debug3(NGX_LOG_DEBUG_SSL, c->log, 0, - "ssl new session: %08XD:%ud:%d", - hash, session_id_length, len); - -@@ -3471,7 +3643,7 @@ ngx_ssl_get_cached_session(ngx_ssl_conn_t *ssl_conn, - - c = ngx_ssl_get_connection(ssl_conn); - -- ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ ngx_log_debug2(NGX_LOG_DEBUG_SSL, c->log, 0, - "ssl get session: %08XD:%d", hash, len); - - shm_zone = SSL_CTX_get_ex_data(c->ssl->session_ctx, -@@ -3591,7 +3763,7 @@ ngx_ssl_remove_session(SSL_CTX *ssl, ngx_ssl_session_t *sess) - - hash = ngx_crc32_short(id, len); - -- ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ngx_cycle->log, 0, -+ ngx_log_debug2(NGX_LOG_DEBUG_SSL, ngx_cycle->log, 0, - "ssl remove session: %08XD:%ud", hash, len); - - shpool = (ngx_slab_pool_t *) shm_zone->shm.addr; -@@ -3669,7 +3841,7 @@ ngx_ssl_expire_sessions(ngx_ssl_session_cache_t *cache, - - ngx_queue_remove(q); - -- ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ngx_cycle->log, 0, -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, ngx_cycle->log, 0, - "expire session: %08Xi", sess_id->node.key); - - ngx_rbtree_delete(&cache->session_rbtree, &sess_id->node); -@@ -3904,7 +4076,7 @@ ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn, - if (enc == 1) { - /* encrypt session ticket */ - -- ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ ngx_log_debug3(NGX_LOG_DEBUG_SSL, c->log, 0, - "ssl session ticket encrypt, key: \"%*s\" (%s session)", - ngx_hex_dump(buf, key[0].name, 16) - buf, buf, - SSL_session_reused(ssl_conn) ? "reused" : "new"); -@@ -3951,7 +4123,7 @@ ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn, - } - } - -- ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ ngx_log_debug2(NGX_LOG_DEBUG_SSL, c->log, 0, - "ssl session ticket decrypt, key: \"%*s\" not found", - ngx_hex_dump(buf, name, 16) - buf, buf); - -@@ -3959,7 +4131,7 @@ ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn, - - found: - -- ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ ngx_log_debug3(NGX_LOG_DEBUG_SSL, c->log, 0, - "ssl session ticket decrypt, key: \"%*s\"%s", - ngx_hex_dump(buf, key[i].name, 16) - buf, buf, - (i == 0) ? " (default)" : ""); -@@ -4056,12 +4228,12 @@ ngx_ssl_check_host(ngx_connection_t *c, ngx_str_t *name) - } - - if (X509_check_host(cert, (char *) name->data, name->len, 0, NULL) != 1) { -- ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ ngx_log_debug0(NGX_LOG_DEBUG_SSL, c->log, 0, - "X509_check_host(): no match"); - goto failed; - } - -- ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ ngx_log_debug0(NGX_LOG_DEBUG_SSL, c->log, 0, - "X509_check_host(): match"); - - goto found; -@@ -4094,19 +4266,19 @@ ngx_ssl_check_host(ngx_connection_t *c, ngx_str_t *name) - - str = altname->d.dNSName; - -- ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ ngx_log_debug2(NGX_LOG_DEBUG_SSL, c->log, 0, - "SSL subjectAltName: \"%*s\"", - ASN1_STRING_length(str), ASN1_STRING_data(str)); - - if (ngx_ssl_check_name(name, str) == NGX_OK) { -- ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ ngx_log_debug0(NGX_LOG_DEBUG_SSL, c->log, 0, - "SSL subjectAltName: match"); - GENERAL_NAMES_free(altnames); - goto found; - } - } - -- ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ ngx_log_debug0(NGX_LOG_DEBUG_SSL, c->log, 0, - "SSL subjectAltName: no match"); - - GENERAL_NAMES_free(altnames); -@@ -4136,18 +4308,18 @@ ngx_ssl_check_host(ngx_connection_t *c, ngx_str_t *name) - entry = X509_NAME_get_entry(sname, i); - str = X509_NAME_ENTRY_get_data(entry); - -- ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ ngx_log_debug2(NGX_LOG_DEBUG_SSL, c->log, 0, - "SSL commonName: \"%*s\"", - ASN1_STRING_length(str), ASN1_STRING_data(str)); - - if (ngx_ssl_check_name(name, str) == NGX_OK) { -- ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ ngx_log_debug0(NGX_LOG_DEBUG_SSL, c->log, 0, - "SSL commonName: match"); - goto found; - } - } - -- ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ ngx_log_debug0(NGX_LOG_DEBUG_SSL, c->log, 0, - "SSL commonName: no match"); - } - #endif diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h -index 61da0c5d..ae1e2b0f 100644 +index 329760d093..233b7f20c8 100644 --- a/src/event/ngx_event_openssl.h +++ b/src/event/ngx_event_openssl.h -@@ -99,6 +99,9 @@ struct ngx_ssl_connection_s { - unsigned in_early:1; +@@ -106,6 +106,9 @@ struct ngx_ssl_connection_s { + unsigned in_ocsp:1; unsigned early_preread:1; unsigned write_blocked:1; +#if (NGX_SSL_SENDFILE) @@ -604,7 +251,7 @@ index 61da0c5d..ae1e2b0f 100644 }; -@@ -270,6 +273,10 @@ ssize_t ngx_ssl_write(ngx_connection_t *c, u_char *data, size_t size); +@@ -289,6 +292,10 @@ ssize_t ngx_ssl_write(ngx_connection_t *c, u_char *data, size_t size); ssize_t ngx_ssl_recv_chain(ngx_connection_t *c, ngx_chain_t *cl, off_t limit); ngx_chain_t *ngx_ssl_send_chain(ngx_connection_t *c, ngx_chain_t *in, off_t limit); @@ -616,10 +263,10 @@ index 61da0c5d..ae1e2b0f 100644 ngx_int_t ngx_ssl_shutdown(ngx_connection_t *c); void ngx_cdecl ngx_ssl_error(ngx_uint_t level, ngx_log_t *log, ngx_err_t err, diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c -index 80c19656..8bc5c4b2 100644 +index 68d81e9320..e4a922a83a 100644 --- a/src/http/ngx_http_request.c +++ b/src/http/ngx_http_request.c -@@ -605,7 +605,10 @@ ngx_http_alloc_request(ngx_connection_t *c) +@@ -608,7 +608,10 @@ ngx_http_alloc_request(ngx_connection_t *c) #if (NGX_HTTP_SSL) if (c->ssl) { @@ -631,7 +278,7 @@ index 80c19656..8bc5c4b2 100644 } #endif -@@ -741,8 +744,13 @@ ngx_http_ssl_handshake(ngx_event_t *rev) +@@ -747,8 +750,13 @@ ngx_http_ssl_handshake(ngx_event_t *rev) sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module); @@ -648,10 +295,10 @@ index 80c19656..8bc5c4b2 100644 ngx_http_close_connection(c); return; diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c -index a7391d09..d6a8fce4 100644 +index 9cbb5a3b0c..f93f2ae244 100644 --- a/src/http/ngx_http_upstream.c +++ b/src/http/ngx_http_upstream.c -@@ -1721,6 +1721,11 @@ ngx_http_upstream_ssl_init_connection(ngx_http_request_t *r, +@@ -1715,6 +1715,11 @@ ngx_http_upstream_ssl_init_connection(ngx_http_request_t *r, return; }