Date: Fri, 23 Apr 2021 15:24:09 +0000 From: "Sergey A. Osokin" <osa@freebsd.org> To: Jochen Neumeister <joneum@freebsd.org> Cc: ports-committers@freebsd.org, dev-commits-ports-all@freebsd.org, dev-commits-ports-main@freebsd.org Subject: Re: git: 290fb053aba2 - main - Refresh the kernel TLS patch. Message-ID: <YILmmdzXtkCVjoV1@FreeBSD.org> In-Reply-To: <202104231447.13NElmd1093427@gitrepo.freebsd.org> References: <202104231447.13NElmd1093427@gitrepo.freebsd.org>
--AAOvXnivZPAxdosV Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Thank you, Jochen. On Fri, Apr 23, 2021 at 02:47:48PM +0000, Jochen Neumeister wrote: > The branch main has been updated by joneum: >=20 > URL: https://cgit.FreeBSD.org/ports/commit/?id=3D290fb053aba28c7b6e53a09a= 45bd053d2bf33894 >=20 > commit 290fb053aba28c7b6e53a09a45bd053d2bf33894 > Author: Jochen Neumeister <joneum@FreeBSD.org> > AuthorDate: 2021-04-23 14:37:10 +0000 > Commit: Jochen Neumeister <joneum@FreeBSD.org> > CommitDate: 2021-04-23 14:38:13 +0000 >=20 > Refresh the kernel TLS patch. > =20 > This functionality is available with the following prerequisites: > o) security/openssl built from ports with the kTLS options defined; > o) FreeBSD 13. > =20 > Obtained from: www/nginx-devel > Sponsored by: Netzkommune GmbH > --- > www/nginx/Makefile | 6 +- > www/nginx/files/extra-patch-ktls | 469 +++++----------------------------= ------ > 2 files changed, 59 insertions(+), 416 deletions(-) >=20 > diff --git a/www/nginx/Makefile b/www/nginx/Makefile > index 9c997e7b90a0..c664aeb3565c 100644 > --- a/www/nginx/Makefile > +++ b/www/nginx/Makefile > @@ -2,7 +2,7 @@ > =20 > PORTNAME=3D nginx > PORTVERSION=3D 1.20.0 > -PORTREVISION?=3D 0 > +PORTREVISION?=3D 1 > PORTEPOCH=3D 2 > CATEGORIES=3D www > MASTER_SITES=3D https://nginx.org/download/ \ > @@ -227,10 +227,6 @@ IGNORE=3D requires at least HTTP or MAIL to \ > PKGNAMESUFFIX:=3D ${PKGNAMESUFFIX}-nopcre > .endif > =20 > -.if ${PORT_OPTIONS:MKTLS} > -CFLAGS+=3D -DNGX_SSL_SENDFILE > -.endif > - > .if ${PORT_OPTIONS:MPASSENGER} && empty(PORT_OPTIONS:MDEBUG) > CONFIGURE_ENV+=3D OPTIMIZE=3D"yes" > CFLAGS+=3D -DNDEBUG > diff --git a/www/nginx/files/extra-patch-ktls b/www/nginx/files/extra-pat= ch-ktls > index c26f2f8d8b84..52c40f53933c 100644 > --- a/www/nginx/files/extra-patch-ktls > +++ b/www/nginx/files/extra-patch-ktls 
> @@ -1,17 +1,39 @@ > -diff --git a/src/core/ngx_log.h b/src/core/ngx_log.h > -index afb73bf7..4c6e9c2c 100644 > ---- a/src/core/ngx_log.h > -+++ b/src/core/ngx_log.h > -@@ -30,6 +30,7 @@ > - #define NGX_LOG_DEBUG_HTTP 0x100 > - #define NGX_LOG_DEBUG_MAIL 0x200 > - #define NGX_LOG_DEBUG_STREAM 0x400 > -+#define NGX_LOG_DEBUG_SSL 0x800 > +From 11ad5d15c487ecc0a37f9747bb4bfa5bb96893c1 Mon Sep 17 00:00:00 2001 > +From: John Baldwin <jhb@FreeBSD.org> > +Date: Thu, 22 Aug 2019 12:18:32 -0700 > +Subject: [PATCH] Add support for using SSL_sendfile from OpenSSL. > + > +This uses kernel TLS on systems supported by OpenSSL to send > +files via sendfile() over TLS connections. > +--- > + auto/lib/openssl/conf | 8 ++ > + src/event/ngx_event_openssl.c | 172 ++++++++++++++++++++++++++++++++++ > + src/event/ngx_event_openssl.h | 7 ++ > + src/http/ngx_http_request.c | 14 ++- > + src/http/ngx_http_upstream.c | 5 + > + 5 files changed, 203 insertions(+), 3 deletions(-) > + > +diff --git a/auto/lib/openssl/conf b/auto/lib/openssl/conf > +index 4fb52df7fe..c4772248ae 100644 > +--- a/auto/lib/openssl/conf > ++++ b/auto/lib/openssl/conf > +@@ -123,6 +123,14 @@ else > + CORE_INCS=3D"$CORE_INCS $ngx_feature_path" > + CORE_LIBS=3D"$CORE_LIBS $ngx_feature_libs" > + OPENSSL=3DYES > ++ > ++ ngx_feature=3D"SSL_sendfile()" > ++ ngx_feature_name=3D"NGX_SSL_SENDFILE" > ++ ngx_feature_run=3Dno > ++ ngx_feature_test=3D"SSL *ssl; > ++ (void)BIO_get_ktls_send(SSL_get_wbio(ssl)= ); > ++ SSL_sendfile(ssl, -1, 0, 0, 0);" > ++ . auto/feature > + fi > + fi > =20 > - /* > - * do not forget to update debug_levels[] in src/core/ngx_log.c > diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl= =2Ec > -index 7be4fb4c..dd147c42 100644 > +index 93a6ae46ea..04759827fc 100644 > --- a/src/event/ngx_event_openssl.c > +++ b/src/event/ngx_event_openssl.c > @@ -52,6 +52,10 @@ static void ngx_ssl_shutdown_handler(ngx_event_t *ev); 
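Review bot: The `SSL_sendfile()` probe added to auto/lib/openssl/conf is now the only thing that decides whether `NGX_SSL_SENDFILE` is defined, because the Makefile hunk drops `CFLAGS+= -DNGX_SSL_SENDFILE`, and nothing visible here reports a failed probe. With `ngx_feature_run=no` it is a compile/link check only, so a port built with the KTLS option against an OpenSSL that lacks `BIO_get_ktls_send()` would presumably configure cleanly and keep sending through `SSL_write()` without any indication. I would document that next to the probe, e.g. `# compile-only probe; if it fails NGX_SSL_SENDFILE stays undefined and TLS sendfile is compiled out`, and consider having the port verify the configure result when KTLS is selected. The surrounding `if … else … fi` block starts above the hunk.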
> @@ -25,34 +47,7 @@ index 7be4fb4c..dd147c42 100644 > =20 > static ngx_int_t ngx_ssl_session_id_context(ngx_ssl_t *ssl, > ngx_str_t *sess_ctx, ngx_array_t *certificates); > -@@ -1022,7 +1026,7 @@ ngx_ssl_verify_callback(int ok, X509_STORE_CTX *x5= 09_store) > - iname =3D X509_get_issuer_name(cert); > - issuer =3D iname ? X509_NAME_oneline(iname, NULL, 0) : "(none)"; > -=20 > -- ngx_log_debug5(NGX_LOG_DEBUG_EVENT, c->log, 0, > -+ ngx_log_debug5(NGX_LOG_DEBUG_SSL, c->log, 0, > - "verify:%d, error:%d, depth:%d, " > - "subject:\"%s\", issuer:\"%s\"", > - ok, err, depth, subject, issuer); > -@@ -1055,7 +1059,7 @@ ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_co= nn, int where, int ret) > -=20 > - if (c->ssl->handshaked) { > - c->ssl->renegotiation =3D 1; > -- ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL renegot= iation"); > -+ ngx_log_debug0(NGX_LOG_DEBUG_SSL, c->log, 0, "SSL renegotia= tion"); > - } > - } > -=20 > -@@ -1616,7 +1620,7 @@ ngx_ssl_handshake(ngx_connection_t *c) > -=20 > - n =3D SSL_do_handshake(c->ssl->connection); > -=20 > -- ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_do_handshake: %= d", n); > -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, "SSL_do_handshake: %d"= , n); > -=20 > - if (n =3D=3D 1) { > -=20 > -@@ -1637,7 +1641,11 @@ ngx_ssl_handshake(ngx_connection_t *c) > +@@ -1712,7 +1716,11 @@ ngx_ssl_handshake(ngx_connection_t *c) > c->recv =3D ngx_ssl_recv; > c->send =3D ngx_ssl_write; > c->recv_chain =3D ngx_ssl_recv_chain; 
> @@ -64,13 +59,13 @@ index 7be4fb4c..dd147c42 100644 > =20 > #ifndef SSL_OP_NO_RENEGOTIATION > #if OPENSSL_VERSION_NUMBER < 0x10100000L > -@@ -1652,12 +1660,19 @@ ngx_ssl_handshake(ngx_connection_t *c) > - #endif > - #endif > +@@ -1741,6 +1749,13 @@ ngx_ssl_handshake(ngx_connection_t *c) > +=20 > + c->ssl->handshaked =3D 1; > =20 > +#if (NGX_SSL_SENDFILE) > -+ c->ssl->can_use_sendfile =3D BIO_get_ktls_send(SSL_get_wbio(c->= ssl->connection)); > -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, > ++ c->ssl->can_use_sendfile =3D !!BIO_get_ktls_send(SSL_get_wbio(c= ->ssl->connection)); > ++ ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, > + "BIO_get_ktls_send: %d", c->ssl->can_use_sendfil= e); > + c->sendfile =3D c->ssl->can_use_sendfile ? 1 : 0; > +#endif 
> @@ -78,125 +73,7 @@ index 7be4fb4c..dd147c42 100644 > return NGX_OK; > } > =20 > - sslerr =3D SSL_get_error(c->ssl->connection, n); > -=20 > -- ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d",= sslerr); > -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, "SSL_get_error: %d", s= slerr); > -=20 > - if (sslerr =3D=3D SSL_ERROR_WANT_READ) { > - c->read->ready =3D 0; > -@@ -1728,7 +1743,7 @@ ngx_ssl_try_early_data(ngx_connection_t *c) > -=20 > - n =3D SSL_read_early_data(c->ssl->connection, &buf, 1, &readbytes); > -=20 > -- ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, > -+ ngx_log_debug2(NGX_LOG_DEBUG_SSL, c->log, 0, > - "SSL_read_early_data: %d, %uz", n, readbytes); > -=20 > - if (n =3D=3D SSL_READ_EARLY_DATA_FINISH) { > -@@ -1770,7 +1785,7 @@ ngx_ssl_try_early_data(ngx_connection_t *c) > -=20 > - sslerr =3D SSL_get_error(c->ssl->connection, n); > -=20 > -- ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d",= sslerr); > -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, "SSL_get_error: %d", s= slerr); > -=20 > - if (sslerr =3D=3D SSL_ERROR_WANT_READ) { > - c->read->ready =3D 0; > -@@ -1861,17 +1876,17 @@ ngx_ssl_handshake_log(ngx_connection_t *c) > -=20 > - *d =3D '\0'; > -=20 > -- ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, > -+ ngx_log_debug2(NGX_LOG_DEBUG_SSL, c->log, 0, > - "SSL: %s, cipher: \"%s\"", > - SSL_get_version(c->ssl->connection), &buf[1]); > -=20 > - if (SSL_session_reused(c->ssl->connection)) { > -- ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, > -+ ngx_log_debug0(NGX_LOG_DEBUG_SSL, c->log, 0, > - "SSL reused session"); > - } > -=20 > - } else { > -- ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, > -+ ngx_log_debug0(NGX_LOG_DEBUG_SSL, c->log, 0, > - "SSL no shared ciphers"); > - } > - } > -@@ -1886,7 +1901,7 @@ ngx_ssl_handshake_handler(ngx_event_t *ev) > -=20 > - c =3D ev->data; > -=20 > -- ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, > -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, > - "SSL handshake handler: 
%d", ev->write); > -=20 > - if (ev->timedout) { > -@@ -1996,7 +2011,7 @@ ngx_ssl_recv(ngx_connection_t *c, u_char *buf, siz= e_t size) > -=20 > - n =3D SSL_read(c->ssl->connection, buf, size); > -=20 > -- ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_read: %d", = n); > -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, "SSL_read: %d", n); > -=20 > - if (n > 0) { > - bytes +=3D n; > -@@ -2100,7 +2115,7 @@ ngx_ssl_recv_early(ngx_connection_t *c, u_char *bu= f, size_t size) > -=20 > - n =3D SSL_read_early_data(c->ssl->connection, buf, size, &readb= ytes); > -=20 > -- ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, > -+ ngx_log_debug2(NGX_LOG_DEBUG_SSL, c->log, 0, > - "SSL_read_early_data: %d, %uz", n, readbytes); > -=20 > - if (n =3D=3D SSL_READ_EARLY_DATA_SUCCESS) { > -@@ -2220,7 +2235,7 @@ ngx_ssl_handle_recv(ngx_connection_t *c, int n) > -=20 > - err =3D (sslerr =3D=3D SSL_ERROR_SYSCALL) ? ngx_errno : 0; > -=20 > -- ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d",= sslerr); > -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, "SSL_get_error: %d", s= slerr); > -=20 > - if (sslerr =3D=3D SSL_ERROR_WANT_READ) { > -=20 > -@@ -2243,7 +2258,7 @@ ngx_ssl_handle_recv(ngx_connection_t *c, int n) > -=20 > - if (sslerr =3D=3D SSL_ERROR_WANT_WRITE) { > -=20 > -- ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, > -+ ngx_log_debug0(NGX_LOG_DEBUG_SSL, c->log, 0, > - "SSL_read: want write"); > -=20 > - c->write->ready =3D 0; > -@@ -2268,7 +2283,7 @@ ngx_ssl_handle_recv(ngx_connection_t *c, int n) > - c->ssl->no_send_shutdown =3D 1; > -=20 > - if (sslerr =3D=3D SSL_ERROR_ZERO_RETURN || ERR_peek_error() =3D=3D = 0) { > -- ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, > -+ ngx_log_debug0(NGX_LOG_DEBUG_SSL, c->log, 0, > - "peer shutdown SSL cleanly"); > - return NGX_DONE; > - } > -@@ -2286,7 +2301,7 @@ ngx_ssl_write_handler(ngx_event_t *wev) > -=20 > - c =3D wev->data; > -=20 > -- ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL write handler"); > -+ 
ngx_log_debug0(NGX_LOG_DEBUG_SSL, c->log, 0, "SSL write handler"); > -=20 > - c->read->handler(c->read); > - } > -@@ -2390,7 +2405,7 @@ ngx_ssl_send_chain(ngx_connection_t *c, ngx_chain_= t *in, off_t limit) > - size =3D (ssize_t) (limit - send); > - } > -=20 > -- ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, > -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, > - "SSL buf copy: %z", size); > -=20 > - ngx_memcpy(buf->last, in->buf->pos, size); > -@@ -2454,6 +2469,163 @@ ngx_ssl_send_chain(ngx_connection_t *c, ngx_chai= n_t *in, off_t limit) > +@@ -2609,6 +2624,163 @@ ngx_ssl_send_chain(ngx_connection_t *c, ngx_chai= n_t *in, off_t limit) > return in; > } > =20 > @@ -209,7 +86,7 @@ index 7be4fb4c..dd147c42 100644 > + > + can_use_sendfile =3D BIO_get_ktls_send(SSL_get_wbio(c->ssl->connect= ion)); > + > -+ ngx_log_debug5(NGX_LOG_DEBUG_SSL, c->log, 0, > ++ ngx_log_debug5(NGX_LOG_DEBUG_EVENT, c->log, 0, > + "Sending chain %p can_use_sendfile:%d c->sendfile:%d " \ > + "c->ssl->buffer:%d limit:%O", > + in, can_use_sendfile, c->sendfile, c->ssl->buffer, limit); > @@ -244,14 +121,14 @@ index 7be4fb4c..dd147c42 100644 > + > + n =3D ngx_ssl_sendfile(c, in->buf->file->fd, in->buf->file_= pos, > + sendfile_size, sendfile_flags); > -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, > ++ ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, > + "ngx_ssl_sendfile returns:%z", n); > + } else { > + n =3D ngx_ssl_write(c, in->buf->pos, in->buf->last - in->bu= f->pos); > -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, > ++ ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, > + "ngx_ssl_write returns:%z", n); > + } > -+ =20 > ++ > + if (n =3D=3D NGX_ERROR) { > + return NGX_CHAIN_ERROR; > + } 
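Review bot: In the `@@ -209,7 +86,7 @@` hunk, `can_use_sendfile = BIO_get_ktls_send(SSL_get_wbio(c->ssl->connection));` in ngx_ssl_send_chain() is left un-normalised, while this same commit changes the handshake-time assignment to `!!BIO_get_ktls_send(...)`. The local's declaration is outside the hunk, so whether a truncating conversion can happen here is not visible, but the two call sites should agree: either `can_use_sendfile = !!BIO_get_ktls_send(SSL_get_wbio(c->ssl->connection));` or reuse the cached `c->ssl->can_use_sendfile`. If the per-call query is deliberate, a one-line comment saying so would help, since the choice between the `ngx_ssl_sendfile()` and `ngx_ssl_write()` branches further down presumably depends on this value. The function body starts and ends outside the hunk.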
> @@ -279,12 +156,12 @@ index 7be4fb4c..dd147c42 100644 > + > + ngx_ssl_clear_error(c->log); > + > -+ ngx_log_debug3(NGX_LOG_DEBUG_SSL, c->log, 0, > ++ ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0, > + "SSL to sendfile: %uz at %O with %Xd", size, off, flags); > + > + n =3D SSL_sendfile(c->ssl->connection, fd, off, size, flags); > + > -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, "SSL_sendfile: %d", n); > ++ ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_sendfile: %d", = n); > + > + if (n > 0) { > + > @@ -310,14 +187,14 @@ index 7be4fb4c..dd147c42 100644 > + > +#ifdef __FreeBSD__ > + if (sslerr =3D=3D SSL_ERROR_WANT_WRITE && ngx_errno =3D=3D EBUSY) { > -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, "bioerr=3DNGX_EBUSY= , sslerr=3D%d", sslerr); > ++ ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "bioerr=3DNGX_EBU= SY, sslerr=3D%d", sslerr); > + return NGX_BUSY; > + } > +#endif > + > + err =3D (sslerr =3D=3D SSL_ERROR_SYSCALL) ? ngx_errno : 0; > + > -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, "SSL_get_error: %d", s= slerr); > ++ ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d",= sslerr); > + > + if (sslerr =3D=3D SSL_ERROR_WANT_WRITE) { > + c->write->ready =3D 0; 
> @@ -360,242 +237,12 @@ index 7be4fb4c..dd147c42 100644 > =20 > ssize_t > ngx_ssl_write(ngx_connection_t *c, u_char *data, size_t size) > -@@ -2469,11 +2641,11 @@ ngx_ssl_write(ngx_connection_t *c, u_char *data,= size_t size) > -=20 > - ngx_ssl_clear_error(c->log); > -=20 > -- ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL to write: %uz",= size); > -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, "SSL to write: %uz", s= ize); > -=20 > - n =3D SSL_write(c->ssl->connection, data, size); > -=20 > -- ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_write: %d", n); > -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, "SSL_write: %d", n); > -=20 > - if (n > 0) { > -=20 > -@@ -2499,7 +2671,7 @@ ngx_ssl_write(ngx_connection_t *c, u_char *data, s= ize_t size) > -=20 > - err =3D (sslerr =3D=3D SSL_ERROR_SYSCALL) ? ngx_errno : 0; > -=20 > -- ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d",= sslerr); > -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, "SSL_get_error: %d", s= slerr); > -=20 > - if (sslerr =3D=3D SSL_ERROR_WANT_WRITE) { > -=20 > -@@ -2522,7 +2694,7 @@ ngx_ssl_write(ngx_connection_t *c, u_char *data, s= ize_t size) > -=20 > - if (sslerr =3D=3D SSL_ERROR_WANT_READ) { > -=20 > -- ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, > -+ ngx_log_debug0(NGX_LOG_DEBUG_SSL, c->log, 0, > - "SSL_write: want read"); > -=20 > - c->read->ready =3D 0; > -@@ -2565,13 +2737,13 @@ ngx_ssl_write_early(ngx_connection_t *c, u_char = *data, size_t size) > -=20 > - ngx_ssl_clear_error(c->log); > -=20 > -- ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL to write: %uz",= size); > -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, "SSL to write: %uz", s= ize); > -=20 > - written =3D 0; > -=20 > - n =3D SSL_write_early_data(c->ssl->connection, data, size, &written= ); > -=20 > -- ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, > -+ ngx_log_debug2(NGX_LOG_DEBUG_SSL, c->log, 0, > - "SSL_write_early_data: %d, %uz", n, written); > -=20 > - if (n > 0) { > -@@ -2603,11 
+2775,11 @@ ngx_ssl_write_early(ngx_connection_t *c, u_char = *data, size_t size) > -=20 > - err =3D (sslerr =3D=3D SSL_ERROR_SYSCALL) ? ngx_errno : 0; > -=20 > -- ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d",= sslerr); > -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, "SSL_get_error: %d", s= slerr); > -=20 > - if (sslerr =3D=3D SSL_ERROR_WANT_WRITE) { > -=20 > -- ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, > -+ ngx_log_debug0(NGX_LOG_DEBUG_SSL, c->log, 0, > - "SSL_write_early_data: want write"); > -=20 > - if (c->ssl->saved_read_handler) { > -@@ -2637,7 +2809,7 @@ ngx_ssl_write_early(ngx_connection_t *c, u_char *d= ata, size_t size) > -=20 > - if (sslerr =3D=3D SSL_ERROR_WANT_READ) { > -=20 > -- ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, > -+ ngx_log_debug0(NGX_LOG_DEBUG_SSL, c->log, 0, > - "SSL_write_early_data: want read"); > -=20 > - c->read->ready =3D 0; > -@@ -2678,7 +2850,7 @@ ngx_ssl_read_handler(ngx_event_t *rev) > -=20 > - c =3D rev->data; > -=20 > -- ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL read handler"); > -+ ngx_log_debug0(NGX_LOG_DEBUG_SSL, c->log, 0, "SSL read handler"); > -=20 > - c->write->handler(c->write); > - } > -@@ -2740,7 +2912,7 @@ ngx_ssl_shutdown(ngx_connection_t *c) > -=20 > - n =3D SSL_shutdown(c->ssl->connection); > -=20 > -- ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_shutdown: %d", = n); > -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, "SSL_shutdown: %d", n); > -=20 > - sslerr =3D 0; > -=20 > -@@ -2749,7 +2921,7 @@ ngx_ssl_shutdown(ngx_connection_t *c) > - if (n !=3D 1 && ERR_peek_error()) { > - sslerr =3D SSL_get_error(c->ssl->connection, n); > -=20 > -- ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, > -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, > - "SSL_get_error: %d", sslerr); > - } > -=20 > -@@ -2803,7 +2975,7 @@ ngx_ssl_shutdown_handler(ngx_event_t *ev) > - c->timedout =3D 1; > - } > -=20 > -- ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ev->log, 0, "SSL shutdown handl= er"); > -+ 
ngx_log_debug0(NGX_LOG_DEBUG_SSL, ev->log, 0, "SSL shutdown handler= "); > -=20 > - if (ngx_ssl_shutdown(c) =3D=3D NGX_AGAIN) { > - return; > -@@ -3404,7 +3576,7 @@ ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn, ngx_= ssl_session_t *sess) > -=20 > - hash =3D ngx_crc32_short(session_id, session_id_length); > -=20 > -- ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0, > -+ ngx_log_debug3(NGX_LOG_DEBUG_SSL, c->log, 0, > - "ssl new session: %08XD:%ud:%d", > - hash, session_id_length, len); > -=20 > -@@ -3471,7 +3643,7 @@ ngx_ssl_get_cached_session(ngx_ssl_conn_t *ssl_con= n, > -=20 > - c =3D ngx_ssl_get_connection(ssl_conn); > -=20 > -- ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, > -+ ngx_log_debug2(NGX_LOG_DEBUG_SSL, c->log, 0, > - "ssl get session: %08XD:%d", hash, len); > -=20 > - shm_zone =3D SSL_CTX_get_ex_data(c->ssl->session_ctx, > -@@ -3591,7 +3763,7 @@ ngx_ssl_remove_session(SSL_CTX *ssl, ngx_ssl_sessi= on_t *sess) > -=20 > - hash =3D ngx_crc32_short(id, len); > -=20 > -- ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ngx_cycle->log, 0, > -+ ngx_log_debug2(NGX_LOG_DEBUG_SSL, ngx_cycle->log, 0, > - "ssl remove session: %08XD:%ud", hash, len); > -=20 > - shpool =3D (ngx_slab_pool_t *) shm_zone->shm.addr; > -@@ -3669,7 +3841,7 @@ ngx_ssl_expire_sessions(ngx_ssl_session_cache_t *c= ache, > -=20 > - ngx_queue_remove(q); > -=20 > -- ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ngx_cycle->log, 0, > -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, ngx_cycle->log, 0, > - "expire session: %08Xi", sess_id->node.key); > -=20 > - ngx_rbtree_delete(&cache->session_rbtree, &sess_id->node); > -@@ -3904,7 +4076,7 @@ ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t= *ssl_conn, > - if (enc =3D=3D 1) { > - /* encrypt session ticket */ > -=20 > -- ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0, > -+ ngx_log_debug3(NGX_LOG_DEBUG_SSL, c->log, 0, > - "ssl session ticket encrypt, key: \"%*s\" (%s se= ssion)", > - ngx_hex_dump(buf, key[0].name, 16) - buf, buf, > - SSL_session_reused(ssl_conn) ? 
"reused" : "new"); > -@@ -3951,7 +4123,7 @@ ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t= *ssl_conn, > - } > - } > -=20 > -- ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, > -+ ngx_log_debug2(NGX_LOG_DEBUG_SSL, c->log, 0, > - "ssl session ticket decrypt, key: \"%*s\" not fo= und", > - ngx_hex_dump(buf, name, 16) - buf, buf); > -=20 > -@@ -3959,7 +4131,7 @@ ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t= *ssl_conn, > -=20 > - found: > -=20 > -- ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0, > -+ ngx_log_debug3(NGX_LOG_DEBUG_SSL, c->log, 0, > - "ssl session ticket decrypt, key: \"%*s\"%s", > - ngx_hex_dump(buf, key[i].name, 16) - buf, buf, > - (i =3D=3D 0) ? " (default)" : ""); > -@@ -4056,12 +4228,12 @@ ngx_ssl_check_host(ngx_connection_t *c, ngx_str_= t *name) > - } > -=20 > - if (X509_check_host(cert, (char *) name->data, name->len, 0, NULL) = !=3D 1) { > -- ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, > -+ ngx_log_debug0(NGX_LOG_DEBUG_SSL, c->log, 0, > - "X509_check_host(): no match"); > - goto failed; > - } > -=20 > -- ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, > -+ ngx_log_debug0(NGX_LOG_DEBUG_SSL, c->log, 0, > - "X509_check_host(): match"); > -=20 > - goto found; > -@@ -4094,19 +4266,19 @@ ngx_ssl_check_host(ngx_connection_t *c, ngx_str_= t *name) > -=20 > - str =3D altname->d.dNSName; > -=20 > -- ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, > -+ ngx_log_debug2(NGX_LOG_DEBUG_SSL, c->log, 0, > - "SSL subjectAltName: \"%*s\"", > - ASN1_STRING_length(str), ASN1_STRING_data(st= r)); > -=20 > - if (ngx_ssl_check_name(name, str) =3D=3D NGX_OK) { > -- ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, > -+ ngx_log_debug0(NGX_LOG_DEBUG_SSL, c->log, 0, > - "SSL subjectAltName: match"); > - GENERAL_NAMES_free(altnames); > - goto found; > - } > - } > -=20 > -- ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, > -+ ngx_log_debug0(NGX_LOG_DEBUG_SSL, c->log, 0, > - "SSL subjectAltName: no match"); > -=20 > - GENERAL_NAMES_free(altnames); > -@@ -4136,18 +4308,18 
@@ ngx_ssl_check_host(ngx_connection_t *c, ngx_str_= t *name) > - entry =3D X509_NAME_get_entry(sname, i); > - str =3D X509_NAME_ENTRY_get_data(entry); > -=20 > -- ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, > -+ ngx_log_debug2(NGX_LOG_DEBUG_SSL, c->log, 0, > - "SSL commonName: \"%*s\"", > - ASN1_STRING_length(str), ASN1_STRING_data(str)); > -=20 > - if (ngx_ssl_check_name(name, str) =3D=3D NGX_OK) { > -- ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, > -+ ngx_log_debug0(NGX_LOG_DEBUG_SSL, c->log, 0, > - "SSL commonName: match"); > - goto found; > - } > - } > -=20 > -- ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, > -+ ngx_log_debug0(NGX_LOG_DEBUG_SSL, c->log, 0, > - "SSL commonName: no match"); > - } > - #endif > diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl= =2Eh > -index 61da0c5d..ae1e2b0f 100644 > +index 329760d093..233b7f20c8 100644 > --- a/src/event/ngx_event_openssl.h > +++ b/src/event/ngx_event_openssl.h > -@@ -99,6 +99,9 @@ struct ngx_ssl_connection_s { > - unsigned in_early:1; > +@@ -106,6 +106,9 @@ struct ngx_ssl_connection_s { > + unsigned in_ocsp:1; > unsigned early_preread:1; > unsigned write_blocked:1; > +#if (NGX_SSL_SENDFILE) > @@ -604,7 +251,7 @@ index 61da0c5d..ae1e2b0f 100644 > }; > =20 > =20 > -@@ -270,6 +273,10 @@ ssize_t ngx_ssl_write(ngx_connection_t *c, u_char *= data, size_t size); > +@@ -289,6 +292,10 @@ ssize_t ngx_ssl_write(ngx_connection_t *c, u_char *= data, size_t size); > ssize_t ngx_ssl_recv_chain(ngx_connection_t *c, ngx_chain_t *cl, off_t = limit); > ngx_chain_t *ngx_ssl_send_chain(ngx_connection_t *c, ngx_chain_t *in, > off_t limit); > @@ -616,10 +263,10 @@ index 61da0c5d..ae1e2b0f 100644 > ngx_int_t ngx_ssl_shutdown(ngx_connection_t *c); > void ngx_cdecl ngx_ssl_error(ngx_uint_t level, ngx_log_t *log, ngx_err_= t err, > diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c > -index 80c19656..8bc5c4b2 100644 > +index 68d81e9320..e4a922a83a 100644 > --- a/src/http/ngx_http_request.c 
> +++ b/src/http/ngx_http_request.c > -@@ -605,7 +605,10 @@ ngx_http_alloc_request(ngx_connection_t *c) > +@@ -608,7 +608,10 @@ ngx_http_alloc_request(ngx_connection_t *c) > =20 > #if (NGX_HTTP_SSL) > if (c->ssl) { > @@ -631,7 +278,7 @@ index 80c19656..8bc5c4b2 100644 > } > #endif > =20 > -@@ -741,8 +744,13 @@ ngx_http_ssl_handshake(ngx_event_t *rev) > +@@ -747,8 +750,13 @@ ngx_http_ssl_handshake(ngx_event_t *rev) > sscf =3D ngx_http_get_module_srv_conf(hc->conf_ctx, > ngx_http_ssl_module); > =20 > @@ -648,10 +295,10 @@ index 80c19656..8bc5c4b2 100644 > ngx_http_close_connection(c); > return; > diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c > -index a7391d09..d6a8fce4 100644 > +index 9cbb5a3b0c..f93f2ae244 100644 > --- a/src/http/ngx_http_upstream.c > +++ b/src/http/ngx_http_upstream.c > -@@ -1721,6 +1721,11 @@ ngx_http_upstream_ssl_init_connection(ngx_http_re= quest_t *r, > +@@ -1715,6 +1715,11 @@ ngx_http_upstream_ssl_init_connection(ngx_http_re= quest_t *r, > return; > } > =20 --AAOvXnivZPAxdosV Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQITBAEBCgB9FiEEZTMJYdHlAQrZCsSmOBlAga+KbzQFAmCC5pBfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDY1 MzMwOTYxRDFFNTAxMEFEOTBBQzRBNjM4MTk0MDgxQUY4QTZGMzQACgkQOBlAga+K bzTbSgwApbcWM6HkPs9tYOgYkHlHHZ+SYKaoYIcu/RidUiWEVWRRNvJpkV9Ee0cs 2WuMsS/BFOhrrj6kf3uUE2S0akFceQrMutMmOLb0/SnJOPvZxYTx6eTbtBol7n4Z e80mb6HbGX6sfQvolJJznsiGp8+Jfj6j5K5UCeqLNgqAGeCwAwwtcssFfsTyZXfb UMv2fRa18Rj7v8YR4cdcGTR2A694TiW9RQqWuQ/0lBnX5jqBlp25/YcYG65kPbd+ l1QOLtCUotAH1AzMc4tG+TQtomkK8EWBKRbTk7+HMB34/kO8VOp0ODFrWT/55KKf /uk/KEpdx+xr70o87Lkgv7rr4tkXtA4pgjoOqcvqVbNqjmiN9IMAtGlKpAcQt8tD 96/39/hLa+0A9yKOgpmW4vBep3lBrCOCjhKRa0kdMwOe6P1W2In57vBlqGT4YZaD meB86kIm9QXAhmiF3TlFqNGRosl//4fu8B1eNl2z7GWuaFO8RMCReEs9QgN4cU+o v1ZRR71i =F+7B -----END PGP SIGNATURE----- --AAOvXnivZPAxdosV--