Commit Graph

101 Commits

Author SHA1 Message Date
Tatsuhiro Tsujikawa 301df2a856 src: Disable SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS 2015-06-22 23:26:45 +09:00
Tatsuhiro Tsujikawa 532bffdb01 nghttpx: Minimize critical section for shared ocsp response 2015-06-12 21:27:12 +09:00
Tatsuhiro Tsujikawa 34efc6b7a4 More constexpr 2015-05-29 22:36:05 +09:00
Tatsuhiro Tsujikawa 0479f833fc Revert "nghttpx: Remove last write/read fields for TLS"
This reverts commit 585af93828.
2015-05-15 22:20:15 +09:00
Tatsuhiro Tsujikawa 38cfc5c47c Check more headers and funcs 2015-05-13 23:29:20 +09:00
Tatsuhiro Tsujikawa d247470da2 nghttpx: Rewrite ocsp without thread
Since libev handles SIGCHLD, using waitpid in separate thread to wait
for the completion of fetch-ocsp-response script process is undefined.
This commit rewrite ocsp handling code so that it utilizes libev
ev_child watcher and perform ocsp update without thread.
2015-04-09 01:03:28 +09:00
Tatsuhiro Tsujikawa 4bc9afe20a nghttpx: Add OCSP stapling feature 2015-03-30 23:58:28 +09:00
Tatsuhiro Tsujikawa 585af93828 nghttpx: Remove last write/read fields for TLS
It seems that we don't care about this since we don't change buffer
pointer between would-block write/read and next write/read.  Somehow
we decided we need these fields.  As a precaution, we set
SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER in SSL_set_mode() for both server
and client contexts.
2015-03-10 00:11:11 +09:00
Tatsuhiro Tsujikawa ae0100a9ab nghttpx: Refactor worker interface 2015-02-11 22:49:03 +09:00
Tatsuhiro Tsujikawa b4b2ddad3b src: Rewrite defer function template 2015-02-06 23:27:15 +09:00
Tatsuhiro Tsujikawa 6ff67ae869 src: Move array_size to nghttp2 namespace 2015-02-06 22:44:09 +09:00
Tatsuhiro Tsujikawa b165775811 nghttpx: Refactor CertLookupTree 2015-02-06 21:25:43 +09:00
Tatsuhiro Tsujikawa b2fb888363 Share I/O code with all upstreams/downstream objects 2015-02-05 03:05:34 +09:00
Tatsuhiro Tsujikawa 4b58b25c19 nghttpx: Refactor code to build cert_tree, add SNI test 2015-01-25 15:36:14 +09:00
Tatsuhiro Tsujikawa 0f4b0966ef nghttpx: Merge all options settings in one SSL_CTX_set_options 2015-01-23 23:32:01 +09:00
Tatsuhiro Tsujikawa 1e4f8f27fd nghttpx: Add --tls-ctx-per-worker option
When same SSL_CTX is used by multiple thread simultaneously we have to
setup some number of mutex locks for it.  We could not check how this
locking affects scalability since we have 4 cores at best in our
development machine.  Good side of sharing SSL_CTX across threads is
we can share session ID pool.

If --tls-ctx-per-worker is enabled, SSL_CTX is created per thread
basis and we can eliminate mutex locks.  The downside is session ID is
no longer shared, which means if session ID generated by one thread
cannot be acceptable by another thread.  But we have now session
ticket enabled and its keys are shared by all threads.
2015-01-13 00:25:02 +09:00
Tatsuhiro Tsujikawa 0ea041e8cb nghttpx: Add doc and clean up 2015-01-12 22:47:30 +09:00
Tatsuhiro Tsujikawa 689e8c0ee3 nghttpx: Don't copy ticket_keys std::shared_ptr 2015-01-08 21:49:19 +09:00
Tatsuhiro Tsujikawa fcddb5c06c nghttpx: Distribute session ticket keys to workers without mutex 2015-01-08 21:15:45 +09:00
Tatsuhiro Tsujikawa 5d3544185c nghttpx: Fix crash in SSL_CTX_set_tlsext_ticket_key_cb
It seems that returning 0 when enc == 0 crashes OpenSSL.
2015-01-08 20:46:35 +09:00
Tatsuhiro Tsujikawa 5dce9501a6 Fix compile error with libstdc++ and/or --disable-threads 2015-01-08 01:57:59 +09:00
Tatsuhiro Tsujikawa 08e8cc1915 nghttpx: Add --tls-ticket-key-file option
This option specifies files contains 48 random bytes to construct
session ticket key data.  This option can be used repeatedly to
specify multiple keys, but only the first one is used to encrypt
tickets.
2015-01-08 01:26:30 +09:00
Tatsuhiro Tsujikawa 52f3572d5b nghttpx: Enable TLS session tickets with session key rotation every 12hrs 2015-01-08 00:01:09 +09:00
Tatsuhiro Tsujikawa bfac015d61 src: Use libev for rest of the applications 2015-01-03 00:19:41 +09:00
Tatsuhiro Tsujikawa d695d2ccc0 nghttp, nghttpx, nghttpd, h2load: Support h2-16 in NPN/ALPN
The nghttp2 library itself is still h2-14.  To experiment with the
implementations to require h2-16 to test new features (e.g.,
prioritization), nghttp, nghttpx, nghttpd and h2load now support h2-16
as well as h2-14.  Cleartext HTTP Upgrade is still limited to h2-14
however.
2014-12-16 22:57:58 +09:00
Tatsuhiro Tsujikawa b607a22076 nghttpx: Support multiple HTTP/1 backend address
For HTTP/1 backend, -b option can be used several times to specify
multiple backend address.  HTTP/2 backend does not support multiple
addresses and only uses first address even if multiple addresses are
specified.
2014-12-06 19:30:27 +09:00
Tatsuhiro Tsujikawa b8dafbdf5e nghttpx: Pass NI_NUMERICSERV to getnameinfo to get numeric service name 2014-12-06 01:07:05 +09:00
Tatsuhiro Tsujikawa dcc7b23980 nghttpx: Remove cipher suite requirement
This makes the library h2-16 compatible now.
2014-11-30 22:52:34 +09:00
Tatsuhiro Tsujikawa b1f807abd1 Reformat lines with clang-format-3.5 2014-11-27 23:56:30 +09:00
Lucas Pardue 9cf1a0c77c Add features to logging, client and server port,
time_iso8601 and request_time.
2014-11-23 20:37:51 +00:00
Tatsuhiro Tsujikawa a2bc88f6db nghttpx: Check max length of ALPN field 2014-11-14 23:19:16 +09:00
Tatsuhiro Tsujikawa d98e9a63d0 src: Refactor code around ALPN setup 2014-11-14 23:14:39 +09:00
Tatsuhiro Tsujikawa ce71e65aee nghttpx: Replace WARNING with WARN for consistency 2014-11-08 10:51:56 +09:00
Lucas Pardue a067eb02a5 Add LOG_NOTICE level logging for application lifecycle events 2014-11-06 14:32:56 +00:00
Tatsuhiro Tsujikawa 03a2828fcf src: Disable SSL_MODE_ENABLE_PARTIAL_WRITE for apps which use libevent 2014-11-05 01:15:38 +09:00
Tatsuhiro Tsujikawa c6cfcc3c30 src: Disable insecure SSLv3 2014-10-22 23:14:07 +09:00
Tatsuhiro Tsujikawa 20de432725 nghttpx: Pool http downstream connection per thread 2014-10-13 21:09:00 +09:00
Tatsuhiro Tsujikawa e4751a798a Replace auto_delete* with defer 2014-09-16 23:39:38 +09:00
Tatsuhiro Tsujikawa 8890e593e6 src: Add util::array_size 2014-08-28 00:45:12 +09:00
Tatsuhiro Tsujikawa 0ce848a611 nghttpx: Rewrite logging system
This change rewrites logging system of nghttpx.  Previously access log
and error log are written to stderr or syslog and there was no option
to change stderr to something else.  With this change, file path of
access log and error log can be configured separately and logging to
regular file is now added.  To support rotating log, if SIGUSR1 signal
is received by nghttpx, it closes the current log files and reopen it
with the same name.  The format of access log is changed and has same
look of apache's.  But not all columns are not supported yet.
2014-07-05 18:43:24 +09:00
Tatsuhiro Tsujikawa a3334bb21c nghttpd: Use cipher suites recommended by Mozilla 2014-06-28 15:28:19 +09:00
Tatsuhiro Tsujikawa 479e15469c nghttpx: Add worker-frontend-connections option 2014-06-26 22:55:22 +09:00
Tatsuhiro Tsujikawa 2bfa772472 nghttpx: Update cipher suite list 2014-06-19 23:26:30 +09:00
Tatsuhiro Tsujikawa 87360b4f7d nghttpx: Require TLSv.12 for h2 2014-06-18 12:09:30 +09:00
Tatsuhiro Tsujikawa 041cec2d97 nghttpx: Check error from SSL_set_fd 2014-06-12 23:39:58 +09:00
Tatsuhiro Tsujikawa 21c4931197 nghttpx: Get rid of openssl filter
Libevent Openssl filter is very inconvenient in various respect.  The
most annoying thing is it somehow emits data when SSL_shutdown is
called.  The reason we introduced this filter solution is drop
connection if TLS renegotiation is detected.  This commit implements
renegotiation detection and drop connection without filtering.
2014-06-11 01:16:49 +09:00
Tatsuhiro Tsujikawa d6b5824c9c nghttpx: Don't check TLS requirement in ALPN cb cause cipher obj is nullptr
Also don't compare ALPN identifier with streq, since they are just
byte string.
2014-06-10 23:22:52 +09:00
Tatsuhiro Tsujikawa c204861dec nghttpx: Create NPN prefs only once 2014-06-10 23:22:23 +09:00
Tatsuhiro Tsujikawa 7b0ed5d9bd nghttpx: Only allow DHE, ECDHE + AEAD ciphers for HTTP/2
Cipher suites are chosen by DHE and ECDHE ciphers + GCM (AEAD).  Now
default cipher list is the one recommended by Mozilla web site.  The
--honor-cipher-order option is removed and now it is always assumed.
2014-06-10 22:47:22 +09:00
Tatsuhiro Tsujikawa 0fd5b2aa32 nghttpx: Use std::vector for tls_proto_list and npn_list
Now SSL/TLS option mask to disable particular SSL/TLS protocol
versions are pre-calculated and stored in Config.
2014-06-08 23:09:44 +09:00