Commit Graph

48 Commits

Author SHA1 Message Date
Tatsuhiro Tsujikawa feabd6f739 nghttpx: Delete unused delete_bio_method 2017-03-15 23:37:39 +09:00
Tatsuhiro Tsujikawa 1ea590c364 nghttpx: Return new BIO_METHOD object with OpenSSL < 1.1.0 2017-03-15 23:36:38 +09:00
Tatsuhiro Tsujikawa 9cc223d419 nghttpx: Use constexpr 2017-03-15 23:12:50 +09:00
Tatsuhiro Tsujikawa 3e0e3f5459 src: Fix typo 2017-03-10 23:10:13 +09:00
Tatsuhiro Tsujikawa e5b84fad09 nghttpx: Fix bug that old config is used during reloading config 2017-02-16 22:46:22 +09:00
Tatsuhiro Tsujikawa 6a8749873f nghttpx: Add detailed TLS connection logging 2017-01-09 23:32:35 +09:00
Tatsuhiro Tsujikawa 3c03024881 nghttpx: Add client-no-http2-cipher-black-list option
This commit adds client-no-http2-cipher-black-list option to disable
enforcement of HTTP/2 cipher black list on backend HTTP/2 connection.
Previously, existing no-http2-cipher-black-list option disables it for
both frontend and backend connections.  Now no-http2-cipher-black-list
option only disables it for frontend connection.
2017-01-08 22:33:19 +09:00
Tatsuhiro Tsujikawa 3933280d29 src: Fix assertion error with boringssl
boringssl says:

/* It is an error to clear any bits that have already been set. (We can't try
 * to get a second close_notify or send two.) */
assert((SSL_get_shutdown(ssl) & mode) == SSL_get_shutdown(ssl));
2017-01-02 11:48:38 +09:00
Tatsuhiro Tsujikawa e9ab75a386 nghttpx: Robust backend read timeout 2016-11-26 19:45:23 +09:00
Tatsuhiro Tsujikawa 0cf6848646 clang-format-3.9 2016-10-15 18:36:04 +09:00
Tatsuhiro Tsujikawa a3a6b91c5f src: Rename OPENSSL_101_API macro as OPENSSL_1_1_API 2016-09-11 00:38:20 +09:00
Tatsuhiro Tsujikawa 9aa26970be nghttpx: Comment out TCP logging since it is too verbose 2016-09-10 16:49:15 +09:00
Tatsuhiro Tsujikawa 27b250ac8e nghttpx: Add experimental TCP optimization for h2 frontend 2016-09-10 16:27:48 +09:00
Tatsuhiro Tsujikawa ded576f423 nghttpx: Fix bug that bytes are doubly counted for TLS connections 2016-09-04 17:28:50 +09:00
Tatsuhiro Tsujikawa f68dc02d6b nghttpx: Remove unused private field from Connection object 2016-05-28 22:46:56 +09:00
Tatsuhiro Tsujikawa 6d22898936 src: Compile with OpenSSL 1.1.0-pre5
* don't use CRYPTO_LOCK stuff (they are sorted out by openssl, and no
  application intervention is required, just like boringSSL)
* don't use OPENSSL_config
* use provided API to access BIO member
2016-05-07 16:18:58 +09:00
Tatsuhiro Tsujikawa 4aa4fe56e1 nghttpx: Destroy SSL object, and always lookup TLS session cache 2016-04-28 22:25:55 +09:00
Tatsuhiro Tsujikawa 0875e66aab src: Remove streq(const char *) overload 2016-03-25 00:02:07 +09:00
Tatsuhiro Tsujikawa 1832f78684 nghttpx: Move downstream proto to DownstreamAddrGroup 2016-02-28 16:56:14 +09:00
Tatsuhiro Tsujikawa 8741503db1 nghttpx: Add --no-http2-cipher-black-list to allow black listed cipher suite 2016-02-06 17:05:14 +09:00
Tatsuhiro Tsujikawa 85bb37ab7c Enable ConstructorInitializerAllOnOneLineOrOnePerLine for better diff 2016-01-27 21:14:07 +09:00
Tatsuhiro Tsujikawa 0402481be4 nghttpx: Organize connection related configuration into struct 2016-01-19 16:56:12 +09:00
Tatsuhiro Tsujikawa 0b2c139eaa clang-format-3.5 2015-10-25 17:04:54 +09:00
Lucas Pardue dcc9aaaa24 Add TLS dynamic record size behaviour command line options 2015-10-22 14:07:18 +00:00
Tatsuhiro Tsujikawa ed1e84fc0a nghttpx: Improve libssl error logging 2015-10-14 22:32:47 +09:00
Tatsuhiro Tsujikawa f0d2c9f94b Compile with BoringSSL
Compile with BoringSSL except for neverbleed and libnghttp2_asio.  The
former uses ENGINE and RSA_METHOD, and they are quite different
between OpenSSL and BoringSSL.  The latter uses boost::asio, which
calls OpenSSL functions deleted in BoringSSL.
2015-09-29 23:38:17 +09:00
Tatsuhiro Tsujikawa 4aaf111c58 nghttpx: Fix assertion failure on TLS handshake 2015-09-15 23:24:30 +09:00
Tatsuhiro Tsujikawa d70eb14ce0 nghttpx: Drop connection before TLS finish if h2 requirement is not fulfilled 2015-08-31 23:30:40 +09:00
Tatsuhiro Tsujikawa 473311269d nghttpx: Drop connection if client TLS handshake packet is too large 2015-08-13 01:24:59 +09:00
Tatsuhiro Tsujikawa e91a576179 nghttpx: Rewrite TLS async handshake using memchunk buffers 2015-08-13 00:42:59 +09:00
Tatsuhiro Tsujikawa f8c30d0229 nghttpx: Fix heap-use-after-free 2015-08-12 21:14:18 +09:00
Tatsuhiro Tsujikawa 020e66b9da nghttpx: Start read watcher after handshake 2015-08-11 23:14:48 +09:00
Tatsuhiro Tsujikawa d2a63a88a0 nghttpx: Fix stall if read buffer has app data when handshake finished 2015-08-11 22:37:15 +09:00
Tatsuhiro Tsujikawa 8410f684fb nghttpx: Drop connection if client hello is too large 2015-08-10 00:29:43 +09:00
Tatsuhiro Tsujikawa ff44e211ed nghttpx: Fix tls handshake bug
This fixes 2 things:
1. potential busy loop
2. disabling ticket is not working after resumption
2015-08-09 18:33:49 +09:00
Tatsuhiro Tsujikawa 6446660113 nghttpx: Make record size timeout more durable to high load situation 2015-07-29 20:57:11 +09:00
Tatsuhiro Tsujikawa d0a37d59a5 nghttpx: Disable TLS session ticket if ticket key is not available 2015-07-29 20:38:49 +09:00
Tatsuhiro Tsujikawa 1708d2e69e nghttpx: Add doc 2015-07-27 02:14:52 +09:00
Tatsuhiro Tsujikawa 90b4b48c7e nghttpx: Add shared session cache using memcached 2015-07-26 23:33:06 +09:00
Tatsuhiro Tsujikawa afbb99ecf7 nghttpx: Enable session resumption on HTTP/2 backend 2015-07-24 23:40:27 +09:00
Tatsuhiro Tsujikawa 0479f833fc Revert "nghttpx: Remove last write/read fields for TLS"
This reverts commit 585af93828.
2015-05-15 22:20:15 +09:00
Tatsuhiro Tsujikawa 38cfc5c47c Check more headers and funcs 2015-05-13 23:29:20 +09:00
Tatsuhiro Tsujikawa d42f31ca78 nghttpx: Fix bug that data buffered in SSL object are not read
This is same issue described in https://github.com/h2o/h2o/issues/268.
That is if SSL object has decrypted data buffered inside it, and
application does not read it for some reason (e.g., rate limit), we
have to check the existence of data using SSL_pending.  This is
because buffered data inside SSL is not notified by io watcher.  It is
obvious, but we totally missed it.

nghttpx code normally reads everything until SSL_read returns error
(want-read).  But if rate limit is involved, we stop reading early.
Also in HTTP/1 code, while processing one request, we just read until
buffer is filled up.  In these cases, we may suffer from this problem.

This commit fixes this problem, by performing SSL_pending() and if it
has buffered data and read io watcher is enabled, we feed event using
ev_feed_event().
2015-04-06 22:31:36 +09:00
Tatsuhiro Tsujikawa 585af93828 nghttpx: Remove last write/read fields for TLS
It seems that we don't care about this since we don't change buffer
pointer between would-block write/read and next write/read.  Somehow
we decided we need these fields.  As a precaution, we set
SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER in SSL_set_mode() for both server
and client contexts.
2015-03-10 00:11:11 +09:00
Tatsuhiro Tsujikawa c462093555 src: Use same convention for len parameter in TLS I/O with cleartext I/O 2015-02-11 23:22:53 +09:00
Tatsuhiro Tsujikawa 364772f508 src: Fix error reported by coverity scan 2015-02-11 23:20:13 +09:00
Tatsuhiro Tsujikawa 1216d7d912 nghttpx: Connection: Explicit assignment to double field 2015-02-05 21:26:55 +09:00
Tatsuhiro Tsujikawa b2fb888363 Share I/O code with all upstreams/downstream objects 2015-02-05 03:05:34 +09:00