Previously, the default minimum TLS version was TLSv1.1, but the
default cipher list didn't include any compatible ciphers with it.
This made the handshake fail if TLSv1.1 was negotiated because there
were no shared ciphers. To make the default settings consistent, the
default minimum TLS version is now TLSv1.2.

At least we should make sure that the OCSP response is targeted to the
expected certificate. This is important because we pass the file path
to the external script, and if the file is replaced because of
renewal, and nghttpx has not reloaded its configuration, the
certificate nghttpx has loaded and the one included in the file
differ. Verifying the OCSP response detects this, and avoids sending a
wrong OCSP response.

With the --ocsp-startup option, nghttpx starts accepting connections
after the initial attempts to get OCSP responses finish. It does not
matter if some of the attempts fail. This feature is useful if OCSP
responses must be available before accepting connections.

This commit adds wildcard path matching. If the path pattern given in
the backend option ends with "*", it is considered a wildcard path. "*"
must match at least one character. All paths which include the wildcard
path without the last "*" as a prefix, and are strictly longer than the
wildcard path without the last "*", are matched.

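The matching rule described above, as an added illustration (not nghttpx code): a pattern ending in "*" matches any path that has the pattern minus the "*" as a prefix and is strictly longer than that prefix, so the "*" consumes at least one character. The `select_backend` router, the "longest matching pattern wins" tie-break, the exact-match treatment of non-wildcard patterns and the `ROUTES` table are assumptions made for this example, not behaviour the commit message specifies.

```python
"""Wildcard path matching as described in the nghttpx commit message.

Added example; the routing table and tie-break rule are constructed
for illustration and are not taken from nghttpx.
"""


def wildcard_path_matches(pattern: str, path: str) -> bool:
    """Return True if `path` matches `pattern`.

    Wildcard rule: a pattern ending in "*" matches every path that starts
    with the pattern without its trailing "*" and is strictly longer than
    that prefix, i.e. the "*" must match at least one character.
    Assumption for this example: a pattern without "*" matches exactly.
    """
    if not pattern.endswith("*"):
        return pattern == path
    prefix = pattern[:-1]
    return path.startswith(prefix) and len(path) > len(prefix)


# Constructed routing table: (path pattern, backend name).
ROUTES = [
    ("/api/*", "api"),
    ("/api/v2/*", "api-v2"),
    ("/static*", "static"),
    ("/healthz", "health"),
]


def select_backend(routes, path: str):
    """Pick the backend for `path`.

    Assumption for this example: when several patterns match, the longest
    pattern wins, so "/api/v2/*" beats "/api/*" for "/api/v2/users".
    Returns None when nothing matches (e.g. "/api/" does not match
    "/api/*" because the "*" would match zero characters).
    """
    best = None
    for pattern, backend in routes:
        if wildcard_path_matches(pattern, path):
            if best is None or len(pattern) > len(best[0]):
                best = (pattern, backend)
    return None if best is None else best[1]


if __name__ == "__main__":
    for p in ["/api/", "/api/users", "/api/v2/users", "/static", "/statics", "/healthz"]:
        print(f"{p!r:20} -> {select_backend(ROUTES, p)}")
```

Note the two boundary cases the rule creates: "/api/" itself does not match "/api/*", and "/static*" matches "/statics" as well as "/static/css/app.css", because "*" is not stopped by a "/".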
With this commit, SSL_TLSEXT_ERR_NOACK is returned from
servername_callback, which removes the server_name extension from
ServerHello. CertLookupTree is now used even if the number of server
certificates is one. It is better to exercise it regularly.

Previously, for the Via, X-Forwarded-For, and X-Forwarded-Proto header
fields, nghttpx only forwarded the last header field of each. With
this commit, nghttpx forwards all of them if it is configured to do
so.

This commit adds 2 new options to handle the X-Forwarded-Proto header
field. The --no-add-x-forwarded-proto option makes nghttpx not append
the X-Forwarded-Proto value. The
--no-strip-incoming-x-forwarded-proto option prevents nghttpx from
stripping the header field from the client.
Previously, nghttpx always stripped the incoming header field, and set
its own header field. This commit preserves this behaviour, and adds
additional knobs.
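The two behaviours described in the last two entries (forwarding only the last occurrence of each forwarding field versus all of them, and the X-Forwarded-Proto strip/add knobs) modelled together in an added example. This is illustration code, not nghttpx's implementation: the `forward_all` switch, the `ForwardingConfig` field names and the sample request headers are constructed here. The defaults mirror what the commit messages call the previous behaviour, so a scheme claimed by the client in X-Forwarded-Proto is dropped and replaced with the scheme the proxy actually observed on the frontend.

```python
"""Model of reverse-proxy handling of Via / X-Forwarded-* header fields.

Added illustration; not nghttpx code.  Option names map to the commit
messages as follows (constructed field names):
  add_x_forwarded_proto            -> False when --no-add-x-forwarded-proto
  strip_incoming_x_forwarded_proto -> False when --no-strip-incoming-x-forwarded-proto
  forward_all                      -> assumed knob: forward every occurrence
                                      instead of only the last one
"""
from dataclasses import dataclass

FORWARDING_FIELDS = ("via", "x-forwarded-for", "x-forwarded-proto")


@dataclass
class ForwardingConfig:
    forward_all: bool = False
    add_x_forwarded_proto: bool = True
    strip_incoming_x_forwarded_proto: bool = True


def forward_headers(incoming, cfg: ForwardingConfig, frontend_scheme: str):
    """Return the (lower-cased name, value) list sent to the backend.

    incoming: list of (name, value) pairs as received from the client.
    frontend_scheme: "http" or "https", what the proxy itself observed.
    """
    # Index of the last occurrence of each forwarding field, used when only
    # the last one is forwarded (the pre-commit behaviour).
    last_index = {}
    for i, (name, _) in enumerate(incoming):
        lname = name.lower()
        if lname in FORWARDING_FIELDS:
            last_index[lname] = i

    outgoing = []
    for i, (name, value) in enumerate(incoming):
        lname = name.lower()
        # Client-supplied X-Forwarded-Proto is untrusted; stripped by default.
        if lname == "x-forwarded-proto" and cfg.strip_incoming_x_forwarded_proto:
            continue
        # Keep only the last occurrence unless configured to forward all.
        if lname in FORWARDING_FIELDS and not cfg.forward_all and last_index[lname] != i:
            continue
        outgoing.append((lname, value))

    # Proxy appends its own observation of the scheme unless disabled.
    if cfg.add_x_forwarded_proto:
        outgoing.append(("x-forwarded-proto", frontend_scheme))
    return outgoing


def scheme_seen_by_backend(backend_headers):
    """What a backend that trusts the last X-Forwarded-Proto value concludes."""
    scheme = None
    for name, value in backend_headers:
        if name == "x-forwarded-proto":
            scheme = value
    return scheme


# Constructed sample request: a plaintext client that claims "https" and
# carries two X-Forwarded-For fields from earlier hops.
SAMPLE_REQUEST = [
    ("Host", "example.test"),
    ("X-Forwarded-For", "203.0.113.7"),
    ("X-Forwarded-For", "198.51.100.2"),
    ("X-Forwarded-Proto", "https"),
    ("Via", "1.1 proxy-a"),
]


if __name__ == "__main__":
    for label, cfg in [
        ("default (strip + add, last only)", ForwardingConfig()),
        ("forward all", ForwardingConfig(forward_all=True)),
        ("no-strip + no-add", ForwardingConfig(add_x_forwarded_proto=False,
                                               strip_incoming_x_forwarded_proto=False)),
    ]:
        out = forward_headers(SAMPLE_REQUEST, cfg, "http")
        print(label, "->", out, "| backend scheme:", scheme_seen_by_backend(out))
```

With the defaults, a plaintext client's "https" claim never reaches the backend; with both --no-strip-incoming-x-forwarded-proto and --no-add-x-forwarded-proto in effect, the backend sees whatever the client asserted, which is only safe when an upstream hop the operator trusts sets that field.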