Commit Graph

77 Commits

Author SHA1 Message Date
Tatsuhiro Tsujikawa 3849337b42 Bump ngtcp2 and nghttp3 2022-06-20 21:52:19 +09:00
Tatsuhiro Tsujikawa 09344eb1ad nghttp, nghttpd, nghttpx: Add ktls support 2022-05-07 18:53:59 +09:00
Tatsuhiro Tsujikawa 65d3c9047f Replace TLSv23_method with TLS_method 2021-10-17 17:21:09 +09:00
Tatsuhiro Tsujikawa 8c36971ea9 Compile with OPENSSL_NO_DEPRECATED and fix memory leaks 2021-10-17 17:12:14 +09:00
Tatsuhiro Tsujikawa 1ce9efc644 nghttpx: Set SCT data when built with boringssl 2021-10-15 23:06:24 +09:00
Tatsuhiro Tsujikawa 7055501efd src: Enable HTTP/3 with boringssl 2021-10-15 22:50:34 +09:00
Tatsuhiro Tsujikawa c790ee64a4 src: Prefer #ifdef for a single condition 2021-10-15 22:50:26 +09:00
Tatsuhiro Tsujikawa 0b6092446b src: Compile with boringssl for non-http3 build 2021-10-14 23:44:27 +09:00
Tatsuhiro Tsujikawa 19b4da6401 nghttpx: Support h3-29 2021-09-26 16:00:47 +09:00
Tatsuhiro Tsujikawa 886dc93f18 nghttpx: Fail h3 connection attempt if no ALPN is negotiated 2021-09-26 16:00:47 +09:00
Tatsuhiro Tsujikawa a2e2e46af3 Build with OpenSSL v3.0.0 2021-09-09 18:35:35 +09:00
Tatsuhiro Tsujikawa 50662c9c9e nghttpx: Guard TLS1_3_VERSION 2021-09-06 20:07:38 +09:00
Tatsuhiro Tsujikawa 9bda8e266e nghttpx: Remove BoringSSL early data for QUIC for now 2021-09-05 22:37:20 +09:00
Tatsuhiro Tsujikawa d977005126 nghttpx: Disable session cache for QUIC since it solely uses ticket 2021-09-05 22:36:43 +09:00
Tatsuhiro Tsujikawa 8b579bc7d0 nghttpx: Always renew TLS ticket for TLSv1.3 2021-09-05 22:26:45 +09:00
Tatsuhiro Tsujikawa ab16a11aa3 nghttpx: Add --frontend-quic-early-data, disable early data by default 2021-09-05 21:39:45 +09:00
Tatsuhiro Tsujikawa 4eced8a393 Build without HTTP/3 support 2021-08-22 23:54:29 +09:00
Tatsuhiro Tsujikawa 3ed2da562b nghttpx: Add HTTP3 skeleton and minor SSL_CTX fix 2021-08-21 18:34:07 +09:00
Tatsuhiro Tsujikawa e70f0db83c nghttpx: QUIC handshake now works 2021-08-21 18:34:07 +09:00
Tatsuhiro Tsujikawa ef53db201e nghttpx: Create QUIC SSL_CTX
We choose an easier route to duplicate SSL_CTX for QUIC.
2021-08-21 18:33:39 +09:00
Tatsuhiro Tsujikawa 81fb015391 nghttpx: Choose ECDSA cert if compatible signature algorithm available 2020-12-13 23:40:43 +09:00
Jacky Tian 4922bb41d6 static_cast size parameter in StringRef constructor to size_t 2020-03-31 00:54:08 -07:00
Jacky Tian aad8697575 Fix get_x509_serial for long serial numbers 2020-03-31 00:19:06 -07:00
Tatsuhiro Tsujikawa ec519f22dc
Merge pull request #1270 from baitisj/master
Fix for compilation against modern LibreSSL
2019-03-13 20:52:50 +09:00
Tatsuhiro Tsujikawa 371bc3a8f7 clang-format 2019-03-08 00:19:34 +09:00
Simon Frankenberger 34482ed4df Fix compilation with boringssl 2019-01-18 20:12:57 +01:00
Tatsuhiro Tsujikawa 11d0533cfc nghttpx: Ensure that cert serial does not exceed 20 bytes 2019-01-05 10:03:44 +09:00
Josh Braegger 5b2efc0a12 Fix getting long serial numbers for openssl < 1.1
From https://www.ietf.org/rfc/rfc5280.txt

> As noted in Section 4.1.2.2, serial numbers can be expected to
> contain long integers.  Certificate users MUST be able to handle
> serialNumber values up to 20 octets in length.  Conforming CAs MUST
> NOT use serialNumber values longer than 20 octets.

Without this, nghttpx will fatal.

    jbraeg$ openssl x509 -in ~/test_certs/client.crt -serial -noout
    serial=E0CFDFC7CEA10DF8AAF715C37FAEB410

    jbraeg$ curl -k --key ~/test_certs/client.key --cert ~/test_certs/client.crt https://192.168.98.100:3000/; echo
    curl: (56) Unexpected EOF

    ...
    Assertion failed: n == b.size() (shrpx_tls.cc: get_x509_serial: 2051)
    2019-01-03T20:25:21.289Z 1 1 f84316ae NOTICE (shrpx_log.cc:895) Worker process: [9] exited abnormally with status 0x06; exit status 0; signal Aborted(6)
    2019-01-03T20:25:21.290Z 1 1 f84316ae NOTICE (shrpx.cc:4311) Shutdown momentarily
2019-01-03 13:20:29 -08:00
Jeff 'Raid' Baitis 2c1570595e Fix for compilation against modern LibreSSL 2018-12-02 13:30:42 -08:00
Tatsuhiro Tsujikawa d68edf56c0 nghttpx: Convert MemcachedStatusCode to enum class 2018-11-02 14:14:48 +09:00
Tatsuhiro Tsujikawa 0c4e9fef29 nghttpx: Convert memcached op to enum class 2018-11-02 14:14:48 +09:00
Tatsuhiro Tsujikawa 1abfa3ca5f nghttpx: Make TLS handshake state enum class 2018-10-17 08:52:27 +09:00
Tatsuhiro Tsujikawa 20ea964f2f nghttpx: Convert shrpx_proto to enum class 2018-10-16 22:59:34 +09:00
Tatsuhiro Tsujikawa ec5729b1fa Use std::make_unique 2018-10-15 23:02:44 +09:00
Tatsuhiro Tsujikawa a63558a1eb nghttpx: Call OCSP_response_get1_basic only when OCSP status is successful 2018-09-16 22:19:27 +09:00
Tatsuhiro Tsujikawa 9c824b87fe nghttpx: Get rid of std::stringstream from Log 2018-09-14 22:58:48 +09:00
Tatsuhiro Tsujikawa cfe7fa9a75 nghttpx: Add --tls13-ciphers and --tls-client-ciphers options 2018-09-09 16:35:47 +09:00
Tatsuhiro Tsujikawa b8eccec62d nghttpx: Disable OpenSSL anti-replay 2018-09-08 19:10:59 +09:00
Tatsuhiro Tsujikawa 9f21258720 Specify SSL_CTX_set_max_early_data and add an option to change max value 2018-09-08 17:59:28 +09:00
Tatsuhiro Tsujikawa c5cdb78a95 nghttpx: Add TLSv1.3 0-RTT early data support 2018-09-08 17:54:35 +09:00
Tatsuhiro Tsujikawa 880f948684 Enable IndentPPDirectives 2018-06-09 16:21:30 +09:00
Tatsuhiro Tsujikawa 009646421c Use LIBRESSL_IN_USE instead of defined(LIBRESSL_VERSION_NUMBER) 2018-04-14 18:31:57 +09:00
Tatsuhiro Tsujikawa d8a34131e1 libressl 2.7 has SSL_CTX_get0_certificate 2018-04-14 18:31:57 +09:00
Tatsuhiro Tsujikawa 5db17d0af9 Compile with libressl 2.7.2 2018-04-14 18:09:47 +09:00
Tatsuhiro Tsujikawa 1bf69b5662 Define LIBRESSL_LEGACY_API and LIBRESSL_2_7_API
LIBRESSL_LEGACY_API is drop-in replacement for LIBRESSL_IN_USE.  In
the upcoming commits, we will add changes to support libressl 2.7.
2018-04-14 18:09:47 +09:00
Tatsuhiro Tsujikawa e65e7711ca Add comment on #endif 2018-04-03 21:39:44 +09:00
Tatsuhiro Tsujikawa 636ef51b0f Fix compile error with -Wunused-function 2018-04-03 21:33:09 +09:00
Bernard Spil 400934e5a3 [PATCH] Allow building without NPN
NPN has been superseeded by ALPN. OpenSSL provides a configure
option to disable npn (no-npn) which results in an OpenSSL
installation that defines OPENSSL_NO_NEXTPROTONEG in opensslconf.h

The #ifdef's look safe here (as the next_proto is initialized as
nullptr). Alteratively, macros could be defined for the used npn
methods that return a 0 for next_proto.

Signed-off-by: Bernard Spil <brnrd@FreeBSD.org>
2018-03-25 18:27:23 +02:00
Tatsuhiro Tsujikawa 39f0ce7c25
Merge pull request #1126 from nghttp2/nghttpx-expired-client-cert
nghttpx: Add an option to accept expired client certificate
2018-02-10 16:00:43 +09:00
Tatsuhiro Tsujikawa e8af7afc65 nghttpx: Add an option to accept expired client certificate 2018-02-08 16:51:23 +09:00