4eced8a393
Build without HTTP/3 support
2021-08-22 23:54:29 +09:00
3ed2da562b
nghttpx: Add HTTP3 skeleton and minor SSL_CTX fix
2021-08-21 18:34:07 +09:00
e70f0db83c
nghttpx: QUIC handshake now works
2021-08-21 18:34:07 +09:00
ef53db201e
nghttpx: Create QUIC SSL_CTX
...
We choose an easier route to duplicate SSL_CTX for QUIC.
2021-08-21 18:33:39 +09:00
81fb015391
nghttpx: Choose ECDSA cert if compatible signature algorithm available
2020-12-13 23:40:43 +09:00
4922bb41d6
static_cast size parameter in StringRef constructor to size_t
2020-03-31 00:54:08 -07:00
aad8697575
Fix get_x509_serial for long serial numbers
2020-03-31 00:19:06 -07:00
ec519f22dc
Merge pull request #1270 from baitisj/master
...
Fix for compilation against modern LibreSSL
2019-03-13 20:52:50 +09:00
371bc3a8f7
clang-format
2019-03-08 00:19:34 +09:00
34482ed4df
Fix compilation with boringssl
2019-01-18 20:12:57 +01:00
11d0533cfc
nghttpx: Ensure that cert serial does not exceed 20 bytes
2019-01-05 10:03:44 +09:00
5b2efc0a12
Fix getting long serial numbers for openssl < 1.1
...
From https://www.ietf.org/rfc/rfc5280.txt
> As noted in Section 4.1.2.2, serial numbers can be expected to
> contain long integers. Certificate users MUST be able to handle
> serialNumber values up to 20 octets in length. Conforming CAs MUST
> NOT use serialNumber values longer than 20 octets.
Without this, nghttpx will fatal.
jbraeg$ openssl x509 -in ~/test_certs/client.crt -serial -noout
serial=E0CFDFC7CEA10DF8AAF715C37FAEB410
jbraeg$ curl -k --key ~/test_certs/client.key --cert ~/test_certs/client.crt https://192.168.98.100:3000/ ; echo
curl: (56) Unexpected EOF
...
Assertion failed: n == b.size() (shrpx_tls.cc: get_x509_serial: 2051)
2019-01-03T20:25:21.289Z 1 1 f84316ae NOTICE (shrpx_log.cc:895) Worker process: [9] exited abnormally with status 0x06; exit status 0; signal Aborted(6)
2019-01-03T20:25:21.290Z 1 1 f84316ae NOTICE (shrpx.cc:4311) Shutdown momentarily
2019-01-03 13:20:29 -08:00
2c1570595e
Fix for compilation against modern LibreSSL
2018-12-02 13:30:42 -08:00
d68edf56c0
nghttpx: Convert MemcachedStatusCode to enum class
2018-11-02 14:14:48 +09:00
0c4e9fef29
nghttpx: Convert memcached op to enum class
2018-11-02 14:14:48 +09:00
1abfa3ca5f
nghttpx: Make TLS handshake state enum class
2018-10-17 08:52:27 +09:00
20ea964f2f
nghttpx: Convert shrpx_proto to enum class
2018-10-16 22:59:34 +09:00
ec5729b1fa
Use std::make_unique
2018-10-15 23:02:44 +09:00
a63558a1eb
nghttpx: Call OCSP_response_get1_basic only when OCSP status is successful
2018-09-16 22:19:27 +09:00
9c824b87fe
nghttpx: Get rid of std::stringstream from Log
2018-09-14 22:58:48 +09:00
cfe7fa9a75
nghttpx: Add --tls13-ciphers and --tls-client-ciphers options
2018-09-09 16:35:47 +09:00
b8eccec62d
nghttpx: Disable OpenSSL anti-replay
2018-09-08 19:10:59 +09:00
9f21258720
Specify SSL_CTX_set_max_early_data and add an option to change max value
2018-09-08 17:59:28 +09:00
c5cdb78a95
nghttpx: Add TLSv1.3 0-RTT early data support
2018-09-08 17:54:35 +09:00
880f948684
Enable IndentPPDirectives
2018-06-09 16:21:30 +09:00
009646421c
Use LIBRESSL_IN_USE instead of defined(LIBRESSL_VERSION_NUMBER)
2018-04-14 18:31:57 +09:00
d8a34131e1
libressl 2.7 has SSL_CTX_get0_certificate
2018-04-14 18:31:57 +09:00
5db17d0af9
Compile with libressl 2.7.2
2018-04-14 18:09:47 +09:00
1bf69b5662
Define LIBRESSL_LEGACY_API and LIBRESSL_2_7_API
...
LIBRESSL_LEGACY_API is drop-in replacement for LIBRESSL_IN_USE. In
the upcoming commits, we will add changes to support libressl 2.7.
2018-04-14 18:09:47 +09:00
e65e7711ca
Add comment on #endif
2018-04-03 21:39:44 +09:00
636ef51b0f
Fix compile error with -Wunused-function
2018-04-03 21:33:09 +09:00
400934e5a3
[PATCH] Allow building without NPN
...
NPN has been superseeded by ALPN. OpenSSL provides a configure
option to disable npn (no-npn) which results in an OpenSSL
installation that defines OPENSSL_NO_NEXTPROTONEG in opensslconf.h
The #ifdef's look safe here (as the next_proto is initialized as
nullptr). Alteratively, macros could be defined for the used npn
methods that return a 0 for next_proto.
Signed-off-by: Bernard Spil <brnrd@FreeBSD.org>
2018-03-25 18:27:23 +02:00
39f0ce7c25
Merge pull request #1126 from nghttp2/nghttpx-expired-client-cert
...
nghttpx: Add an option to accept expired client certificate
2018-02-10 16:00:43 +09:00
e8af7afc65
nghttpx: Add an option to accept expired client certificate
2018-02-08 16:51:23 +09:00
38abfd1863
nghttpx: Add mruby tls_client_not_before, and tls_client_not_after
2018-02-08 16:25:31 +09:00
ff3edc09ed
nghttpx: Fix potential memory leak
2018-02-03 18:21:42 +09:00
4d1139f653
Remove SPDY
2017-12-17 13:28:44 +09:00
48f574076c
nghttpx: Update doc
2017-12-16 00:13:27 +09:00
ff200bfcf3
clang-format-5.0
2017-11-23 14:19:12 +09:00
73344ae9aa
nghttpx: Use plain hex string format for client serial
2017-11-17 00:04:23 +09:00
cd55ab28ab
nghttpx: Add function to get serial number from certificate
2017-11-16 22:53:54 +09:00
22502182d0
Add tls_client_issuer_name log variable and expose it to mruby
2017-11-15 23:41:47 +09:00
7008afd40e
nghttpx: Refactor get_x509_fingerprint to accept hash function
2017-10-31 21:28:16 +09:00
9f80a82c1a
nghttpx: Add client fingerprint and subject name to mruby env
2017-10-29 19:54:42 +09:00
3be5856c82
nghttpx: Fix unused function warnings
2017-10-24 21:40:30 +09:00
323001238a
clang-format
2017-09-20 22:08:22 +09:00
a170023f23
nghttpx: Verify OCSP response using trusted CA certificates
2017-09-01 21:35:38 +09:00
4be4c0cddc
Revert "nghttpx: Verify OCSP response using trusted CA certificates"
...
This reverts commit 59c78d5809
2017-08-30 22:27:02 +09:00
5996798a34
Fix OCSP related error when building with BoringSSL
...
BoringSSL has no "openssl/ocsp.h" nor most OCSP related APIs used in
shrpx_tls.cc. This commit add ifdefs to disable related code to allow
building nghttp2 with BoringSSL (again).
It's possible to use !defined(OPENSSL_IS_BORINGSSL), but since BoringSSL
defines OPENSSL_NO_OCSP which is more specific, I chose to go with the
latter one.
2017-08-24 11:56:46 -04:00
59c78d5809
nghttpx: Verify OCSP response using trusted CA certificates
2017-06-13 23:00:26 +09:00
Tatsuhiro Tsujikawa
Jacky Tian
Tatsuhiro Tsujikawa
Simon Frankenberger
Josh Braegger
Jeff 'Raid' Baitis
Bernard Spil
Rick Lei