Hello community,
here is the log from the commit of package nghttp2 for openSUSE:Factory checked in at 2018-04-17 11:13:32
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/nghttp2 (Old)
and /work/SRC/openSUSE:Factory/.nghttp2.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "nghttp2"
Tue Apr 17 11:13:32 2018 rev:51 rq:596227 version:1.31.1
Changes:
--------
--- /work/SRC/openSUSE:Factory/nghttp2/nghttp2.changes 2018-03-01 12:06:08.685681750 +0100
+++ /work/SRC/openSUSE:Factory/.nghttp2.new/nghttp2.changes 2018-04-17 11:13:45.812972600 +0200
@@ -1,0 +2,30 @@
+Fri Apr 13 08:40:38 UTC 2018 - tchvatal@suse.com
+
+- Version umpdate to 1.31.1:
+ * Fix bsc#1088639 CVE-2018-1000168
+ * https://nghttp2.org/blog/2018/04/12/nghttp2-v1-31-1/
+
+-------------------------------------------------------------------
+Mon Apr 9 10:16:47 UTC 2018 - tchvatal@suse.com
+
+- Version update to 1.31.0:
+ * lib: Add nghttp2_session_set_user_data() public API function (GH-1137)
+ * src: Define nghttp2_inet_pton wrapper to avoid inet_pton macro (GH-1128)
+ * nghttpx: Close listening socket on graceful shutdown
+ * nghttpx: Add an option to accept expired client certificate (GH-1126)
+ * nghttpx: Add mruby tls_client_not_before, and tls_client_not_after (GH-1123)
+ * nghttpx: Fix potential memory leak
+ * lib: Allow PING frame to be sent after GOAWAY (GH-1103)
+ * nghttpx: Fix bug that h1 backend idle timeout expires sooner
+ * nghttpx: Stop overwrite of first header on mruby call to env.req.set_header(..) (Patch from Dylan Plecki) (GH-1119)
+ * nghttpx: Add upgrade-scheme parameter to backend option (GH-1099)
+ * nghttpx: Fix missing ALPN validation (--npn-list) (GH-1094)
+ * nghttpx: Remember which resource is pushed for RFC 8297 (GH-1101)
+
+-------------------------------------------------------------------
+Mon Apr 9 08:59:52 UTC 2018 - tchvatal@suse.com
+
+- Drop spdylay dependency as it is deprecated since version 1.28.0
+ and removed from cofnigure.ac since 1.29.0
+
+-------------------------------------------------------------------
Old:
----
nghttp2-1.29.0.tar.xz
New:
----
nghttp2-1.31.1.tar.xz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ nghttp2.spec ++++++
--- /var/tmp/diff_new_pack.db15sl/_old 2018-04-17 11:13:47.048914637 +0200
+++ /var/tmp/diff_new_pack.db15sl/_new 2018-04-17 11:13:47.052914449 +0200
@@ -21,7 +21,7 @@
%define soname_asio libnghttp2_asio
%define sover_asio 1
Name: nghttp2
-Version: 1.29.0
+Version: 1.31.1
Release: 0
Summary: Implementation of Hypertext Transfer Protocol version 2 in C
License: MIT
@@ -36,15 +36,14 @@
BuildRequires: gcc-c++
BuildRequires: libtool
BuildRequires: pkgconfig
+BuildRequires: python-rpm-macros
BuildRequires: python3-Cython
BuildRequires: python3-devel
-BuildRequires: python-rpm-macros
BuildRequires: python3-setuptools
BuildRequires: pkgconfig(cunit)
BuildRequires: pkgconfig(jansson)
BuildRequires: pkgconfig(libcares)
BuildRequires: pkgconfig(libev)
-BuildRequires: pkgconfig(libspdylay)
BuildRequires: pkgconfig(libsystemd)
BuildRequires: pkgconfig(libxml-2.0)
BuildRequires: pkgconfig(openssl)
@@ -122,6 +121,8 @@
%prep
%setup -q
%patch0 -p1
+# fix python shebang
+sed -i -e 's:#!%{_bindir}/env python:#!%{_bindir}/python3:g' script/fetch-ocsp-response
%build
autoreconf -fiv
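Review bot: The shebang rewrite in the added sed line is unanchored and uses the `g` flag, so it rewrites every occurrence of `#!%{_bindir}/env python` anywhere in `script/fetch-ocsp-response`, and it succeeds silently when the first line does not match, leaving a script that still resolves `python` through `env` at runtime. Restricting the substitution to line 1 and verifying the result makes the intent explicit and turns an upstream shebang change into a build failure instead of a shipped script with a stale interpreter: `sed -i -e '1s:^#!%{_bindir}/env python$:#!%{_bindir}/python3:' script/fetch-ocsp-response` followed by `head -n1 script/fetch-ocsp-response | grep -q '^#!%{_bindir}/python3$'`. The `%prep` section continues outside the hunk, so any blank line between the sed and `%build` is not visible here.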
++++++ nghttp2-1.29.0.tar.xz -> nghttp2-1.31.1.tar.xz ++++++
++++ 2013 lines of diff (skipped)
++++ retrying with extended exclude list
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/AUTHORS new/nghttp2-1.31.1/AUTHORS
--- old/nghttp2-1.29.0/AUTHORS 2017-12-19 15:35:50.000000000 +0100
+++ new/nghttp2-1.31.1/AUTHORS 2018-04-12 16:46:47.000000000 +0200
@@ -35,6 +35,7 @@
David Beitey
David Weekly
Dmitriy Vetutnev
+Dylan Plecki
Etienne Cimon
Fabian Möller
Fabian Wiesel
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/CMakeLists.txt new/nghttp2-1.31.1/CMakeLists.txt
--- old/nghttp2-1.29.0/CMakeLists.txt 2017-12-19 15:35:50.000000000 +0100
+++ new/nghttp2-1.31.1/CMakeLists.txt 2018-04-12 16:46:47.000000000 +0200
@@ -24,13 +24,13 @@
cmake_minimum_required(VERSION 3.0)
# XXX using 1.8.90 instead of 1.9.0-DEV
-project(nghttp2 VERSION 1.29.0)
+project(nghttp2 VERSION 1.31.1)
# See versioning rule:
# http://www.gnu.org/software/libtool/manual/html_node/Updating-version-info.h...
-set(LT_CURRENT 29)
+set(LT_CURRENT 30)
set(LT_REVISION 1)
-set(LT_AGE 15)
+set(LT_AGE 16)
set(CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/cmake" ${CMAKE_MODULE_PATH})
include(Version)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/ChangeLog new/nghttp2-1.31.1/ChangeLog
--- old/nghttp2-1.29.0/ChangeLog 2017-12-19 15:36:03.000000000 +0100
+++ new/nghttp2-1.31.1/ChangeLog 2018-04-12 16:48:28.000000000 +0200
@@ -1,204 +1,23 @@
-commit 439b9b6c6a3120da7a75ace62e9223751f4342c0 (HEAD, tag: v1.29.0, origin/master, origin/HEAD, master)
+commit 1e22b36c61d52bb0446a63f5994b1fbe8c7ce0db (HEAD, tag: v1.31.1, origin/v1.31.x, origin/HEAD, v1.31.x)
Author: Tatsuhiro Tsujikawa
-AuthorDate: 2017-12-19
+AuthorDate: 2018-04-07
Commit: Tatsuhiro Tsujikawa
-CommitDate: 2017-12-19
+CommitDate: 2018-04-07
Update manual pages
-commit 48498452925b7d0bc5d883a3f76d01855d53d0cf
+commit 0f818baf61c5762093d23520f7ee513d6e9e942e
Author: Tatsuhiro Tsujikawa
-AuthorDate: 2017-12-19
+AuthorDate: 2018-04-07
Commit: Tatsuhiro Tsujikawa
-CommitDate: 2017-12-19
+CommitDate: 2018-04-07
- Bump up version number to v1.29.0, LT revision to 29:1:15
+ Bump up version number to 1.31.1
-commit d30f38163c996d7aae43519d9245d7d87fd9a783
+commit c411d16945d658a181d92ca36bfea30853edab37
Author: Tatsuhiro Tsujikawa
-AuthorDate: 2017-12-17
+AuthorDate: 2018-04-07
Commit: Tatsuhiro Tsujikawa
-CommitDate: 2017-12-17
+CommitDate: 2018-04-07
- Update manual pages
-
-commit cff9ebe1ddf53d61dd2c66d4f68b7b7265ecdac0
-Merge: 48f57407 4d1139f6
-Author: Tatsuhiro Tsujikawa
-AuthorDate: 2017-12-17
-Commit: GitHub
-CommitDate: 2017-12-17
-
- Merge pull request #1091 from nghttp2/remove-spdy
-
- Remove SPDY
-
-commit 4d1139f65399c437700cf51bec98832e05a89f06
-Author: Tatsuhiro Tsujikawa
-AuthorDate: 2017-12-17
-Commit: Tatsuhiro Tsujikawa
-CommitDate: 2017-12-17
-
- Remove SPDY
-
-commit 48f574076c9ef0104ed6e73ef02e30de46bd7b74
-Author: Tatsuhiro Tsujikawa
-AuthorDate: 2017-12-16
-Commit: Tatsuhiro Tsujikawa
-CommitDate: 2017-12-16
-
- nghttpx: Update doc
-
-commit c1f14d73c7ae64391c024c3187984fbda2a51bbf
-Author: Tatsuhiro Tsujikawa
-AuthorDate: 2017-12-14
-Commit: Tatsuhiro Tsujikawa
-CommitDate: 2017-12-14
-
- Update manual pages
-
-commit 216f4dad83a0fb0778b915c9d29f957438b0ba18
-Author: Tatsuhiro Tsujikawa
-AuthorDate: 2017-12-14
-Commit: Tatsuhiro Tsujikawa
-CommitDate: 2017-12-14
-
- nghttpx: Remove redundant check
-
-commit a4e27d766b57ebb8ac4c34db9b6da2026252a0d8
-Author: Tatsuhiro Tsujikawa
-AuthorDate: 2017-12-14
-Commit: Tatsuhiro Tsujikawa
-CommitDate: 2017-12-14
-
- Revert "nghttpx: Use an existing h2 backend connection as much as possible"
-
- This reverts commit f507b5eee4b40a6621b39e8519c22a8d741794de.
-
- Balancing load is more important at the moment.
-
-commit 96df14d2ecb87e87e802d16e5b1388c0958c01e6
-Merge: 96ea9cda 2365f12e
-Author: Tatsuhiro Tsujikawa
-AuthorDate: 2017-12-14
-Commit: GitHub
-CommitDate: 2017-12-14
-
- Merge pull request #1084 from dvetutnev/cmake_module_path
-
- Fix CMAKE_MODULE_PATH
-
-commit 2365f12e394541d22ba806f23313d73d4e976830
-Author: Dmitriy Vetutnev
-AuthorDate: 2017-12-06
-Commit: Dmitriy Vetutnev
-CommitDate: 2017-12-06
-
- Fix CMAKE_MODULE_PATH
-
-commit 96ea9cdaf78cefcbc220c6cad03d644061cfce16
-Merge: a9416999 03f7ec0f
-Author: Tatsuhiro Tsujikawa
-AuthorDate: 2017-12-03
-Commit: GitHub
-CommitDate: 2017-12-03
-
- Merge pull request #1083 from nghttp2/nghttpx-api-tmp-file
-
- nghttpx: Write API request body in temporary file
-
-commit 03f7ec0f60dd75121578a15d8320ace7def3a279
-Author: Tatsuhiro Tsujikawa
-AuthorDate: 2017-12-02
-Commit: Tatsuhiro Tsujikawa
-CommitDate: 2017-12-03
-
- nghttpx: Write API request body in temporary file
-
-commit a9416999628c5fa6cc226e5dffdfe750de30637e
-Merge: 04348ff2 2056e812
-Author: Tatsuhiro Tsujikawa
-AuthorDate: 2017-12-02
-Commit: GitHub
-CommitDate: 2017-12-02
-
- Merge pull request #1082 from nghttp2/nghttpx-increase-api-max-request-body
-
- nghttpx: Increase api-max-request-body
-
-commit 2056e812bd6cbf3d4918d1d65d85cb02bde8220c
-Author: Tatsuhiro Tsujikawa
-AuthorDate: 2017-12-02
-Commit: Tatsuhiro Tsujikawa
-CommitDate: 2017-12-02
-
- nghttpx: Increase api-max-request-body
-
-commit 04348ff20e42db67a1819dda03f709e45985cdad
-Merge: d8e378fe 1ebb6810
-Author: Tatsuhiro Tsujikawa
-AuthorDate: 2017-12-01
-Commit: GitHub
-CommitDate: 2017-12-01
-
- Merge pull request #1081 from nghttp2/nghttpx-faster-parse-config
-
- nghttpx: Faster configuration loading with lots of backends
-
-commit d8e378fea95780e66394dc9d471facbc7e891e34
-Merge: 2a694b27 a3ebeeaf
-Author: Tatsuhiro Tsujikawa
-AuthorDate: 2017-12-01
-Commit: GitHub
-CommitDate: 2017-12-01
-
- Merge pull request #1080 from nghttp2/nghttpx-fix-crash-with-backend-http-proxy-uri
-
- nghttpx: Fix crash with --backend-http-proxy-uri option
-
-commit 1ebb6810a1aca7ec641e602924fb2ecb90f59f51
-Author: Tatsuhiro Tsujikawa
-AuthorDate: 2017-12-01
-Commit: Tatsuhiro Tsujikawa
-CommitDate: 2017-12-01
-
- nghttpx: Faster configuration loading with lots of backends
-
-commit 2a694b270a37806e3f7431b0f64949fdd047c559
-Merge: 97f1735c 422ad1be
-Author: Tatsuhiro Tsujikawa
-AuthorDate: 2017-12-01
-Commit: GitHub
-CommitDate: 2017-12-01
-
- Merge pull request #1077 from nghttp2/refused-stream
-
- Use NGHTTP2_REFUSED_STREAM for streams which are closed by GOAWAY
-
-commit a3ebeeafbab4c871a7856e2a6e4fdde497b24060
-Author: Tatsuhiro Tsujikawa
-AuthorDate: 2017-12-01
-Commit: Tatsuhiro Tsujikawa
-CommitDate: 2017-12-01
-
- nghttpx: Fix crash with --backend-http-proxy-uri option
-
-commit 422ad1be3253fb263a70b159e2e85d803f8a2d85
-Author: Tatsuhiro Tsujikawa
-AuthorDate: 2017-11-30
-Commit: Tatsuhiro Tsujikawa
-CommitDate: 2017-11-30
-
- Use NGHTTP2_REFUSED_STREAM for streams which are closed by GOAWAY
-
- The error code NGHTTP2_REFUSED_STREAM is passed to
- nghttp2_on_stream_close callback when a stream is closed because its
- stream ID is strictly larger than incoming or outgoing GOAWAY.
-
-commit 97f1735cf5a15ae107aeed9bbf8d06ad7dc5a3c2
-Author: Tatsuhiro Tsujikawa
-AuthorDate: 2017-11-25
-Commit: Tatsuhiro Tsujikawa
-CommitDate: 2017-11-25
-
- Bump up version number to 1.29.0
+ Fix frame handling
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/configure.ac new/nghttp2-1.31.1/configure.ac
--- old/nghttp2-1.29.0/configure.ac 2017-12-19 15:35:50.000000000 +0100
+++ new/nghttp2-1.31.1/configure.ac 2018-04-12 16:46:47.000000000 +0200
@@ -25,7 +25,7 @@
dnl http://www.gnu.org/software/automake/manual/html_node/Flag-Variables-Orderin...
AC_PREREQ(2.61)
-AC_INIT([nghttp2], [1.29.0], [t-tujikawa@users.sourceforge.net])
+AC_INIT([nghttp2], [1.31.1], [t-tujikawa@users.sourceforge.net])
AC_CONFIG_AUX_DIR([.])
AC_CONFIG_MACRO_DIR([m4])
AC_CONFIG_HEADERS([config.h])
@@ -44,9 +44,9 @@
dnl See versioning rule:
dnl http://www.gnu.org/software/libtool/manual/html_node/Updating-version-info.h...
-AC_SUBST(LT_CURRENT, 29)
+AC_SUBST(LT_CURRENT, 30)
AC_SUBST(LT_REVISION, 1)
-AC_SUBST(LT_AGE, 15)
+AC_SUBST(LT_AGE, 16)
major=`echo $PACKAGE_VERSION |cut -d. -f1 | sed -e "s/[^0-9]//g"`
minor=`echo $PACKAGE_VERSION |cut -d. -f2 | sed -e "s/[^0-9]//g"`
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/doc/Makefile.am new/nghttp2-1.31.1/doc/Makefile.am
--- old/nghttp2-1.29.0/doc/Makefile.am 2017-12-19 15:35:50.000000000 +0100
+++ new/nghttp2-1.31.1/doc/Makefile.am 2018-04-12 16:46:47.000000000 +0200
@@ -143,6 +143,7 @@
nghttp2_session_set_local_window_size.rst \
nghttp2_session_set_next_stream_id.rst \
nghttp2_session_set_stream_user_data.rst \
+ nghttp2_session_set_user_data.rst \
nghttp2_session_terminate_session.rst \
nghttp2_session_terminate_session2.rst \
nghttp2_session_upgrade.rst \
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/doc/bash_completion/nghttpx new/nghttp2-1.31.1/doc/bash_completion/nghttpx
--- old/nghttp2-1.29.0/doc/bash_completion/nghttpx 2017-12-19 15:35:50.000000000 +0100
+++ new/nghttp2-1.31.1/doc/bash_completion/nghttpx 2018-04-12 16:46:47.000000000 +0200
@@ -8,7 +8,7 @@
_get_comp_words_by_ref cur prev
case $cur in
-*)
- COMPREPLY=( $( compgen -W '--worker-read-rate --include --frontend-http2-dump-response-header --tls-ticket-key-file --verify-client-cacert --max-response-header-fields --backend-http2-window-size --frontend-keep-alive-timeout --backend-request-buffer --max-request-header-fields --fastopen --backend-connect-timeout --tls-max-proto-version --conf --dns-lookup-timeout --backend-http2-max-concurrent-streams --worker-write-burst --npn-list --dns-max-try --fetch-ocsp-response-file --no-via --tls-session-cache-memcached-cert-file --no-http2-cipher-black-list --mruby-file --client-no-http2-cipher-black-list --stream-read-timeout --client-ciphers --ocsp-update-interval --forwarded-for --accesslog-syslog --dns-cache-timeout --frontend-http2-read-timeout --listener-disable-timeout --ciphers --client-psk-secrets --strip-incoming-x-forwarded-for --no-server-rewrite --private-key-passwd-file --backend-keep-alive-timeout --backend-http-proxy-uri --frontend-max-requests --rlimit-nofile --no-strip-incoming-x-forwarded-proto --tls-ticket-key-memcached-cert-file --no-verify-ocsp --forwarded-by --tls-session-cache-memcached-private-key-file --error-page --ocsp-startup --backend-write-timeout --tls-dyn-rec-warmup-threshold --tls-ticket-key-memcached-max-retry --frontend-http2-window-size --http2-no-cookie-crumbling --worker-read-burst --dh-param-file --accesslog-format --errorlog-syslog --redirect-https-port --request-header-field-buffer --api-max-request-body --frontend-http2-decoder-dynamic-table-size --errorlog-file --frontend-http2-max-concurrent-streams --psk-secrets --frontend-write-timeout --tls-ticket-key-cipher --read-burst --no-add-x-forwarded-proto --backend --server-name --insecure --backend-max-backoff --log-level --host-rewrite --tls-ticket-key-memcached-interval --frontend-http2-setting-timeout --frontend-http2-connection-window-size --worker-frontend-connections --syslog-facility --no-server-push --no-location-rewrite --single-thread --tls-session-cache-memcached 
--no-ocsp --backend-response-buffer --tls-min-proto-version --workers --add-forwarded --worker-write-rate --add-request-header --backend-http2-settings-timeout --subcert --ecdh-curves --no-kqueue --help --frontend-frame-debug --tls-sct-dir --pid-file --frontend-http2-dump-request-header --daemon --write-rate --altsvc --backend-http2-decoder-dynamic-table-size --user --add-x-forwarded-for --frontend-read-timeout --tls-ticket-key-memcached-max-fail --backlog --write-burst --backend-connections-per-host --response-header-field-buffer --tls-ticket-key-memcached-address-family --padding --tls-session-cache-memcached-address-family --stream-write-timeout --cacert --tls-ticket-key-memcached-private-key-file --accesslog-write-early --backend-address-family --backend-http2-connection-window-size --version --add-response-header --backend-read-timeout --frontend-http2-optimize-window-size --frontend --accesslog-file --http2-proxy --backend-http2-encoder-dynamic-table-size --client-private-key-file --single-process --client-cert-file --tls-ticket-key-memcached --tls-dyn-rec-idle-timeout --frontend-http2-optimize-write-buffer-size --verify-client --frontend-http2-encoder-dynamic-table-size --read-rate --backend-connections-per-frontend --strip-incoming-forwarded ' -- "$cur" ) )
+ COMPREPLY=( $( compgen -W '--worker-read-rate --include --frontend-http2-dump-response-header --tls-ticket-key-file --verify-client-cacert --max-response-header-fields --backend-http2-window-size --frontend-keep-alive-timeout --backend-request-buffer --max-request-header-fields --backend-connect-timeout --tls-max-proto-version --conf --dns-lookup-timeout --backend-http2-max-concurrent-streams --worker-write-burst --npn-list --dns-max-try --fetch-ocsp-response-file --no-via --tls-session-cache-memcached-cert-file --no-http2-cipher-black-list --mruby-file --add-forwarded --client-no-http2-cipher-black-list --stream-read-timeout --client-ciphers --ocsp-update-interval --forwarded-for --accesslog-syslog --dns-cache-timeout --frontend-http2-read-timeout --listener-disable-timeout --ciphers --client-psk-secrets --strip-incoming-x-forwarded-for --no-server-rewrite --private-key-passwd-file --backend-keep-alive-timeout --backend-http-proxy-uri --frontend-max-requests --rlimit-nofile --no-strip-incoming-x-forwarded-proto --tls-ticket-key-memcached-cert-file --no-verify-ocsp --forwarded-by --tls-session-cache-memcached-private-key-file --error-page --ocsp-startup --backend-write-timeout --tls-dyn-rec-warmup-threshold --tls-ticket-key-memcached-max-retry --frontend-http2-window-size --http2-no-cookie-crumbling --worker-read-burst --dh-param-file --accesslog-format --errorlog-syslog --redirect-https-port --request-header-field-buffer --api-max-request-body --frontend-http2-decoder-dynamic-table-size --errorlog-file --frontend-http2-max-concurrent-streams --psk-secrets --frontend-write-timeout --tls-ticket-key-cipher --read-burst --no-add-x-forwarded-proto --backend --server-name --insecure --backend-max-backoff --log-level --host-rewrite --tls-ticket-key-memcached-interval --frontend-http2-setting-timeout --frontend-http2-connection-window-size --worker-frontend-connections --syslog-facility --fastopen --no-location-rewrite --single-thread --tls-session-cache-memcached 
--no-ocsp --backend-response-buffer --tls-min-proto-version --workers --add-x-forwarded-for --no-server-push --worker-write-rate --add-request-header --backend-http2-settings-timeout --subcert --ecdh-curves --no-kqueue --help --frontend-frame-debug --tls-sct-dir --pid-file --frontend-http2-dump-request-header --daemon --write-rate --altsvc --backend-http2-decoder-dynamic-table-size --user --verify-client-tolerate-expired --frontend-read-timeout --tls-ticket-key-memcached-max-fail --backlog --write-burst --backend-connections-per-host --response-header-field-buffer --tls-ticket-key-memcached-address-family --padding --tls-session-cache-memcached-address-family --stream-write-timeout --cacert --tls-ticket-key-memcached-private-key-file --accesslog-write-early --backend-address-family --backend-http2-connection-window-size --version --add-response-header --backend-read-timeout --frontend-http2-optimize-window-size --frontend --accesslog-file --http2-proxy --backend-http2-encoder-dynamic-table-size --client-private-key-file --single-process --client-cert-file --tls-ticket-key-memcached --tls-dyn-rec-idle-timeout --frontend-http2-optimize-write-buffer-size --verify-client --frontend-http2-encoder-dynamic-table-size --read-rate --backend-connections-per-frontend --strip-incoming-forwarded ' -- "$cur" ) )
;;
*)
_filedir
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/doc/h2load.1 new/nghttp2-1.31.1/doc/h2load.1
--- old/nghttp2-1.29.0/doc/h2load.1 2017-12-19 15:35:50.000000000 +0100
+++ new/nghttp2-1.31.1/doc/h2load.1 2018-04-12 16:46:47.000000000 +0200
@@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
-.TH "H2LOAD" "1" "Dec 19, 2017" "1.29.0" "nghttp2"
+.TH "H2LOAD" "1" "Apr 07, 2018" "1.31.1" "nghttp2"
.SH NAME
h2load \- HTTP/2 benchmarking tool
.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/doc/nghttp.1 new/nghttp2-1.31.1/doc/nghttp.1
--- old/nghttp2-1.29.0/doc/nghttp.1 2017-12-19 15:35:50.000000000 +0100
+++ new/nghttp2-1.31.1/doc/nghttp.1 2018-04-12 16:46:47.000000000 +0200
@@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
-.TH "NGHTTP" "1" "Dec 19, 2017" "1.29.0" "nghttp2"
+.TH "NGHTTP" "1" "Apr 07, 2018" "1.31.1" "nghttp2"
.SH NAME
nghttp \- HTTP/2 client
.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/doc/nghttp2_session_set_user_data.rst new/nghttp2-1.31.1/doc/nghttp2_session_set_user_data.rst
--- old/nghttp2-1.29.0/doc/nghttp2_session_set_user_data.rst 1970-01-01 01:00:00.000000000 +0100
+++ new/nghttp2-1.31.1/doc/nghttp2_session_set_user_data.rst 2018-04-12 16:50:00.000000000 +0200
@@ -0,0 +1,15 @@
+
+nghttp2_session_set_user_data
+=============================
+
+Synopsis
+--------
+
+*#include *
+
+.. function:: void nghttp2_session_set_user_data(nghttp2_session *session, void *user_data)
+
+
+ Sets *user_data* to *session*, overwriting the existing user data
+ specified in `nghttp2_session_client_new()`, or
+ `nghttp2_session_server_new()`.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/doc/nghttpd.1 new/nghttp2-1.31.1/doc/nghttpd.1
--- old/nghttp2-1.29.0/doc/nghttpd.1 2017-12-19 15:35:50.000000000 +0100
+++ new/nghttp2-1.31.1/doc/nghttpd.1 2018-04-12 16:46:47.000000000 +0200
@@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
-.TH "NGHTTPD" "1" "Dec 19, 2017" "1.29.0" "nghttp2"
+.TH "NGHTTPD" "1" "Apr 07, 2018" "1.31.1" "nghttp2"
.SH NAME
nghttpd \- HTTP/2 server
.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/doc/nghttpx.1 new/nghttp2-1.31.1/doc/nghttpx.1
--- old/nghttp2-1.29.0/doc/nghttpx.1 2017-12-19 15:35:50.000000000 +0100
+++ new/nghttp2-1.31.1/doc/nghttpx.1 2018-04-12 16:46:47.000000000 +0200
@@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
-.TH "NGHTTPX" "1" "Dec 19, 2017" "1.29.0" "nghttp2"
+.TH "NGHTTPX" "1" "Apr 07, 2018" "1.31.1" "nghttp2"
.SH NAME
nghttpx \- HTTP/2 proxy
.
@@ -228,6 +228,13 @@
"redirect\-if\-no\-tls" parameter to all backends
explicitly if this feature is desired.
.sp
+If "upgrade\-scheme" parameter is used along with "tls"
+parameter, HTTP/2 :scheme pseudo header field is changed
+to "https" from "http" when forwarding a request to this
+particular backend. This is a workaround for a backend
+server which requires "https" :scheme pseudo header
+field on TLS encrypted connection.
+.sp
Since ";" and ":" are used as delimiter, <PATTERN> must
not contain these characters. Since ";" has special
meaning in shell, the option value must be quoted.
@@ -691,6 +698,14 @@
.UNINDENT
.INDENT 0.0
.TP
+.B \-\-verify\-client\-tolerate\-expired
+Accept expired client certificate. Operator should
+handle the expired client certificate by some means
+(e.g., mruby script). Otherwise, this option might
+cause a security risk.
+.UNINDENT
+.INDENT 0.0
+.TP
.B \-\-client\-private\-key\-file=<PATH>
Path to file that contains client private key used in
backend client authentication.
@@ -989,7 +1004,7 @@
Set the maximum number of the concurrent streams in one
frontend HTTP/2 session.
.sp
-Default: \(ga\(ga 100\(ga\(ga
+Default: \fB100\fP
.UNINDENT
.INDENT 0.0
.TP
@@ -2023,6 +2038,18 @@
.UNINDENT
.INDENT 7.0
.TP
+.B attribute [R] tls_client_not_before
+Return the start date of a client certificate in seconds since
+the epoch.
+.UNINDENT
+.INDENT 7.0
+.TP
+.B attribute [R] tls_client_not_after
+Return the end date of a client certificate in seconds since
+the epoch.
+.UNINDENT
+.INDENT 7.0
+.TP
.B attribute [R] tls_cipher
Return a TLS cipher negotiated in this connection.
.UNINDENT
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/doc/nghttpx.1.rst new/nghttp2-1.31.1/doc/nghttpx.1.rst
--- old/nghttp2-1.29.0/doc/nghttpx.1.rst 2017-12-19 15:35:50.000000000 +0100
+++ new/nghttp2-1.31.1/doc/nghttpx.1.rst 2018-04-12 16:46:47.000000000 +0200
@@ -212,6 +212,13 @@
"redirect-if-no-tls" parameter to all backends
explicitly if this feature is desired.
+ If "upgrade-scheme" parameter is used along with "tls"
+ parameter, HTTP/2 :scheme pseudo header field is changed
+ to "https" from "http" when forwarding a request to this
+ particular backend. This is a workaround for a backend
+ server which requires "https" :scheme pseudo header
+ field on TLS encrypted connection.
+
Since ";" and ":" are used as delimiter, <PATTERN> must
not contain these characters. Since ";" has special
meaning in shell, the option value must be quoted.
@@ -637,6 +644,13 @@
client certificate. The file must be in PEM format. It
can contain multiple certificates.
+.. option:: --verify-client-tolerate-expired
+
+ Accept expired client certificate. Operator should
+ handle the expired client certificate by some means
+ (e.g., mruby script). Otherwise, this option might
+ cause a security risk.
+
.. option:: --client-private-key-file=<PATH>
Path to file that contains client private key used in
@@ -910,7 +924,7 @@
Set the maximum number of the concurrent streams in one
frontend HTTP/2 session.
- Default: `` 100``
+ Default: ``100``
.. option:: --backend-http2-max-concurrent-streams=<N>
@@ -1852,6 +1866,16 @@
Return the serial number of a client certificate.
+ .. rb:attr_reader:: tls_client_not_before
+
+ Return the start date of a client certificate in seconds since
+ the epoch.
+
+ .. rb:attr_reader:: tls_client_not_after
+
+ Return the end date of a client certificate in seconds since
+ the epoch.
+
.. rb:attr_reader:: tls_cipher
Return a TLS cipher negotiated in this connection.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/lib/includes/nghttp2/nghttp2.h new/nghttp2-1.31.1/lib/includes/nghttp2/nghttp2.h
--- old/nghttp2-1.29.0/lib/includes/nghttp2/nghttp2.h 2017-12-19 15:35:50.000000000 +0100
+++ new/nghttp2-1.31.1/lib/includes/nghttp2/nghttp2.h 2018-04-12 16:46:47.000000000 +0200
@@ -3084,6 +3084,16 @@
/**
* @function
*
+ * Sets |user_data| to |session|, overwriting the existing user data
+ * specified in `nghttp2_session_client_new()`, or
+ * `nghttp2_session_server_new()`.
+ */
+NGHTTP2_EXTERN void nghttp2_session_set_user_data(nghttp2_session *session,
+ void *user_data);
+
+/**
+ * @function
+ *
* Returns the number of frames in the outbound queue. This does not
* include the deferred DATA frames.
*/
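Review bot: The new doc comment for `nghttp2_session_set_user_data` does not say when the replacement pointer becomes visible to callbacks, which is exactly what a caller swapping user data on a live session needs to know. The definition added in `lib/nghttp2_session.c` further down this diff is a plain store into `session->user_data`, so presumably callbacks invoked after the call receive the new pointer; a sentence such as ` * The new |user_data| is passed to callbacks invoked after this call.` would capture that, once confirmed against the callback dispatch code. It would also help to state the precondition the store relies on, since the setter performs no check: ` * |session| must not be NULL.` The surrounding doc block for the next function starts and ends outside the hunk.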
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/lib/includes/nghttp2/nghttp2ver.h new/nghttp2-1.31.1/lib/includes/nghttp2/nghttp2ver.h
--- old/nghttp2-1.29.0/lib/includes/nghttp2/nghttp2ver.h 2017-12-19 15:36:24.000000000 +0100
+++ new/nghttp2-1.31.1/lib/includes/nghttp2/nghttp2ver.h 2018-04-12 16:49:58.000000000 +0200
@@ -29,7 +29,7 @@
* @macro
* Version number of the nghttp2 library release
*/
-#define NGHTTP2_VERSION "1.29.0"
+#define NGHTTP2_VERSION "1.31.1"
/**
* @macro
@@ -37,6 +37,6 @@
* release. This is a 24 bit number with 8 bits for major number, 8 bits
* for minor and 8 bits for patch. Version 1.2.3 becomes 0x010203.
*/
-#define NGHTTP2_VERSION_NUM 0x011d00
+#define NGHTTP2_VERSION_NUM 0x011f01
#endif /* NGHTTP2VER_H */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/lib/nghttp2_frame.c new/nghttp2-1.31.1/lib/nghttp2_frame.c
--- old/nghttp2-1.29.0/lib/nghttp2_frame.c 2017-12-19 15:35:50.000000000 +0100
+++ new/nghttp2-1.31.1/lib/nghttp2_frame.c 2018-04-12 16:46:47.000000000 +0200
@@ -215,6 +215,9 @@
nghttp2_ext_altsvc *altsvc;
altsvc = frame->payload;
+ if (altsvc == NULL) {
+ return;
+ }
/* We use the same buffer for altsvc->origin and
altsvc->field_value. */
nghttp2_mem_free(mem, altsvc->origin);
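Review bot: The NULL guard added before the `altsvc->origin` free does not say which path leaves `frame->payload` unset for an ALTSVC frame, so a later reader cannot tell whether the early return covers a legitimate state or masks a missed allocation. A one-line comment above the check, e.g. `/* payload may be NULL when the frame never reached payload allocation; nothing to free */` (wording to be confirmed against the decode path), would make the contract explicit. The changes entry at the top of this log ties 1.31.1 to CVE-2018-1000168 and the ChangeLog hunk labels the release commit "Fix frame handling"; if this guard is that fix, a regression test that drives an ALTSVC frame with a NULL payload through this free routine would pin the behaviour and keep the check from being dropped as dead code. The enclosing function starts and ends outside the hunk.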
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/lib/nghttp2_session.c new/nghttp2-1.31.1/lib/nghttp2_session.c
--- old/nghttp2-1.29.0/lib/nghttp2_session.c 2017-12-19 15:35:50.000000000 +0100
+++ new/nghttp2-1.31.1/lib/nghttp2_session.c 2018-04-12 16:46:47.000000000 +0200
@@ -2225,8 +2225,9 @@
assert(session->obq_flood_counter_ > 0);
--session->obq_flood_counter_;
}
-
- if (session_is_closing(session)) {
+ /* PING frame is allowed to be sent unless termination GOAWAY is
+ sent */
+ if (session->goaway_flags & NGHTTP2_GOAWAY_TERM_ON_SEND) {
return NGHTTP2_ERR_SESSION_CLOSING;
}
nghttp2_frame_pack_ping(&session->aob.framebufs, &frame->ping);
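Review bot: Replacing `session_is_closing(session)` with the `NGHTTP2_GOAWAY_TERM_ON_SEND` test widens the set of session states in which a PING is packed, but nothing in the hunk pins the two boundaries that now matter: a PING queued after a non-terminating GOAWAY must still be packed, and one queued after the terminating GOAWAY must still return `NGHTTP2_ERR_SESSION_CLOSING`. A unit test for each case would keep the relaxation from being silently reverted by a future cleanup. The `obq_flood_counter_` decrement just above shows PING ACKs are accounted against the outbound flood limit, so it is worth confirming that this limit still applies while a session drains after GOAWAY, since it appears to be the only bound on PINGs queued in that state. The enclosing function starts outside the hunk.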
@@ -7520,3 +7521,7 @@
nghttp2_session_get_hd_deflate_dynamic_table_size(nghttp2_session *session) {
return nghttp2_hd_deflate_get_dynamic_table_size(&session->hd_deflater);
}
+
+void nghttp2_session_set_user_data(nghttp2_session *session, void *user_data) {
+ session->user_data = user_data;
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/src/http2.cc new/nghttp2-1.31.1/src/http2.cc
--- old/nghttp2-1.29.0/src/http2.cc 2017-12-19 15:35:50.000000000 +0100
+++ new/nghttp2-1.31.1/src/http2.cc 2018-04-12 16:46:47.000000000 +0200
@@ -36,6 +36,8 @@
return StringRef::from_lit("Continue");
case 101:
return StringRef::from_lit("Switching Protocols");
+ case 103:
+ return StringRef::from_lit("Early Hints");
case 200:
return StringRef::from_lit("OK");
case 201:
@@ -140,6 +142,8 @@
return StringRef::from_lit("100");
case 101:
return StringRef::from_lit("101");
+ case 103:
+ return StringRef::from_lit("103");
case 200:
return StringRef::from_lit("200");
case 201:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/src/shrpx.cc new/nghttp2-1.31.1/src/shrpx.cc
--- old/nghttp2-1.29.0/src/shrpx.cc 2017-12-19 15:35:50.000000000 +0100
+++ new/nghttp2-1.31.1/src/shrpx.cc 2018-04-12 16:46:47.000000000 +0200
@@ -573,9 +573,14 @@
case EXEC_BINARY_SIGNAL:
exec_binary();
return;
- case GRACEFUL_SHUTDOWN_SIGNAL:
+ case GRACEFUL_SHUTDOWN_SIGNAL: {
+ auto &listenerconf = get_config()->conn.listener;
+ for (auto &addr : listenerconf.addrs) {
+ close(addr.fd);
+ }
ipc_send(wp, SHRPX_IPC_GRACEFUL_SHUTDOWN);
return;
+ }
case RELOAD_SIGNAL:
reload_config(wp);
return;
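Review bot: `close(addr.fd)` in the new GRACEFUL_SHUTDOWN_SIGNAL branch discards the return value and leaves the closed descriptor number in the listener config, so any later code that iterates `listenerconf.addrs` (the EXEC_BINARY_SIGNAL case just above hands listener fds to the new binary, if I read exec_binary() right — it is not in this diff) would act on a stale or reused fd. I would log failure and invalidate the slot: `if (close(addr.fd) == -1) { LOG(WARN) << "close listener fd " << addr.fd << ": " << strerror(errno); }` followed by `addr.fd = -1;`. `listenerconf` is taken from `get_config()`, which may be the const accessor; the reset then needs the mutable one. The enclosing signal dispatch function starts before this hunk.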
@@ -1815,6 +1820,13 @@
"redirect-if-no-tls" parameter to all backends
explicitly if this feature is desired.
+ If "upgrade-scheme" parameter is used along with "tls"
+ parameter, HTTP/2 :scheme pseudo header field is changed
+ to "https" from "http" when forwarding a request to this
+ particular backend. This is a workaround for a backend
+ server which requires "https" :scheme pseudo header
+ field on TLS encrypted connection.
+
Since ";" and ":" are used as delimiter, <PATTERN> must
not contain these characters. Since ";" has special
meaning in shell, the option value must be quoted.
@@ -2130,6 +2142,11 @@
Path to file that contains CA certificates to verify
client certificate. The file must be in PEM format. It
can contain multiple certificates.
+ --verify-client-tolerate-expired
+ Accept expired client certificate. Operator should
+ handle the expired client certificate by some means
+ (e.g., mruby script). Otherwise, this option might
+ cause a security risk.
--client-private-key-file=<PATH>
Path to file that contains client private key used in
backend client authentication.
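Review bot: The help text for --verify-client-tolerate-expired does not say what is actually relaxed: the verify callback added later in this diff accepts only `X509_V_ERR_CERT_HAS_EXPIRED` at depth 0, so an expired intermediate or root is still rejected and a not-yet-valid certificate is still rejected. Operators need that scope to judge the risk, and they need the name of the hook that lets them enforce their own policy instead of "by some means". I would append: `Only the expiry of the client's own (leaf) certificate is tolerated; chain, signature and other checks still apply. The expiry time is exposed to mruby as env.tls_client_not_after.`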
@@ -2349,7 +2366,7 @@
-c, --frontend-http2-max-concurrent-streams=<N>
Set the maximum number of the concurrent streams in one
frontend HTTP/2 session.
- Default: )"
+ Default: )"
<< config->http2.upstream.max_concurrent_streams << R"(
--backend-http2-max-concurrent-streams=<N>
Set the maximum number of the concurrent streams in one
@@ -3399,6 +3416,8 @@
{SHRPX_OPT_NO_STRIP_INCOMING_X_FORWARDED_PROTO.c_str(), no_argument,
&flag, 158},
{SHRPX_OPT_SINGLE_PROCESS.c_str(), no_argument, &flag, 159},
+ {SHRPX_OPT_VERIFY_CLIENT_TOLERATE_EXPIRED.c_str(), no_argument, &flag,
+ 160},
{nullptr, 0, nullptr, 0}};
int option_index = 0;
@@ -4160,6 +4179,11 @@
cmdcfgs.emplace_back(SHRPX_OPT_SINGLE_PROCESS,
StringRef::from_lit("yes"));
break;
+ case 160:
+ // --verify-client-tolerate-expired
+ cmdcfgs.emplace_back(SHRPX_OPT_VERIFY_CLIENT_TOLERATE_EXPIRED,
+ StringRef::from_lit("yes"));
+ break;
default:
break;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/src/shrpx_client_handler.cc new/nghttp2-1.31.1/src/shrpx_client_handler.cc
--- old/nghttp2-1.29.0/src/shrpx_client_handler.cc 2017-12-19 15:35:50.000000000 +0100
+++ new/nghttp2-1.31.1/src/shrpx_client_handler.cc 2018-04-12 16:46:47.000000000 +0200
@@ -556,28 +556,20 @@
}
#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
- if (next_proto == nullptr) {
- if (LOG_ENABLED(INFO)) {
- CLOG(INFO, this) << "No protocol negotiated. Fallback to HTTP/1.1";
- }
+ StringRef proto;
- upstream_ = make_unique<HttpsUpstream>(this);
- alpn_ = StringRef::from_lit("http/1.1");
+ if (next_proto) {
+ proto = StringRef{next_proto, next_proto_len};
- // At this point, input buffer is already filled with some bytes.
- // The read callback is not called until new data come. So consume
- // input buffer here.
- if (on_read() != 0) {
- return -1;
+ if (LOG_ENABLED(INFO)) {
+ CLOG(INFO, this) << "The negotiated next protocol: " << proto;
+ }
+ } else {
+ if (LOG_ENABLED(INFO)) {
+ CLOG(INFO, this) << "No protocol negotiated. Fallback to HTTP/1.1";
}
- return 0;
- }
-
- auto proto = StringRef{next_proto, next_proto_len};
-
- if (LOG_ENABLED(INFO)) {
- CLOG(INFO, this) << "The negotiated next protocol: " << proto;
+ proto = StringRef::from_lit("http/1.1");
}
if (!tls::in_proto_list(get_config()->tls.npn_list, proto)) {
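Review bot: The INFO log `No protocol negotiated. Fallback to HTTP/1.1` is now emitted before the `tls::in_proto_list(get_config()->tls.npn_list, proto)` gate, so when http/1.1 is absent from --npn-list the log announces a fallback that the very next statement rejects. Either move the log after the check or reword it to `No protocol negotiated; trying http/1.1` so it does not read as a decision. Routing the fallback through the same allow-list as a negotiated protocol is the right shape for the missing-ALPN-validation fix, but it silently tightens behaviour for deployments whose --npn-list omits http/1.1, which deserves a line in the option's help text. The removed branch also called `on_read()` to drain input that was already buffered; that call is no longer in this hunk and the rest of the function is outside it, so confirm the http/1.1 path still drains it.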
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/src/shrpx_config.cc new/nghttp2-1.31.1/src/shrpx_config.cc
--- old/nghttp2-1.29.0/src/shrpx_config.cc 2017-12-19 15:35:50.000000000 +0100
+++ new/nghttp2-1.31.1/src/shrpx_config.cc 2018-04-12 16:46:47.000000000 +0200
@@ -814,6 +814,7 @@
bool tls;
bool dns;
bool redirect_if_not_tls;
+ bool upgrade_scheme;
};
namespace {
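Review bot: The new `upgrade_scheme` member is a plain `bool` with no initializer, so its value is defined only if every construction site value-initializes this parameter struct before the keyword loop fills it; the struct's name and the site that builds it are outside this hunk, so I could not confirm that. `bool upgrade_scheme = false;` removes the doubt and documents the default; the three existing bools have the same exposure, so apply it to all four or none for consistency. An indeterminate value here would silently rewrite `:scheme` on a TLS backend, which is why I would not leave it to the caller.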
@@ -918,6 +919,8 @@
out.dns = true;
} else if (util::strieq_l("redirect-if-not-tls", param)) {
out.redirect_if_not_tls = true;
+ } else if (util::strieq_l("upgrade-scheme", param)) {
+ out.upgrade_scheme = true;
} else if (!param.empty()) {
LOG(ERROR) << "backend: " << param << ": unknown keyword";
return -1;
@@ -977,6 +980,7 @@
addr.tls = params.tls;
addr.sni = make_string_ref(downstreamconf.balloc, params.sni);
addr.dns = params.dns;
+ addr.upgrade_scheme = params.upgrade_scheme;
auto &routerconf = downstreamconf.router;
auto &router = routerconf.router;
@@ -2169,6 +2173,11 @@
break;
case 30:
switch (name[29]) {
+ case 'd':
+ if (util::strieq_l("verify-client-tolerate-expire", name, 29)) {
+ return SHRPX_OPTID_VERIFY_CLIENT_TOLERATE_EXPIRED;
+ }
+ break;
case 'r':
if (util::strieq_l("strip-incoming-x-forwarded-fo", name, 29)) {
return SHRPX_OPTID_STRIP_INCOMING_X_FORWARDED_FOR;
@@ -3551,6 +3560,10 @@
config->tls.ocsp.no_verify = util::strieq_l("yes", optarg);
return 0;
+ case SHRPX_OPTID_VERIFY_CLIENT_TOLERATE_EXPIRED:
+ config->tls.client_verify.tolerate_expired = util::strieq_l("yes", optarg);
+
+ return 0;
case SHRPX_OPTID_CONF:
LOG(WARN) << "conf: ignored";
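Review bot: Enabling `verify-client-tolerate-expired` deliberately weakens client-certificate validation, yet the option is parsed silently; the only trace is the per-handshake INFO line in the verify callback added elsewhere in this diff, which is easy to miss in production logging. I would emit a one-time startup warning here: `if (config->tls.client_verify.tolerate_expired) { LOG(WARN) << "verify-client-tolerate-expired: expired client certificates will be accepted"; }`. The value is derived with `util::strieq_l("yes", optarg)` like the neighbouring options, so anything other than `yes` disables it, which matches the existing style.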
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/src/shrpx_config.h new/nghttp2-1.31.1/src/shrpx_config.h
--- old/nghttp2-1.29.0/src/shrpx_config.h 2017-12-19 15:35:50.000000000 +0100
+++ new/nghttp2-1.31.1/src/shrpx_config.h 2018-04-12 16:46:47.000000000 +0200
@@ -343,6 +343,8 @@
StringRef::from_lit("no-strip-incoming-x-forwarded-proto");
constexpr auto SHRPX_OPT_OCSP_STARTUP = StringRef::from_lit("ocsp-startup");
constexpr auto SHRPX_OPT_NO_VERIFY_OCSP = StringRef::from_lit("no-verify-ocsp");
+constexpr auto SHRPX_OPT_VERIFY_CLIENT_TOLERATE_EXPIRED =
+ StringRef::from_lit("verify-client-tolerate-expired");
constexpr size_t SHRPX_OBFUSCATED_NODE_LENGTH = 8;
@@ -461,6 +463,10 @@
bool tls;
// true if dynamic DNS is enabled
bool dns;
+ // true if :scheme pseudo header field should be upgraded to secure
+ // variant (e.g., "https") when forwarding request to a backend
+ // connected by TLS connection.
+ bool upgrade_scheme;
};
// Mapping hash to idx which is an index into
@@ -598,6 +604,8 @@
// certificate validation
StringRef cacert;
bool enabled;
+ // true if we accept an expired client certificate.
+ bool tolerate_expired;
} client_verify;
// Client (backend connection) TLS configuration.
@@ -1121,6 +1129,7 @@
SHRPX_OPTID_USER,
SHRPX_OPTID_VERIFY_CLIENT,
SHRPX_OPTID_VERIFY_CLIENT_CACERT,
+ SHRPX_OPTID_VERIFY_CLIENT_TOLERATE_EXPIRED,
SHRPX_OPTID_WORKER_FRONTEND_CONNECTIONS,
SHRPX_OPTID_WORKER_READ_BURST,
SHRPX_OPTID_WORKER_READ_RATE,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/src/shrpx_connection_handler.cc new/nghttp2-1.31.1/src/shrpx_connection_handler.cc
--- old/nghttp2-1.29.0/src/shrpx_connection_handler.cc 2017-12-19 15:35:50.000000000 +0100
+++ new/nghttp2-1.31.1/src/shrpx_connection_handler.cc 2018-04-12 16:46:47.000000000 +0200
@@ -452,6 +452,8 @@
acceptors_.push_back(std::move(h));
}
+void ConnectionHandler::delete_acceptor() { acceptors_.clear(); }
+
void ConnectionHandler::enable_acceptor() {
for (auto &a : acceptors_) {
a->enable();
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/src/shrpx_connection_handler.h new/nghttp2-1.31.1/src/shrpx_connection_handler.h
--- old/nghttp2-1.29.0/src/shrpx_connection_handler.h 2017-12-19 15:35:50.000000000 +0100
+++ new/nghttp2-1.31.1/src/shrpx_connection_handler.h 2018-04-12 16:46:47.000000000 +0200
@@ -117,6 +117,7 @@
struct ev_loop *get_loop() const;
Worker *get_single_worker() const;
void add_acceptor(std::unique_ptr<AcceptHandler> h);
+ void delete_acceptor();
void enable_acceptor();
void disable_acceptor();
void sleep_acceptor(ev_tstamp t);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/src/shrpx_downstream.h new/nghttp2-1.31.1/src/shrpx_downstream.h
--- old/nghttp2-1.29.0/src/shrpx_downstream.h 2017-12-19 15:35:50.000000000 +0100
+++ new/nghttp2-1.31.1/src/shrpx_downstream.h 2018-04-12 16:46:47.000000000 +0200
@@ -32,6 +32,7 @@
#include <string>
#include <memory>
#include <chrono>
+#include <algorithm>
#include
@@ -207,7 +208,40 @@
unconsumed_body_length -= len;
}
+ // returns true if a resource denoted by scheme, authority, and path
+ // has already been pushed.
+ bool is_resource_pushed(const StringRef &scheme, const StringRef &authority,
+ const StringRef &path) const {
+ if (!pushed_resources) {
+ return false;
+ }
+ return std::find(std::begin(*pushed_resources), std::end(*pushed_resources),
+ std::make_tuple(scheme, authority, path)) !=
+ std::end(*pushed_resources);
+ }
+
+ // remember that a resource denoted by scheme, authority, and path
+ // is pushed.
+ void resource_pushed(const StringRef &scheme, const StringRef &authority,
+ const StringRef &path) {
+ if (!pushed_resources) {
+ pushed_resources = make_unique<
+ std::vector>>();
+ }
+ pushed_resources->emplace_back(scheme, authority, path);
+ }
+
FieldStore fs;
+ // array of the tuple of scheme, authority, and path of pushed
+ // resource. This is required because RFC 8297 says that server
+ // typically includes header fields appeared in non-final response
+ // header fields in final response header fields. Without checking
+ // that a particular resource has already been pushed, or not, we
+ // end up pushing the same resource at least twice. It is unknown
+ // that we should use more complex data structure (e.g., std::set)
+ // to find the resources faster.
+ std::unique_ptr>>
+ pushed_resources;
// the length of response body received so far
int64_t recv_body_length;
// The number of bytes not consumed by the application yet. This is
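Review bot: `pushed_resources` stores `StringRef` triples, which do not own their bytes, so every scheme/authority/path passed to `resource_pushed()` must outlive this Downstream's response; the callers added in shrpx_http2_upstream.cc pass values assembled from the request and the Link header, and whether those come from the downstream's block allocator or from a temporary is not visible in this diff. I would state the contract on the member: `// Entries are non-owning; callers must pass StringRefs backed by memory that outlives this Downstream (e.g. balloc).` The lookup is a linear scan, as the comment itself admits; a backend that emits many Link: rel=preload headers makes the push path quadratic, bounded only by whatever cap submit_push_promise applies, so a small `std::set` or a hard entry limit would be cheap insurance.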
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/src/shrpx_http2_downstream_connection.cc new/nghttp2-1.31.1/src/shrpx_http2_downstream_connection.cc
--- old/nghttp2-1.29.0/src/shrpx_http2_downstream_connection.cc 2017-12-19 15:35:50.000000000 +0100
+++ new/nghttp2-1.31.1/src/shrpx_http2_downstream_connection.cc 2018-04-12 16:46:47.000000000 +0200
@@ -291,7 +291,14 @@
if (req.method != HTTP_CONNECT) {
assert(!req.scheme.empty());
- nva.push_back(http2::make_nv_ls_nocopy(":scheme", req.scheme));
+ auto addr = http2session_->get_addr();
+ assert(addr);
+ // We will handle more protocol scheme upgrade in the future.
+ if (addr->tls && addr->upgrade_scheme && req.scheme == "http") {
+ nva.push_back(http2::make_nv_ll(":scheme", "https"));
+ } else {
+ nva.push_back(http2::make_nv_ls_nocopy(":scheme", req.scheme));
+ }
if (req.method == HTTP_OPTIONS && req.path.empty()) {
nva.push_back(http2::make_nv_ll(":path", "*"));
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/src/shrpx_http2_upstream.cc new/nghttp2-1.31.1/src/shrpx_http2_upstream.cc
--- old/nghttp2-1.29.0/src/shrpx_http2_upstream.cc 2017-12-19 15:35:50.000000000 +0100
+++ new/nghttp2-1.31.1/src/shrpx_http2_upstream.cc 2018-04-12 16:46:47.000000000 +0200
@@ -2039,7 +2039,7 @@
int rv;
const auto &req = downstream->request();
- const auto &resp = downstream->response();
+ auto &resp = downstream->response();
auto base = http2::get_pure_path_component(req.path);
if (base.empty()) {
@@ -2069,10 +2069,16 @@
authority = req.authority;
}
+ if (resp.is_resource_pushed(scheme, authority, path)) {
+ continue;
+ }
+
rv = submit_push_promise(scheme, authority, path, downstream);
if (rv != 0) {
return -1;
}
+
+ resp.resource_pushed(scheme, authority, path);
}
}
return 0;
@@ -2182,12 +2188,20 @@
authority = req.authority;
}
+ auto &resp = downstream->response();
+
+ if (resp.is_resource_pushed(scheme, authority, path)) {
+ return 0;
+ }
+
rv = submit_push_promise(scheme, authority, path, downstream);
if (rv != 0) {
return -1;
}
+ resp.resource_pushed(scheme, authority, path);
+
return 0;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/src/shrpx_http_downstream_connection.cc new/nghttp2-1.31.1/src/shrpx_http_downstream_connection.cc
--- old/nghttp2-1.29.0/src/shrpx_http_downstream_connection.cc 2017-12-19 15:35:50.000000000 +0100
+++ new/nghttp2-1.31.1/src/shrpx_http_downstream_connection.cc 2018-04-12 16:46:47.000000000 +0200
@@ -782,8 +782,10 @@
auto conn = static_cast(w->data);
auto dconn = static_cast(conn->data);
- // We don't have to check conn->expired_rt() since we restart timer
- // when connection gets idle.
+ if (w == &conn->rt && !conn->expired_rt()) {
+ return;
+ }
+
if (LOG_ENABLED(INFO)) {
DCLOG(INFO, dconn) << "Idle connection timeout";
}
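Review bot: The added early return for `w == &conn->rt && !conn->expired_rt()` leaves re-arming the read timer entirely to `expired_rt()`; if that helper only compares timestamps (it is not in this diff), the timer stops after the first premature wake-up and an idle backend connection is never reaped. If it does re-arm, say so at the return: `// expired_rt() re-arms rt when the idle deadline has not passed yet`. The timeout callback continues outside this hunk.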
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/src/shrpx_mruby_module_env.cc new/nghttp2-1.31.1/src/shrpx_mruby_module_env.cc
--- old/nghttp2-1.29.0/src/shrpx_mruby_module_env.cc 2017-12-19 15:35:50.000000000 +0100
+++ new/nghttp2-1.31.1/src/shrpx_mruby_module_env.cc 2018-04-12 16:46:47.000000000 +0200
@@ -260,6 +260,58 @@
} // namespace
namespace {
+mrb_value env_get_tls_client_not_before(mrb_state *mrb, mrb_value self) {
+ auto data = static_cast(mrb->ud);
+ auto downstream = data->downstream;
+ auto upstream = downstream->get_upstream();
+ auto handler = upstream->get_client_handler();
+ auto ssl = handler->get_ssl();
+
+ if (!ssl) {
+ return mrb_fixnum_value(0);
+ }
+
+ auto x = SSL_get_peer_certificate(ssl);
+ if (!x) {
+ return mrb_fixnum_value(0);
+ }
+
+ time_t t;
+ if (tls::get_x509_not_before(t, x) != 0) {
+ return mrb_fixnum_value(0);
+ }
+
+ return mrb_fixnum_value(t);
+}
+} // namespace
+
+namespace {
+mrb_value env_get_tls_client_not_after(mrb_state *mrb, mrb_value self) {
+ auto data = static_cast(mrb->ud);
+ auto downstream = data->downstream;
+ auto upstream = downstream->get_upstream();
+ auto handler = upstream->get_client_handler();
+ auto ssl = handler->get_ssl();
+
+ if (!ssl) {
+ return mrb_fixnum_value(0);
+ }
+
+ auto x = SSL_get_peer_certificate(ssl);
+ if (!x) {
+ return mrb_fixnum_value(0);
+ }
+
+ time_t t;
+ if (tls::get_x509_not_after(t, x) != 0) {
+ return mrb_fixnum_value(0);
+ }
+
+ return mrb_fixnum_value(t);
+}
+} // namespace
+
+namespace {
mrb_value env_get_tls_cipher(mrb_state *mrb, mrb_value self) {
auto data = static_cast(mrb->ud);
auto downstream = data->downstream;
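Review bot: Both new accessors call `SSL_get_peer_certificate(ssl)` and never release the result; that function returns a new reference, so every mruby call leaks one X509 (the shrpx_tls.cc changes in this same diff use `defer(...)` for exactly this kind of cleanup). Add `auto x_deleter = defer(X509_free, x);` right after the NULL check in both functions, or better, factor the shared ssl-to-X509 lookup into one helper, since the two bodies differ only in the `tls::get_x509_not_*` call. Returning `0` on every failure path is also fail-open for `tls_client_not_before`: a script doing `reject if now < env.tls_client_not_before` accepts a certificate whose validity could not be read, while the same sentinel on `not_after` fails closed; returning `mrb_nil_value()` on error would let scripts tell "no or unparseable certificate" from the epoch.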
@@ -374,6 +426,10 @@
env_get_tls_client_subject_name, MRB_ARGS_NONE());
mrb_define_method(mrb, env_class, "tls_client_serial",
env_get_tls_client_serial, MRB_ARGS_NONE());
+ mrb_define_method(mrb, env_class, "tls_client_not_before",
+ env_get_tls_client_not_before, MRB_ARGS_NONE());
+ mrb_define_method(mrb, env_class, "tls_client_not_after",
+ env_get_tls_client_not_after, MRB_ARGS_NONE());
mrb_define_method(mrb, env_class, "tls_cipher", env_get_tls_cipher,
MRB_ARGS_NONE());
mrb_define_method(mrb, env_class, "tls_protocol", env_get_tls_protocol,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/src/shrpx_mruby_module_request.cc new/nghttp2-1.31.1/src/shrpx_mruby_module_request.cc
--- old/nghttp2-1.29.0/src/shrpx_mruby_module_request.cc 2017-12-19 15:35:50.000000000 +0100
+++ new/nghttp2-1.31.1/src/shrpx_mruby_module_request.cc 2018-04-12 16:46:47.000000000 +0200
@@ -246,8 +246,9 @@
continue;
}
if (i != p) {
- headers[p++] = std::move(kv);
+ headers[p] = std::move(kv);
}
+ ++p;
}
headers.resize(p);
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/src/shrpx_mruby_module_response.cc new/nghttp2-1.31.1/src/shrpx_mruby_module_response.cc
--- old/nghttp2-1.29.0/src/shrpx_mruby_module_response.cc 2017-12-19 15:35:50.000000000 +0100
+++ new/nghttp2-1.31.1/src/shrpx_mruby_module_response.cc 2018-04-12 16:46:47.000000000 +0200
@@ -138,8 +138,9 @@
continue;
}
if (i != p) {
- headers[p++] = std::move(kv);
+ headers[p] = std::move(kv);
}
+ ++p;
}
headers.resize(p);
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/src/shrpx_tls.cc new/nghttp2-1.31.1/src/shrpx_tls.cc
--- old/nghttp2-1.29.0/src/shrpx_tls.cc 2017-12-19 15:35:50.000000000 +0100
+++ new/nghttp2-1.31.1/src/shrpx_tls.cc 2018-04-12 16:46:47.000000000 +0200
@@ -64,6 +64,7 @@
#include "tls.h"
#include "template.h"
#include "ssl_compat.h"
+#include "timegm.h"
using namespace nghttp2;
@@ -94,6 +95,12 @@
if (!preverify_ok) {
int err = X509_STORE_CTX_get_error(ctx);
int depth = X509_STORE_CTX_get_error_depth(ctx);
+ if (err == X509_V_ERR_CERT_HAS_EXPIRED && depth == 0 &&
+ get_config()->tls.client_verify.tolerate_expired) {
+ LOG(INFO) << "The client certificate has expired, but is accepted by "
+ "configuration";
+ return 1;
+ }
LOG(ERROR) << "client certificate verify error:num=" << err << ":"
<< X509_verify_cert_error_string(err) << ":depth=" << depth;
}
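Review bot: When an expired leaf is accepted, the new INFO line identifies neither the certificate nor the peer, so an auditor cannot later see which expired credential was let through; I would log at WARN with the subject, e.g. `LOG(WARN) << "expired client certificate accepted by configuration: " << tls::get_x509_subject_name(balloc, X509_STORE_CTX_get_current_cert(ctx));` using the subject-name accessor declared next to `get_x509_serial` in shrpx_tls.h (it needs a BlockAllocator, so wire one in the way the mruby module does). The scope is correctly narrow — `err == X509_V_ERR_CERT_HAS_EXPIRED && depth == 0` — so an expired intermediate is still rejected, and the option's help text should say that. Returning 1 lets the handshake proceed while OpenSSL, if I remember the API right, still reports the error from `SSL_get_verify_result()`, so check whether anything in nghttpx later gates on that being `X509_V_OK`. The verify callback's signature is above this hunk.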
@@ -1934,6 +1941,8 @@
return StringRef{};
}
+ auto b_deleter = defer(BIO_free, b);
+
// Not documented, but it seems that X509_NAME_print_ex returns the
// number of bytes written into b.
auto slen = X509_NAME_print_ex(b, nm, 0, XN_FLAG_RFC2253);
@@ -1943,7 +1952,6 @@
auto iov = make_byte_ref(balloc, slen + 1);
BIO_read(b, iov.base, slen);
- BIO_free(b);
iov.base[slen] = '\0';
return StringRef{iov.base, static_cast(slen)};
}
@@ -1991,6 +1999,74 @@
#endif // !OPENSSL_1_1_API
}
+namespace {
+// Performs conversion from |at| to time_t. The result is stored in
+// |t|. This function returns 0 if it succeeds, or -1.
+int time_t_from_asn1_time(time_t &t, const ASN1_TIME *at) {
+ int rv;
+
+#if OPENSSL_1_1_1_API
+ struct tm tm;
+ rv = ASN1_TIME_to_tm(at, &tm);
+ if (rv != 1) {
+ return -1;
+ }
+
+ t = nghttp2_timegm(&tm);
+#else // !OPENSSL_1_1_1_API
+ auto b = BIO_new(BIO_s_mem());
+ if (!b) {
+ return -1;
+ }
+
+ auto bio_deleter = defer(BIO_free, b);
+
+ rv = ASN1_TIME_print(b, at);
+ if (rv != 1) {
+ return -1;
+ }
+
+ unsigned char *s;
+ auto slen = BIO_get_mem_data(b, &s);
+ auto tt = util::parse_openssl_asn1_time_print(
+ StringRef{s, static_cast(slen)});
+ if (tt == 0) {
+ return -1;
+ }
+
+ t = tt;
+#endif // !OPENSSL_1_1_1_API
+
+ return 0;
+}
+} // namespace
+
+int get_x509_not_before(time_t &t, X509 *x) {
+#if OPENSSL_1_1_API
+ auto at = X509_get0_notBefore(x);
+#else // !OPENSSL_1_1_API
+ auto at = X509_get_notBefore(x);
+#endif // !OPENSSL_1_1_API
+ if (!at) {
+ return -1;
+ }
+
+ return time_t_from_asn1_time(t, at);
+}
+
+int get_x509_not_after(time_t &t, X509 *x) {
+#if OPENSSL_1_1_API
+ auto at = X509_get0_notAfter(x);
+#else // !OPENSSL_1_1_API
+ auto at = X509_get_notAfter(x);
+#endif // !OPENSSL_1_1_API
+ if (!at) {
+ return -1;
+ }
+
+ return time_t_from_asn1_time(t, at);
+}
+
} // namespace tls
} // namespace shrpx
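Review bot: In the pre-1.1.1 branch of `time_t_from_asn1_time`, `StringRef{s, slen}` wraps the mem-BIO's internal buffer and `util::parse_openssl_asn1_time_print()` then calls `s.c_str()` on it, but `BIO_get_mem_data` does not promise a terminating NUL; if StringRef::c_str() simply returns the pointer (it is not in this diff), strptime can read past the BIO buffer. Copy into a terminated local first: `std::string buf(reinterpret_cast<const char *>(s), slen);` and `auto tt = util::parse_openssl_asn1_time_print(StringRef{buf});`, or append a NUL with `BIO_write(b, "", 1)` before reading. The `tt == 0` failure sentinel also makes a certificate dated exactly 1970-01-01T00:00:00Z look like a parse error — harmless in practice, but worth a line in the helper's comment. `get_x509_not_before/after` check `at` but not `x`; the mruby callers check `x` first, so document that precondition: `// |x| must be non-NULL`.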
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/src/shrpx_tls.h new/nghttp2-1.31.1/src/shrpx_tls.h
--- old/nghttp2-1.29.0/src/shrpx_tls.h 2017-12-19 15:35:50.000000000 +0100
+++ new/nghttp2-1.31.1/src/shrpx_tls.h 2018-04-12 16:46:47.000000000 +0200
@@ -288,6 +288,14 @@
// number, it returns an empty string. number
StringRef get_x509_serial(BlockAllocator &balloc, X509 *x);
+// Fills NotBefore of |x| in |t|. This function returns 0 if it
+// succeeds, or -1.
+int get_x509_not_before(time_t &t, X509 *x);
+
+// Fills NotAfter of |x| in |t|. This function returns 0 if it
+// succeeds, or -1.
+int get_x509_not_after(time_t &t, X509 *x);
+
} // namespace tls
} // namespace shrpx
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/src/shrpx_worker.cc new/nghttp2-1.31.1/src/shrpx_worker.cc
--- old/nghttp2-1.29.0/src/shrpx_worker.cc 2017-12-19 15:35:50.000000000 +0100
+++ new/nghttp2-1.31.1/src/shrpx_worker.cc 2018-04-12 16:46:47.000000000 +0200
@@ -70,10 +70,10 @@
// DownstreamKey is used to index SharedDownstreamAddr in order to
// find the same configuration.
-using DownstreamKey =
- std::tuple>,
- bool, int, StringRef, StringRef, int>;
+using DownstreamKey = std::tuple<
+ std::vector>,
+ bool, int, StringRef, StringRef, int>;
namespace {
DownstreamKey create_downstream_key(
@@ -93,6 +93,7 @@
std::get<6>(*p) = a.host_unix;
std::get<7>(*p) = a.tls;
std::get<8>(*p) = a.dns;
+ std::get<9>(*p) = a.upgrade_scheme;
++p;
}
std::sort(std::begin(addrs), std::end(addrs));
@@ -220,6 +221,7 @@
dst_addr.fall = src_addr.fall;
dst_addr.rise = src_addr.rise;
dst_addr.dns = src_addr.dns;
+ dst_addr.upgrade_scheme = src_addr.upgrade_scheme;
auto shared_addr_ptr = shared_addr.get();
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/src/shrpx_worker.h new/nghttp2-1.31.1/src/shrpx_worker.h
--- old/nghttp2-1.29.0/src/shrpx_worker.h 2017-12-19 15:35:50.000000000 +0100
+++ new/nghttp2-1.31.1/src/shrpx_worker.h 2018-04-12 16:46:47.000000000 +0200
@@ -115,6 +115,10 @@
bool tls;
// true if dynamic DNS is enabled
bool dns;
+ // true if :scheme pseudo header field should be upgraded to secure
+ // variant (e.g., "https") when forwarding request to a backend
+ // connected by TLS connection.
+ bool upgrade_scheme;
};
// Simplified weighted fair queuing. Actually we don't use queue here
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/src/shrpx_worker_process.cc new/nghttp2-1.31.1/src/shrpx_worker_process.cc
--- old/nghttp2-1.29.0/src/shrpx_worker_process.cc 2017-12-19 15:35:50.000000000 +0100
+++ new/nghttp2-1.31.1/src/shrpx_worker_process.cc 2018-04-12 16:46:47.000000000 +0200
@@ -114,12 +114,10 @@
conn_handler->set_graceful_shutdown(true);
- conn_handler->disable_acceptor();
-
- // After disabling accepting new connection, dispatch incoming
- // connection in backlog.
-
+ // TODO What happens for the connections not established in the
+ // kernel?
conn_handler->accept_pending_connection();
+ conn_handler->delete_acceptor();
conn_handler->graceful_shutdown_worker();
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/src/util.cc new/nghttp2-1.31.1/src/util.cc
--- old/nghttp2-1.29.0/src/util.cc 2017-12-19 15:35:50.000000000 +0100
+++ new/nghttp2-1.31.1/src/util.cc 2018-04-12 16:46:47.000000000 +0200
@@ -70,9 +70,16 @@
namespace util {
-#ifdef _WIN32
+#ifndef _WIN32
+namespace {
+int nghttp2_inet_pton(int af, const char *src, void *dst) {
+ return inet_pton(af, src, dst);
+}
+} // namespace
+#else // _WIN32
+namespace {
// inet_pton-wrapper for Windows
-static int inet_pton(int af, const char *src, void *dst) {
+int nghttp2_inet_pton(int af, const char *src, void *dst) {
#if _WIN32_WINNT >= 0x0600
return InetPtonA(af, src, dst);
#else
@@ -88,6 +95,7 @@
return 0;
#endif
}
+} // namespace
#endif // _WIN32
const char UPPER_XDIGITS[] = "0123456789ABCDEF";
@@ -407,6 +415,15 @@
#endif // !_WIN32
}
+time_t parse_openssl_asn1_time_print(const StringRef &s) {
+ tm tm{};
+ auto r = strptime(s.c_str(), "%b %d %H:%M:%S %Y GMT", &tm);
+ if (r == nullptr) {
+ return 0;
+ }
+ return nghttp2_timegm_without_yday(&tm);
+}
+
char upcase(char c) {
if ('a' <= c && c <= 'z') {
return c - 'a' + 'A';
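Review bot: `strptime()` returns a pointer to the first unparsed character and `parse_openssl_asn1_time_print` only tests it for nullptr, so `Feb  3 00:55:52 2015 GMTjunk` parses successfully; tighten with `if (r == nullptr || *r != '\0') { return 0; }`. The 0 return doubles as the epoch, so callers cannot distinguish failure from a certificate valid since 1970-01-01 — if the sentinel stays, say so in the util.h comment. `strptime` is POSIX; the `#endif // !_WIN32` immediately above shows this file already fences platform code, so the Windows build will need the same treatment or a stub.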
@@ -653,7 +670,7 @@
int rv;
std::array dst;
- rv = inet_pton(family, hostname, dst.data());
+ rv = nghttp2_inet_pton(family, hostname, dst.data());
return rv == 1;
}
@@ -950,7 +967,7 @@
bool ipv6_numeric_addr(const char *host) {
uint8_t dst[16];
- return inet_pton(AF_INET6, host, dst) == 1;
+ return nghttp2_inet_pton(AF_INET6, host, dst) == 1;
}
namespace {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/src/util.h new/nghttp2-1.31.1/src/util.h
--- old/nghttp2-1.29.0/src/util.h 2017-12-19 15:35:50.000000000 +0100
+++ new/nghttp2-1.31.1/src/util.h 2018-04-12 16:46:47.000000000 +0200
@@ -196,6 +196,11 @@
time_t parse_http_date(const StringRef &s);
+// Parses time formatted as "MMM DD HH:MM:SS YYYY [GMT]" (e.g., Feb 3
+// 00:55:52 2015 GMT), which is specifically used by OpenSSL
+// ASN1_TIME_print().
+time_t parse_openssl_asn1_time_print(const StringRef &s);
+
char upcase(char c);
inline char lowcase(char c) {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/tests/nghttp2_session_test.c new/nghttp2-1.31.1/tests/nghttp2_session_test.c
--- old/nghttp2-1.29.0/tests/nghttp2_session_test.c 2017-12-19 15:35:50.000000000 +0100
+++ new/nghttp2-1.31.1/tests/nghttp2_session_test.c 2018-04-12 16:46:47.000000000 +0200
@@ -2297,6 +2297,31 @@
nghttp2_session_del(session);
+ /* send too large frame */
+ nghttp2_buf_reset(&buf);
+
+ nghttp2_session_client_new2(&session, &callbacks, &ud, option);
+
+ session->local_settings.max_frame_size = NGHTTP2_MAX_FRAME_SIZE_MIN - 1;
+
+ nghttp2_frame_hd_init(&hd, NGHTTP2_MAX_FRAME_SIZE_MIN + 1, NGHTTP2_ALTSVC,
+ NGHTTP2_FLAG_NONE, 0);
+ nghttp2_frame_pack_frame_hd(buf.last, &hd);
+ buf.last += NGHTTP2_FRAME_HDLEN;
+ nghttp2_put_uint16be(buf.last, sizeof(origin) - 1);
+ buf.last += 2;
+ buf.last = nghttp2_cpymem(buf.last, origin, sizeof(origin) - 1);
+ memset(buf.last, 0, nghttp2_buf_avail(&buf));
+ buf.last += nghttp2_buf_avail(&buf);
+
+ ud.frame_recv_cb_called = 0;
+ rv = nghttp2_session_mem_recv(session, buf.pos, nghttp2_buf_len(&buf));
+
+ CU_ASSERT((ssize_t)nghttp2_buf_len(&buf) == rv);
+ CU_ASSERT(0 == ud.frame_recv_cb_called);
+
+ nghttp2_session_del(session);
+
/* received by server */
nghttp2_buf_reset(&buf);