nginx-0.3.45-RELEASE import

    *) Feature: the "ssl_verify_client", "ssl_verify_depth", and
       "ssl_client_certificate" directives.

    *) Change: the $request_method variable now returns the main request
       method.

    *) Change: the ° symbol codes were changed in koi-win conversion
       table.

    *) Feature: the euro and N symbols were added to koi-win conversion
       table.

    *) Bugfix: if nginx distributed the requests among several backends and
       some backend failed, then requests intended for this backend was
       directed to one live backend only instead of being distributed among
       the rest.

conf/koi-win

@@ -1,12 +1,12 @@
 
 charset_map  koi8-r  windows-1251 {
 
+    80  88 ; # euro
+
     95  95 ; # bullet
 
     9A  A0 ; #  
 
-    9C  B0 ; # °
-
     9E  B7 ; # ·
 
     A3  B8 ; # small yo
@@ -18,12 +18,16 @@ charset_map  koi8-r  windows-1251 {
     AD  B4 ; # small Ukrainian soft g
     AE  A2 ; # small Byelorussian short u
 
+    B0  B0 ; # °
+
     B3  A8 ; # capital YO
     B4  AA ; # capital Ukrainian YE
 
     B6  B2 ; # capital Ukrainian I
     B7  AF ; # capital Ukrainian J
 
+    B9  B9 ; # No
+
     BD  A5 ; # capital Ukrainian soft G
     BE  A1 ; # capital Byelorussian short U
 

docs/xml/nginx/changes.xml

@@ -9,6 +9,61 @@
 <title lang="en">nginx changelog</title>
 
 
+<changes ver="0.3.45" date="06.05.2006">
+
+<change type="feature">
+<para lang="ru">
+ÄÉÒÅËÔÉ×Ù ssl_verify_client, ssl_verify_depth É ssl_client_certificate.
+</para>
+<para lang="en">
+the "ssl_verify_client", "ssl_verify_depth", and "ssl_client_certificate"
+directives.
+</para>
+</change>
+
+<change type="change">
+<para lang="ru">
+ÔÅÐÅÒØ ÐÅÒÅÍÅÎÎÁÑ $request_method ×ÏÚ×ÒÁÝÁÅÔ ÍÅÔÏÄ ÔÏÌØËÏ ÏÓÎÏ×ÎÏÇÏ ÚÁÐÒÏÓÁ.
+</para>
+<para lang="en">
+the $request_method variable now returns the main request method.
+</para>
+</change>
+
+<change type="change">
+<para lang="ru">
+× ÔÁÂÌÉÃÅ ÐÅÒÅËÏÄÉÒÏ×ËÉ koi-win ÉÚÍÅÎÅÎÙ ËÏÄÙ ÓÉÍ×ÏÌÁ &amp;deg;.
+</para>
+<para lang="en">
+the &amp;deg; symbol codes were changed in koi-win conversion table.
+</para>
+</change>
+
+<change type="feature">
+<para lang="ru">
+× ÔÁÂÌÉÃÕ ÐÅÒÅËÏÄÉÒÏ×ËÉ koi-win ÄÏÂÁ×ÌÅÎÙ ÓÉÍ×ÏÌÙ Å×ÒÏ É ÎÏÍÅÒÁ.
+</para>
+<para lang="en">
+the euro É N symbols were added to koi-win conversion table.
+</para>
+</change>
+
+<change type="bugfix">
+<para lang="ru">
+ÅÓÌÉ nginx ÒÁÓÐÒÅÄÅÌÑÌ ÚÁÐÒÏÓÙ ÎÁ ÎÅÓËÏÌØËÏ ÍÁÛÉÎ, ÔÏ ÐÒÉ ÐÁÄÅÎÉÉ
+ÏÄÎÏÊ ÉÚ ÎÉÈ ÚÁÐÒÏÓÙ, ÐÒÅÄÎÁÚÎÁÞÅÎÎÙÅ ÄÌÑ ÜÔÏÊ ÍÁÛÉÎÙ, ÐÅÒÅÎÁÐÒÁ×ÌÑÌÉÓØ ÔÏÌØËÏ
+ÎÁ ÏÄÎÕ ÍÁÛÉÎÕ ×ÍÅÓÔÏ ÔÏÇÏ, ÞÔÏÂÙ ÒÁ×ÎÏÍÅÒÎÏ ÒÁÓÐÒÅÄÅÌÑÔØÓÑ ÍÅÖÄÕ ÏÓÔÁÌØÎÙÍÉ.
+</para>
+<para lang="en">
+if nginx distributed the requests among several backends and some backend
+failed, then requests intended for this backend was directed to one live
+backend only instead of being distributed among the rest.
+</para>
+</change>
+
+</changes>
+
+
 <changes ver="0.3.44" date="04.05.2006">
 
 <change type="feature">

src/core/nginx.h

@@ -8,7 +8,7 @@
 #define _NGINX_H_INCLUDED_
 
 
-#define NGINX_VER          "nginx/0.3.44"
+#define NGINX_VER          "nginx/0.3.45"
 
 #define NGINX_VAR          "NGINX"
 #define NGX_OLDPID_EXT     ".oldbin"

src/event/ngx_event_connect.c

@@ -61,54 +61,75 @@ ngx_event_connect_peer(ngx_peer_connection_t *pc)
 
             /* it's a first try - get a current peer */
 
-            pc->cur_peer = pc->peers->current;
+            for ( ;; ) {
+                pc->cur_peer = pc->peers->current;
 
-            pc->peers->weight--;
+                peer = &pc->peers->peer[pc->cur_peer];
+
+                if (peer->max_fails == 0 || peer->fails <= peer->max_fails) {
+                    break;
+                }
+
+                if (now - peer->accessed > peer->fail_timeout) {
+                    peer->fails = 0;
+                    break;
+                }
 
-            if (pc->peers->weight == 0) {
                 pc->peers->current++;
-            }
 
-            if (pc->peers->current >= pc->peers->number) {
-                pc->peers->current = 0;
-            }
+                if (pc->peers->current >= pc->peers->number) {
+                    pc->peers->current = 0;
+                }
 
-            if (pc->peers->weight == 0) {
                 pc->peers->weight = pc->peers->peer[pc->peers->current].weight;
-            }
-        }
 
-        for ( ;; ) {
-            peer = &pc->peers->peer[pc->cur_peer];
+                pc->tries--;
 
-            if (peer->max_fails == 0 || peer->fails <= peer->max_fails) {
-                break;
-            }
+                if (pc->tries) {
+                    continue;
+                }
 
-            if (now - peer->accessed > peer->fail_timeout) {
-                peer->fails = 0;
-                break;
+                goto failed;
             }
 
-            pc->cur_peer++;
+            pc->peers->weight--;
 
-            if (pc->cur_peer >= pc->peers->number) {
-                pc->cur_peer = 0;
+            if (pc->peers->weight == 0) {
+                pc->peers->current++;
+
+                if (pc->peers->current >= pc->peers->number) {
+                    pc->peers->current = 0;
+                }
+
+                pc->peers->weight = pc->peers->peer[pc->peers->current].weight;
             }
 
-            pc->tries--;
+        } else {
+            for ( ;; ) {
+                peer = &pc->peers->peer[pc->cur_peer];
 
-            if (pc->tries == 0) {
+                if (peer->max_fails == 0 || peer->fails <= peer->max_fails) {
+                    break;
+                }
+
+                if (now - peer->accessed > peer->fail_timeout) {
+                    peer->fails = 0;
+                    break;
+                }
 
-                /* all peers failed, mark them as live for quick recovery */
+                pc->cur_peer++;
 
-                for (i = 0; i < pc->peers->number; i++) {
-                    pc->peers->peer[i].fails = 0;
+                if (pc->cur_peer >= pc->peers->number) {
+                    pc->cur_peer = 0;
                 }
 
-                /* ngx_unlock_mutex(pc->peers->mutex); */
+                pc->tries--;
+
+                if (pc->tries) {
+                    continue;
+                }
 
-                return NGX_BUSY;
+                goto failed;
             }
         }
     }
@@ -319,6 +340,18 @@ ngx_event_connect_peer(ngx_peer_connection_t *pc)
     wev->ready = 1;
 
     return NGX_OK;
+
+failed:
+
+    /* all peers failed, mark them as live for quick recovery */
+
+    for (i = 0; i < pc->peers->number; i++) {
+        pc->peers->peer[i].fails = 0;
+    }
+
+    /* ngx_unlock_mutex(pc->peers->mutex); */
+
+    return NGX_BUSY;
 }
 
 

src/event/ngx_event_openssl.c

@@ -164,7 +164,8 @@ ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
     }
 
     if (SSL_CTX_use_PrivateKey_file(ssl->ctx, (char *) key->data,
-                                    SSL_FILETYPE_PEM) == 0)
+                                    SSL_FILETYPE_PEM)
+        == 0)
     {
         ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                       "SSL_CTX_use_PrivateKey_file(\"%s\") failed", key->data);
@@ -175,6 +176,26 @@ ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
 }
 
 
+ngx_int_t
+ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert)
+{
+    if (ngx_conf_full_name(cf->cycle, cert) == NGX_ERROR) {
+        return NGX_ERROR;
+    }
+
+    if (SSL_CTX_load_verify_locations(ssl->ctx, (char *) cert->data, NULL)
+        == 0)
+    {
+        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+                      "SSL_CTX_load_verify_locations(\"%s\") failed",
+                      cert->data);
+        return NGX_ERROR;
+    }
+
+    return NGX_OK;
+}
+
+
 ngx_int_t
 ngx_ssl_generate_rsa512_key(ngx_ssl_t *ssl)
 {
@@ -1023,6 +1044,88 @@ ngx_ssl_get_cipher_name(ngx_connection_t *c)
 }
 
 
+ngx_int_t
+ngx_ssl_get_subject_dn(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
+{
+    char       *p;
+    size_t      len;
+    X509       *cert;
+    X509_NAME  *name;
+
+    s->len = 0;
+
+    cert = SSL_get_peer_certificate(c->ssl->connection);
+
+    if (cert == NULL) {
+        return NGX_OK;
+    }
+
+    name = X509_get_subject_name(cert);
+
+    if (name == NULL) {
+        return NGX_ERROR;
+    }
+
+    p = X509_NAME_oneline(name, NULL, 0);
+
+    for (len = 0; p[len]; len++) { /* void */ }
+
+    s->len = len;
+    s->data = ngx_palloc(pool, len);
+    if (s->data == NULL) {
+        OPENSSL_free(p);
+        return NGX_ERROR;
+    }
+
+    ngx_memcpy(s->data, p, len);
+
+    OPENSSL_free(p);
+
+    return NGX_OK;
+}
+
+
+ngx_int_t
+ngx_ssl_get_issuer_dn(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
+{
+    char       *p;
+    size_t      len;
+    X509       *cert;
+    X509_NAME  *name;
+
+    s->len = 0;
+
+    cert = SSL_get_peer_certificate(c->ssl->connection);
+
+    if (cert == NULL) {
+        return NGX_OK;
+    }
+
+    name = X509_get_issuer_name(cert);
+
+    if (name == NULL) {
+        return NGX_ERROR;
+    }
+
+    p = X509_NAME_oneline(name, NULL, 0);
+
+    for (len = 0; p[len]; len++) { /* void */ }
+
+    s->len = len;
+    s->data = ngx_palloc(pool, len);
+    if (s->data == NULL) {
+        OPENSSL_free(p);
+        return NGX_ERROR;
+    }
+
+    ngx_memcpy(s->data, p, len);
+
+    OPENSSL_free(p);
+
+    return NGX_OK;
+}
+
+
 static void *
 ngx_openssl_create_conf(ngx_cycle_t *cycle)
 {

src/event/ngx_event_openssl.h

@@ -31,6 +31,7 @@ typedef struct {
 
 typedef struct {
     SSL                        *connection;
+
     ngx_int_t                   last;
     ngx_buf_t                  *buf;
 
@@ -60,10 +61,15 @@ typedef struct {
 #define NGX_SSL_BUFSIZE  16384
 
 
+#define NGX_SSL_VERIFY   SSL_VERIFY_PEER
+
+
 ngx_int_t ngx_ssl_init(ngx_log_t *log);
 ngx_int_t ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols);
 ngx_int_t ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
     ngx_str_t *cert, ngx_str_t *key);
+ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
+    ngx_str_t *cert);
 ngx_int_t ngx_ssl_generate_rsa512_key(ngx_ssl_t *ssl);
 ngx_int_t ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c,
     ngx_uint_t flags);
@@ -75,6 +81,11 @@ ngx_int_t ngx_ssl_set_session(ngx_connection_t *c, ngx_ssl_session_t *session);
 
 u_char *ngx_ssl_get_protocol(ngx_connection_t *c);
 u_char *ngx_ssl_get_cipher_name(ngx_connection_t *c);
+ngx_int_t ngx_ssl_get_subject_dn(ngx_connection_t *c, ngx_pool_t *pool,
+    ngx_str_t *s);
+ngx_int_t ngx_ssl_get_issuer_dn(ngx_connection_t *c, ngx_pool_t *pool,
+    ngx_str_t *s);
+
 
 
 ngx_int_t ngx_ssl_handshake(ngx_connection_t *c);