The nginx 1.29.2 mainline release has been published; development of new features continues in this branch. In parallel, the stable 1.28.x branch is maintained and receives only changes that fix serious bugs and vulnerabilities. In the future, the stable branch 1.29 will be formed on the basis of the mainline branch 1.30.x. The project's code is written in C and distributed under the BSD license.
In the new release:
- Added the ability to build with the AWS-LC cryptographic library, developed by Amazon.
- Fixed a problem with the "ssl_protocols" directive in a virtual server other than the default server. The problem appeared when using OpenSSL 1.1.1 and later releases.
- Fixed TLSv1.3 handshake failures in configurations with OpenSSL and client certificates. The failure occurred when resuming a session with a different SNI value.
- Fixed a bug that caused the "ignoring stale global SSL error" message to be logged when using the QUIC protocol and the "ssl_reject_handshake" directive.
- Fixed a problem with handling time-based values in the Cache-Control HTTP header returned by the backend.
- The XCLIENT command now uses xtext encoding.
- Fixed a problem with caching TLS certificates during reconfiguration.
Additionally, it is worth noting the release of FreeNginx 1.29.2, a fork of Nginx. Development of the fork is led by Maxim Dounin, one of the key Nginx developers. FreeNginx positions itself as a non-commercial project that ensures development of the Nginx code base without corporate interference. The FreeNginx code continues to be licensed under the BSD license. Changes in FreeNginx 1.29.2 include added support for the ECH (Encrypted Client Hello) TLS extension.
Source: opennet.ru
