Arvanresty 1.17.2

Master

pull request from arvanresty

bugfix: applied the patch for security advisory to NGINX cores < 1.14.1 and < 1.15.6 (CVE-2019-9511 CVE-2019-9513 CVE-2019-9516).

bugfix: applied the patch for security advisory to NGINX cores < 1.14.1 and < 1.15.6 (CVE-2018-16843 CVE-2018-16844).

bugfix: applied the patch for security advisory to NGINX cores < 1.14.1 and < 1.15.6 (CVE-2018-16845).

Signed-off-by: Thibault Charbonnier <thibaultcha@me.com>

merge 1.17

Arvanresty 1.17.0

optimize: added an NGINX core patch to ensure unused listening fds are closed when 'reuseport' is used.

When `reuseport` is enabled in the `listen` directive, Nginx will create
a listening fd for each worker process in the master process.

These fds will be inherited by the worker processes, but most of them
are unused. For example, considering we have 32 listening ip:port
configurations and 64 worker processes, each worker process will inherit
2048 (32 * 64) listening fds, but only 32 fds are used. By closing the
unused fds, this change could save up to 2016 (32 * 63) fds in a worker
process.

It doesn't affect the listening socket, since there is only one used fd
which associates to the socket with or without this change.

Co-authored-by: Thibault Charbonnier <thibaultcha@me.com>

Signed-off-by: Thibault Charbonnier <thibaultcha@me.com>

Previously, we used the OpenSSL 1.1.1 ClientHello callback to do ssl
session fetching non-blockingly. However, this way cannot handle an edge
case: the ssl session resumption via session ticket might fail, and the
client fallbacks to session ID resumption. The ClientHello callback is
run too early to know if the client will fallback to use session ID
resumption.

Therefore, we have to take back the OpenSSL sess_set_get_cb_yield patch
and upgrade it to adapt OpenSSL 1.1.1.

Thanks Yongjian Xu and crasyangel for their help.

See 08e9e507

.

Signed-off-by: Thibault Charbonnier <thibaultcha@me.com>

change: renamed the 'ssl_pending_session' patch to 'ssl_sess_cb_yield' for NGINX cores 1.17.1 and above.

Its naming is now aligned with the `ssl_cert_cb_yield` patch.

See 08e9e507 for details on why this renaming was reverted for the 1.15.8
version of this patch.

Revert "feature: updated the NGINX patches for async SSL session fetching to support OpenSSL 1.1.1."

This reverts commit 9e834398.

Support for OpenSSL 1.1.1 will come with the 1.17.1 series of NGINX
patches. Since no other 1.15.8.* releases are planned, we are reverting
the state of the 1.15.8 patches to that of the 1.15.8.1 release.

The patch was also renamed from `ssl_pending_session.patch` to
`ssl_sess_cb_yield.patch` (similarly to the existing
`ssl_cert_cb_yield.patch` one).

Signed-off-by: Thibault Charbonnier <thibaultcha@me.com>

Update ver

Master