October 2025 – CodeIT Technical blog

NGINX 1.29.3 Mainline with Brotli, TLS 1.3, OpenSSL 3.5.4, HTTP/2 and HTTP/3 for Red Hat Enterprise Linux, CentOS, Rocky, Oracle, Alma Linux EL7/EL8/EL9/EL10

nginx 1.29.3 Mainline with HTTP/3 support added to EL7, EL8, EL9, EL10 repositories. brotli compression module from Google, http2, ngx cache purge and ngx http geoip2 modules added or built-in. OpenSSL built dynamically using official OpenSSL 3.5.1 with QUIC support.

Our OpenSSL 3.5.4 builds break compatibility with nginx 1.28.x and earlier versions, as they are compiled against quictls project with their own APIs. Thus, to upgrade OpenSSL QUIC libs, please use nginx >= 1.29.0.

SSL: support for compressed server certificates with BoringSSL. by @pluknet in #823
HTTP CONNECT infrastructure by @arut in #935
Upstream: reset local address in case of error. by @arut in #942
SSL: $ssl_sigalg, $ssl_client_sigalg. by @pluknet in #932, initial work by @willmafh in #554
Geo: the “volatile” parameter. by @dplotnikov-f5 in #943
Inheritance control for add_header and add_trailer. by @arut in #918
OCSP: fixed invalid type for the ‘ssl_ocsp’ directive. by @roman-f5 in #938
Fixed compilation warnings on Windows after c93a0c4. by @arut in #954
Modules compatibility: increased compat section size. by @arut in #952
nginx-1.29.3 changes by @arut in #953

brotli 1.2.0 rpms added to the repository

brotli and libbrotli 1.2.0 added to the repository to all supported platforms

nghttp2 1.68.0 rpms released

nghttp2 1.68.0 rpms released and added to all supported platforms.

OpenSSL 3.5.4 rpms released

openssl 3.5.4 rpms released and added to all supported platforms (Alma Linux, Rocky Linux, RedHat Enterprise Linux RHEL, Oracle Linux).

CVE-2025-9230 – Fix Out-of-bounds read & write in RFC 3211 KEK Unwrap.
CVE-2025-9231 – Fix Timing side-channel in SM2 algorithm on 64-bit ARM.
CVE-2025-9232 – Fix Out-of-bounds read in HTTP client no_proxy handling.

OpenSSL 3.5 is a release featuring QUIC server support.

We continue to build libs with quic support as a separate non-conflicting package openssl-quic-libs, files have separate .so.81.3 suffix to avoid conflicts with the official .so.3.

ngtcp2 1.17.0 rpms released

ngtcp2 1.17.0 rpms released and added to all supported platforms.

ngtcp2 libraries stack built with OpenSSL 3.5.1. quic client name is osslclient.

NGINX 1.29.2 Mainline with Brotli, TLS 1.3, OpenSSL 3.5.1, HTTP/2 and HTTP/3 for Red Hat Enterprise Linux, CentOS, Rocky, Oracle, Alma Linux EL7/EL8/EL9/EL10

nginx 1.29.2 Mainline with HTTP/3 support added to EL7, EL8, EL9, EL10 repositories. brotli compression module from Google, http2, ngx cache purge and ngx http geoip2 modules added or built-in. OpenSSL built dynamically using official OpenSSL 3.5.1 with QUIC support.

Our OpenSSL 3.5.1 builds break compatibility with nginx 1.28.x and earlier versions, as they are compiled against quictls project with their own APIs. Thus, to upgrade OpenSSL QUIC libs, please use nginx >= 1.29.0.

Added a previously missed changes entry in 1.29.1 relnotes. by @pluknet in #844
Removed legacy charset directive from default config example. by @MohamedKarrab in #829
QUIC: fixed ssl_reject_handshake error handling. by @pluknet in #889
Updated link to xslscript. by @pluknet in #854
Fixed inaccurate index directive error report by @willmafh in #881
SNI: using ClientHello callback. by @pluknet in #562
AWS-LC support changes by @pluknet in #848
Upstream: overflow detection in Cache-Control delta-seconds. by @pluknet in #898
Mail: xtext encoding (RFC 3461) in XCLIENT LOGIN. by @pluknet in #893
SSL: fixed “key values mismatch” with object cache inheritance. by @pluknet in #740
nginx-1.29.2 changes by @pluknet in #919