Skip to content

Commit

Permalink
Merge pull request #3006 from ElvinEfendi/nginx-patch-for-cert-by-lua
Browse files Browse the repository at this point in the history
apply nginx patch to make ssl_certificate_by_lua_block work properly
  • Loading branch information
k8s-ci-robot authored Aug 29, 2018
2 parents 355b793 + 0408d66 commit 91eecde
Show file tree
Hide file tree
Showing 3 changed files with 46 additions and 1 deletion.
2 changes: 1 addition & 1 deletion images/nginx/Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@
# limitations under the License.

# 0.0.0 shouldn't clobber any released builds
TAG ?= 0.60
TAG ?= 0.61
REGISTRY ?= quay.io/kubernetes-ingress-controller
ARCH ?= $(shell go env GOARCH)
DOCKER ?= docker
Expand Down
3 changes: 3 additions & 0 deletions images/nginx/rootfs/build.sh
Original file line number Diff line number Diff line change
Expand Up @@ -421,6 +421,9 @@ Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTE
# build nginx
cd "$BUILD_PATH/nginx-$NGINX_VERSION"

# apply Nginx patches
patch -p1 < /patches/openresty-ssl_cert_cb_yield.patch

WITH_FLAGS="--with-debug \
--with-compat \
--with-pcre-jit \
Expand Down
42 changes: 42 additions & 0 deletions images/nginx/rootfs/patches/openresty-ssl_cert_cb_yield.patch
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
# HG changeset patch
# User Yichun Zhang <[email protected]>
# Date 1451762084 28800
# Sat Jan 02 11:14:44 2016 -0800
# Node ID 449f0461859c16e95bdb18e8be6b94401545d3dd
# Parent 78b4e10b4367b31367aad3c83c9c3acdd42397c4
SSL: handled SSL_CTX_set_cert_cb() callback yielding.

OpenSSL 1.0.2+ introduces SSL_CTX_set_cert_cb() to allow custom
callbacks to serve the SSL certificiates and private keys dynamically
and lazily. The callbacks may yield for nonblocking I/O or sleeping.
Here we added support for such usage in NGINX 3rd-party modules
(like ngx_lua) in NGINX's event handlers for downstream SSL
connections.

diff -r 78b4e10b4367 -r 449f0461859c src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Thu Dec 17 16:39:15 2015 +0300
+++ b/src/event/ngx_event_openssl.c Sat Jan 02 11:14:44 2016 -0800
@@ -1210,6 +1210,23 @@
return NGX_AGAIN;
}

+#if OPENSSL_VERSION_NUMBER >= 0x10002000L
+ if (sslerr == SSL_ERROR_WANT_X509_LOOKUP) {
+ c->read->handler = ngx_ssl_handshake_handler;
+ c->write->handler = ngx_ssl_handshake_handler;
+
+ if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
+ return NGX_ERROR;
+ }
+
+ if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
+ return NGX_ERROR;
+ }
+
+ return NGX_AGAIN;
+ }
+#endif
+
err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0;

c->ssl->no_wait_shutdown = 1;

0 comments on commit 91eecde

Please sign in to comment.