feature: added ssl_certificiate_by_lua* directives to allow controlling downstream SSL handshakes with Lua #637
Conversation
…y_lua_file directives. also added the Lua module ngx.ssl under the lua/ directory.
…y_lua_file directives. also added the Lua module ngx.ssl under the lua/ directory.
…d cert_pem_to_der().
…RORS/lua-nginx-module into ssl-cert-by-lua Conflicts: lua/ngx/ssl.lua src/ngx_http_lua_sslcertby.c t/130-ssl-cert-by.t
…e ngx.ssl module.
…tus_req", for sending the status request in the TLS status extension.
…p_run_posted_requests. we now avoid running the openssl handshake dispatcher directly in our fake connection's pool cleanup handler by means of posting an event.
…tls1_version_str().
…context. also ensure Lua runtime errors are properly propagated.
…tion fails. thanks Piotr Sikora for the report.
…ection is closed prematurely.
…lient: xxx, server: xxx" context info. thanks Piotr Sikora for the suggestion.
…ted tests since they are now going to lua-resty-core.
…g the nginx core. yay!
…l_certificate_by_lua*.
…ks yejingx for the patch in #537.
|
@lziest @lordnynex @bungle @doujiang24 @andrea-spoldi @moseleymark @marklkelly @yejingx and others (sorry if I didn't mention your names explicitly). Please review this PR for me :) Thanks! |
| ngx_event_handler_pt saved_read_handler; | ||
| ngx_event_handler_pt saved_write_handler; | ||
|
|
||
| + void *lua_ctx; /* used by 3rd-party modules */ |
There was a problem hiding this comment.
@lziest Oh, this patch is already obsolete. I've just removed the whole patch file :) Thanks for the catch.
|
lgtm |
|
Hi, On ssl.t there are lines like this: Should it really be: |
|
If I change that Is it because of my configs or something? (ocsp.t runs with all test passed) |
|
I also added some locals to ocsp.lua and ssl.lua here: |
|
@bungle The https://github.com/openresty/lua-nginx-module/blob/master/util/build2.sh To run the tests on Mac OS X, we have to add 127.0.0.2 to the loopback device, via the following command: |
|
@bungle The failed raw_server_addr tests on Mac OS X reveal a bug in my implementation. I'll commit a fix soon :) Thanks! |
… the ABI, which is not portable. thanks Aapo Talvensaari for the report.
|
Okay, this branch has just been merged into master. I'm closing this. Further issues should go to separate tickets :) |
This pull request relies on the following nginx core patch:
https://github.com/openresty/ngx_openresty/blob/master/patches/nginx-1.9.7-ssl_cert_cb_yield.patch
(already proposed to the nginx-devel mailing list: http://mailman.nginx.org/pipermail/nginx-devel/2016-January/007748.html )
This pull request couples with the
ssl-cert-by-lua-2branch oflua-resty-core. See the following pull request oflua-resty-corefor the Lua API:openresty/lua-resty-core#12
Related new documentation:
https://github.com/openresty/lua-nginx-module/tree/ssl-cert-by-lua-2#ssl_certificate_by_lua_block
See #331 for more details on the requirements and development history.