feature: ssl.create_ctx and tcp:setsslctx#89
feature: ssl.create_ctx and tcp:setsslctx#89detailyang wants to merge 26 commits intoopenresty:masterfrom
Conversation
|
After refactor the codebase, these is a little different things. We remove the |
lib/ngx/ssl.lua
Outdated
| _M.PROTOCOL_TLSv1 = 0x0008 | ||
| _M.PROTOCOL_TLSv1_1 = 0x0010 | ||
| _M.PROTOCOL_TLSv1_2 = 0x0020 | ||
| local default_protocols = bor(bor(bor(_M.PROTOCOL_SSLv3,_M.PROTOCOL_TLSv1), |
There was a problem hiding this comment.
bor can accept multiple arguments, like:
resty -e " ngx.say(bit.bor(1, 2, 4)); "
7
lib/ngx/ssl.lua
Outdated
| local protocols = default_protocols | ||
|
|
||
| if options.protocols ~= nil then | ||
| protocols = options.protocols |
There was a problem hiding this comment.
I think local protocols = options.protocols or options.protocols can be simpler :)
There was a problem hiding this comment.
gotcha local protocols = options.protocols or default_protocols
lib/resty/core/socket/tcp.lua
Outdated
|
|
||
| local rc = C.ngx_http_lua_ffi_socket_tcp_setsslctx(r, tcp, ssl_ctx, errmsg) | ||
| if rc ~= FFI_OK then | ||
| return false, ffi_str(errmsg[0]) |
There was a problem hiding this comment.
better use nil instead false here?
There was a problem hiding this comment.
Agree. I found other statements is also using nil rather than false.
|
CI passed after merge newest commit on master branch :D |
lib/ngx/ssl.lua
Outdated
| _M.PROTOCOL_TLSv1 = 0x0008 | ||
| _M.PROTOCOL_TLSv1_1 = 0x0010 | ||
| _M.PROTOCOL_TLSv1_2 = 0x0020 | ||
| local default_protocols = bor(_M.PROTOCOL_SSLv3, _M.PROTOCOL_TLSv1, |
There was a problem hiding this comment.
Better put a blank line before this line for aesthetic considerations.
lib/resty/core/socket/tcp.lua
Outdated
|
|
||
| int | ||
| ngx_http_lua_ffi_socket_tcp_setsslctx(ngx_http_request_t *r, | ||
| void *u, void *cdata_ctx, char **err); |
There was a problem hiding this comment.
Please be consistent with the style in lib/ngx/ssl.lua.
t/ssl-ctx.t
Outdated
| local cert = ssl.parse_pem_cert(read_file("$TEST_NGINX_HTML_DIR/client.crt")) | ||
| local priv_key = ssl.parse_pem_priv_key(read_file("$TEST_NGINX_HTML_DIR/client.unsecure.key")) | ||
|
|
||
| local ssl_ctx, err = ssl.create_ctx({ |
There was a problem hiding this comment.
You know that we can safely omit the parentheses here?
lib/ngx/ssl.lua
Outdated
| return nil, ffi_str(errmsg[0]) | ||
| end | ||
|
|
||
| ctx = ffi_gc(ctx, C.ngx_http_lua_ffi_ssl_ctx_free) |
There was a problem hiding this comment.
We do not need to assign to ctx here.
lib/ngx/ssl.lua
Outdated
| _M.PROTOCOL_SSLv3 = 0x0004 | ||
| _M.PROTOCOL_TLSv1 = 0x0008 | ||
| _M.PROTOCOL_TLSv1_1 = 0x0010 | ||
| _M.PROTOCOL_TLSv1_2 = 0x0020 |
There was a problem hiding this comment.
I thikn we can just omit the PROTOCOL_ prefix from these keys. They are not really needed IMHO.
Signed-off-by: detailyang <detailyang@gmail.com>
Signed-off-by: detailyang <detailyang@gmail.com>
Signed-off-by: detailyang <detailyang@gmail.com>
detailyang
force-pushed
the
lua-ffi-api-sslctx
branch
from
bb43bbb to
9ebd5b6
Compare
…a-resty-core into lua-ffi-api-sslctx
|
Fix the issue as the following and rebase the newest codebase:
Sorry for duplicated commits because of wrong usage of |
3 participants
This is a sister PR at lua-nginx-module/pull/997.
I refer to Node.js JS Design as a guide. Now the API is the fowllong:
Now we proivde 3 arguments as the follwoing to feed
SSL_CTXobject.Openssl protocols are listed as OPENSSL PROTOCOL METHODS
Optional certificate in PEM format which can be parsed by
ssl.parse_pem_certOptional private keys in PEM format which can be parsed by
ssl.parse_pem_priv_keyIt 's convenient that if we want to expose more arguments to user in future if we want.
Now it is not ready to provide the README document. when we agree on the API Design, I will provide.
@agentzh @thibaultcha @doujiang24
Can have a look at this PR ? Many thanks :D