feature: add lua_ssl_conf_command directive for setting arbitrary Ope… (#252)

Author: catbro666

README.md

@@ -160,6 +160,7 @@ behavior.
 * [lua_ssl_protocols](https://github.com/openresty/lua-nginx-module#lua_ssl_protocols)
 * [lua_ssl_trusted_certificate](https://github.com/openresty/lua-nginx-module#lua_ssl_trusted_certificate)
 * [lua_ssl_verify_depth](https://github.com/openresty/lua-nginx-module#lua_ssl_verify_depth)
+* [lua_ssl_conf_command](https://github.com/openresty/lua-nginx-module#lua_ssl_conf_command)
 * [lua_check_client_abort](https://github.com/openresty/lua-nginx-module#lua_check_client_abort)
 * [lua_max_pending_timers](https://github.com/openresty/lua-nginx-module#lua_max_pending_timers)
 * [lua_max_running_timers](https://github.com/openresty/lua-nginx-module#lua_max_running_timers)

src/ngx_stream_lua_common.h

@@ -249,6 +249,9 @@ struct ngx_stream_lua_srv_conf_s {
     ngx_uint_t              ssl_verify_depth;
     ngx_str_t               ssl_trusted_certificate;
     ngx_str_t               ssl_crl;
+#if (nginx_version >= 1019004)
+    ngx_array_t            *ssl_conf_commands;
+#endif
 
     struct {
         ngx_stream_lua_srv_conf_handler_pt           ssl_cert_handler;

src/ngx_stream_lua_module.c

@@ -48,14 +48,23 @@ static char *ngx_stream_lua_lowat_check(ngx_conf_t *cf, void *post, void *data);
 #if (NGX_STREAM_SSL)
 static ngx_int_t ngx_stream_lua_set_ssl(ngx_conf_t *cf,
     ngx_stream_lua_loc_conf_t *llcf);
+#if (nginx_version >= 1019004)
+static char *ngx_stream_lua_ssl_conf_command_check(ngx_conf_t *cf, void *post,
+    void *data);
+#endif
 #endif
 static char *ngx_stream_lua_malloc_trim(ngx_conf_t *cf, ngx_command_t *cmd,
     void *conf);
 
 
 static ngx_conf_post_t  ngx_stream_lua_lowat_post =
     { ngx_stream_lua_lowat_check };
-
+#if (NGX_STREAM_SSL)
+#if (nginx_version >= 1019004)
+static ngx_conf_post_t  ngx_stream_lua_ssl_conf_command_post =
+    { ngx_stream_lua_ssl_conf_command_check };
+#endif
+#endif
 
 
 
@@ -412,6 +421,14 @@ static ngx_command_t ngx_stream_lua_cmds[] = {
       offsetof(ngx_stream_lua_srv_conf_t, ssl_crl),
       NULL },
 
+#if (nginx_version >= 1019004)
+    { ngx_string("lua_ssl_conf_command"),
+      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE2,
+      ngx_conf_set_keyval_slot,
+      NGX_STREAM_SRV_CONF_OFFSET,
+      offsetof(ngx_stream_lua_srv_conf_t, ssl_conf_commands),
+      &ngx_stream_lua_ssl_conf_command_post },
+#endif
 #endif  /* NGX_STREAM_SSL */
 
      { ngx_string("lua_malloc_trim"),
@@ -854,6 +871,10 @@ ngx_stream_lua_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
     ngx_conf_merge_str_value(conf->ssl_trusted_certificate,
                              prev->ssl_trusted_certificate, "");
     ngx_conf_merge_str_value(conf->ssl_crl, prev->ssl_crl, "");
+#if (nginx_version >= 1019004)
+    ngx_conf_merge_ptr_value(conf->ssl_conf_commands, prev->ssl_conf_commands,
+                             NULL);
+#endif
 
     if (ngx_stream_lua_set_ssl(cf, conf) != NGX_OK) {
         return NGX_CONF_ERROR;
@@ -951,9 +972,26 @@ ngx_stream_lua_set_ssl(ngx_conf_t *cf, ngx_stream_lua_srv_conf_t *lscf)
         return NGX_ERROR;
     }
 
+#if (nginx_version >= 1019004)
+    if (ngx_ssl_conf_commands(cf, lscf->ssl, lscf->ssl_conf_commands)
+        != NGX_OK) {
+        return NGX_ERROR;
+    }
+#endif
     return NGX_OK;
 }
 
+#if (nginx_version >= 1019004)
+static char *
+ngx_stream_lua_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data)
+{
+#ifndef SSL_CONF_FLAG_FILE
+    return "is not supported on this platform";
+#endif
+
+    return NGX_CONF_OK;
+}
+#endif
 #endif  /* NGX_STREAM_SSL */
 
 

t/129-ssl-socket.t

@@ -6,7 +6,7 @@ use File::Basename;
 
 repeat_each(2);
 
-plan tests => repeat_each() * 216;
+plan tests => repeat_each() * (blocks() * 7 + 2);
 
 $ENV{TEST_NGINX_HTML_DIR} ||= html_dir();
 $ENV{TEST_NGINX_MEMCACHED_PORT} ||= 11211;
@@ -2487,3 +2487,266 @@ lua ssl certificate verify error: (18: self signed certificate)
 SSL reused session
 [alert]
 --- timeout: 5
+
+
+
+=== TEST 32: default cipher - TLSv1.3
+--- skip_openssl: 8: < 1.1.1
+--- http_config
+    server {
+        listen              unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl;
+        server_name         test.com;
+        ssl_certificate     $TEST_NGINX_CERT_DIR/cert/test.crt;
+        ssl_certificate_key $TEST_NGINX_CERT_DIR/cert/test.key;
+        ssl_protocols       TLSv1.3;
+
+        location / {
+            content_by_lua_block {
+                ngx.exit(200)
+            }
+        }
+    }
+--- stream_server_config
+    lua_ssl_protocols TLSv1.3;
+
+    content_by_lua_block {
+        local sock = ngx.socket.tcp()
+        sock:settimeout(2000)
+
+        do
+            local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock")
+            if not ok then
+                ngx.say("failed to connect: ", err)
+                return
+            end
+
+            ngx.say("connected: ", ok)
+
+            local session, err = sock:sslhandshake(nil, "test.com")
+            if not session then
+                ngx.say("failed to do SSL handshake: ", err)
+                return
+            end
+
+            ngx.say("ssl handshake: ", type(session))
+
+            local req = "GET / HTTP/1.1\r\nHost: test.com\r\nConnection: close\r\n\r\n"
+            local bytes, err = sock:send(req)
+            if not bytes then
+                ngx.say("failed to send stream request: ", err)
+                return
+            end
+
+            ngx.say("sent stream request: ", bytes, " bytes.")
+
+            local line, err = sock:receive()
+            if not line then
+                ngx.say("failed to recieve response status line: ", err)
+                return
+            end
+
+            ngx.say("received: ", line)
+
+            local ok, err = sock:close()
+            ngx.say("close: ", ok, " ", err)
+        end  -- do
+        collectgarbage()
+    }
+
+--- stream_response
+connected: 1
+ssl handshake: userdata
+sent stream request: 53 bytes.
+received: HTTP/1.1 200 OK
+close: 1 nil
+
+--- log_level: debug
+--- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+/
+--- grep_error_log_out eval
+qr/^lua ssl save session: ([0-9A-F]+)
+lua ssl free session: ([0-9A-F]+)
+$/
+--- error_log eval
+[
+'lua ssl server name: "test.com"',
+qr/SSL: TLSv1.3, cipher: "TLS_AES_256_GCM_SHA384 TLSv1.3/,
+]
+--- no_error_log
+SSL reused session
+[error]
+[alert]
+--- timeout: 10
+
+
+
+=== TEST 33: explicit cipher configuration - TLSv1.3
+--- skip_openssl: 8: < 1.1.1
+--- skip_nginx: 8: < 1.19.4
+--- http_config
+    server {
+        listen              unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl;
+        server_name         test.com;
+        ssl_certificate     $TEST_NGINX_CERT_DIR/cert/test.crt;
+        ssl_certificate_key $TEST_NGINX_CERT_DIR/cert/test.key;
+        ssl_protocols       TLSv1.3;
+
+        location / {
+            content_by_lua_block {
+                ngx.exit(200)
+            }
+        }
+    }
+--- stream_server_config
+    lua_ssl_protocols TLSv1.3;
+    lua_ssl_conf_command Ciphersuites TLS_AES_128_GCM_SHA256;
+
+    content_by_lua_block {
+        local sock = ngx.socket.tcp()
+        sock:settimeout(2000)
+
+        do
+            local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock")
+            if not ok then
+                ngx.say("failed to connect: ", err)
+                return
+            end
+
+            ngx.say("connected: ", ok)
+
+            local session, err = sock:sslhandshake(nil, "test.com")
+            if not session then
+                ngx.say("failed to do SSL handshake: ", err)
+                return
+            end
+
+            ngx.say("ssl handshake: ", type(session))
+
+            local req = "GET / HTTP/1.1\r\nHost: test.com\r\nConnection: close\r\n\r\n"
+            local bytes, err = sock:send(req)
+            if not bytes then
+                ngx.say("failed to send stream request: ", err)
+                return
+            end
+
+            ngx.say("sent stream request: ", bytes, " bytes.")
+
+            local line, err = sock:receive()
+            if not line then
+                ngx.say("failed to recieve response status line: ", err)
+                return
+            end
+
+            ngx.say("received: ", line)
+
+            local ok, err = sock:close()
+            ngx.say("close: ", ok, " ", err)
+        end  -- do
+        collectgarbage()
+    }
+
+--- stream_response
+connected: 1
+ssl handshake: userdata
+sent stream request: 53 bytes.
+received: HTTP/1.1 200 OK
+close: 1 nil
+
+--- log_level: debug
+--- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+/
+--- grep_error_log_out eval
+qr/^lua ssl save session: ([0-9A-F]+)
+lua ssl free session: ([0-9A-F]+)
+$/
+--- error_log eval
+['lua ssl server name: "test.com"',
+qr/SSL: TLSv1.3, cipher: "TLS_AES_128_GCM_SHA256 TLSv1.3/]
+--- no_error_log
+SSL reused session
+[error]
+[alert]
+--- timeout: 10
+
+
+
+=== TEST 34: explicit cipher configuration not in the default list - TLSv1.3
+--- skip_openssl: 8: < 1.1.1
+--- skip_nginx: 8: < 1.19.4
+--- http_config
+    server {
+        listen              unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl;
+        server_name         test.com;
+        ssl_certificate     $TEST_NGINX_CERT_DIR/cert/test.crt;
+        ssl_certificate_key $TEST_NGINX_CERT_DIR/cert/test.key;
+        ssl_protocols       TLSv1.3;
+
+        location / {
+            content_by_lua_block {
+                ngx.exit(200)
+            }
+        }
+    }
+--- stream_server_config
+    lua_ssl_protocols TLSv1.3;
+    lua_ssl_conf_command Ciphersuites TLS_AES_128_CCM_SHA256;
+
+    content_by_lua_block {
+        local sock = ngx.socket.tcp()
+        sock:settimeout(2000)
+
+        do
+            local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock")
+            if not ok then
+                ngx.say("failed to connect: ", err)
+                return
+            end
+
+            ngx.say("connected: ", ok)
+
+            local session, err = sock:sslhandshake(nil, "test.com")
+            if not session then
+                ngx.say("failed to do SSL handshake: ", err)
+                return
+            end
+
+            ngx.say("ssl handshake: ", type(session))
+
+            local req = "GET / HTTP/1.1\r\nHost: test.com\r\nConnection: close\r\n\r\n"
+            local bytes, err = sock:send(req)
+            if not bytes then
+                ngx.say("failed to send stream request: ", err)
+                return
+            end
+
+            ngx.say("sent stream request: ", bytes, " bytes.")
+
+            local line, err = sock:receive()
+            if not line then
+                ngx.say("failed to recieve response status line: ", err)
+                return
+            end
+
+            ngx.say("received: ", line)
+
+            local ok, err = sock:close()
+            ngx.say("close: ", ok, " ", err)
+        end  -- do
+        collectgarbage()
+    }
+
+--- stream_response
+connected: 1
+failed to do SSL handshake: handshake failed
+
+--- log_level: debug
+--- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+/
+--- grep_error_log_out
+--- error_log eval
+[
+qr/\[info\] .*?SSL_do_handshake\(\) failed .*?no shared cipher/,
+'lua ssl server name: "test.com"',
+]
+--- no_error_log
+SSL reused session
+[alert]
+[emerg]
+--- timeout: 10