ngx.sleep() does not work in ssl_client_hello_by_lua* #438

Open
ltning opened this issue Aug 25, 2023 · 13 comments

Comments

@ltning

ltning commented Aug 25, 2023

When trying to call ngx.sleep() in a ssl_client_hello_by_lua_block, the TCP connection is instantly dropped (FIN). Nginx built with --with-debug and --with-debuglog. Logs at end of report.

OS: FreeBSD 13.2-RELEASE

# nginx -V
nginx version: nginx/1.24.0
built with OpenSSL 1.1.1o-freebsd  3 May 2022 (running with OpenSSL 1.1.1t-freebsd  7 Feb 2023)
TLS SNI support enabled
configure arguments: --prefix=/usr/local/etc/nginx --with-cc-opt='-I /usr/local/include' --conf-path=/usr/local/etc/nginx/nginx.conf --sbin-path=/usr/local/sbin/nginx --pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx/error.log --user=www --group=www --with-compat --with-pcre --with-debug --modules-path=/usr/local/libexec/nginx --with-file-aio --with-google_perftools_module --http-client-body-temp-path=/var/tmp/nginx/client_body_temp --http-fastcgi-temp-path=/var/tmp/nginx/fastcgi_temp --http-proxy-temp-path=/var/tmp/nginx/proxy_temp --http-scgi-temp-path=/var/tmp/nginx/scgi_temp --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi_temp --http-log-path=/var/log/nginx/access.log --with-http_v2_module --with-http_addition_module --with-http_auth_request_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_realip_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_xslt_module --without-mail_pop3_module --with-mail_ssl_module --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-threads --with-http_image_filter_module=dynamic --with-http_xslt_module=dynamic --with-mail=dynamic --with-stream=dynamic --add-dynamic-module=/wrkdirs/usr/ports/www/nginx/work/ngx_devel_kit-0.3.2 --add-dynamic-module=/wrkdirs/usr/ports/www/nginx/work/ngx_brotli-9aec15e --add-dynamic-module=/wrkdirs/usr/ports/www/nginx/work/ngx_http_auth_pam_module-1.5.3 --add-dynamic-module=/wrkdirs/usr/ports/www/nginx/work/ngx-fancyindex-0.5.2 --add-dynamic-module=/wrkdirs/usr/ports/www/nginx/work/lua-nginx-module-0.10.25 --add-dynamic-module=/wrkdirs/usr/ports/www/nginx/work/ModSecurity-nginx-1.0.3 --add-dynamic-module=/wrkdirs/usr/ports/www/nginx/work/set-misc-nginx-module-3937e7b --add-dynamic-module=/wrkdirs/usr/ports/www/nginx/work/nginx-module-vts-bf64dbf --add-dynamic-module=/wrkdirs/usr/ports/www/nginx/work/passenger-6.0.17/src/nginx_module --with-ld-opt='-L /usr/local/lib -lpcre'
# pkg info | grep -E 'nginx|lua'
lua-resty-core-0.1.27          New FFI-based Lua API for OpenResty NGINX Lua modules
lua-resty-lrucache-0.13        Lua-land LRU cache based on the LuaJIT FFI
luajit-openresty-2.1.20230410_1 Just-In-Time Compiler for Lua (OpenResty branch)
nginx-1.24.0_11,3              Robust and small WWW server

Code:

ssl_client_hello_by_lua_block {
    function mysleep(n)
        ngx.sleep(n)
    end

    -- local semaphore = require "ngx.semaphore"
    -- local sema = semaphore.new()
    -- sema:wait(5)

    local ssl_clt = require "ngx.ssl.clienthello"
    ngx.log(ngx.ERR, "ssl_clt: ", type(ssl_clt))

    local host, err = ssl_clt.get_client_hello_server_name()
    if not host then
        ngx.log(ngx.ERR, "failed to get the SNI name: ", err)
    else
        ngx.log(ngx.ERR, "SNI name: ", host)
    end

    mysleep(5)
}

Logs:

2023/08/25 12:21:33 [debug] 18678#977527: kevent set event: 11: ft:-1 fl:0005
2023/08/25 12:21:35 [debug] 18678#977527: accept on 0.0.0.0:443, ready: 1
2023/08/25 12:21:35 [debug] 18678#977527: posix_memalign: 00000008448DA600:512 @16
2023/08/25 12:21:35 [debug] 18678#977527: *2 accept: 10.4.6.51:16175 fd:16
2023/08/25 12:21:35 [debug] 18678#977527: *2 event timer add: 16: 5000:9188270397
2023/08/25 12:21:35 [debug] 18678#977527: *2 reusable connection: 1
2023/08/25 12:21:35 [debug] 18678#977527: *2 kevent set event: 16: ft:-1 fl:0025
2023/08/25 12:21:35 [debug] 18678#977527: *2 http check ssl handshake
2023/08/25 12:21:35 [debug] 18678#977527: *2 http recv(): 1
2023/08/25 12:21:35 [debug] 18678#977527: *2 https ssl handshake: 0x16
2023/08/25 12:21:35 [debug] 18678#977527: *2 tcp_nodelay
2023/08/25 12:21:35 [debug] 18678#977527: *2 reusable connection: 0
2023/08/25 12:21:35 [debug] 18678#977527: *2 ssl client hello: connection reusable: 0
2023/08/25 12:21:35 [debug] 18678#977527: *3 code cache lookup (key='ssl_client_hello_by_lua_nhli_c9375228ccf6e2b45269933b001ca1f7', ref=-1)
2023/08/25 12:21:35 [debug] 18678#977527: *3 code cache miss (key='ssl_client_hello_by_lua_nhli_c9375228ccf6e2b45269933b001ca1f7', ref=-1)
2023/08/25 12:21:35 [debug] 18678#977527: *3 lua creating new thread
2023/08/25 12:21:35 [debug] 18678#977527: *3 lua run thread, top:9 c:1
2023/08/25 12:21:35 [warn] 18678#977527: *3 [lua] _G write guard:12: __newindex(): writing a global Lua variable ('mysleep') which may lead to race conditions between concurrent requests, so prefer the use of 'local' variables
stack traceback:
        ssl_client_hello_by_lua(...-acs.ci.modirum.com-443.conf:21):2: in main chunk, context: ssl_client_hello_by_lua*, client: 10.4.6.51, server: 0.0.0.0:443
2023/08/25 12:21:35 [error] 18678#977527: *3 [lua] ssl_client_hello_by_lua(...-acs.ci.modirum.com-443.conf:21):11: ssl_clt: table, context: ssl_client_hello_by_lua*, client: 10.4.6.51, server: 0.0.0.0:443
2023/08/25 12:21:35 [error] 18678#977527: *3 [lua] ssl_client_hello_by_lua(...-acs.ci.modirum.com-443.conf:21):17: SNI name: oracle-acs.ci.modirum.com, context: ssl_client_hello_by_lua*, client: 10.4.6.51, server: 0.0.0.0:443
2023/08/25 12:21:35 [debug] 18678#977527: *3 event timer add: 0: 5000:9188270397
2023/08/25 12:21:35 [debug] 18678#977527: *3 lua ready to sleep for 5000 ms
2023/08/25 12:21:35 [debug] 18678#977527: *3 lua resume returned 1
2023/08/25 12:21:35 [debug] 18678#977527: *3 lua thread yielded
2023/08/25 12:21:35 [debug] 18678#977527: *3 http lua finalize fake request: -4, a:1, c:2
2023/08/25 12:21:35 [debug] 18678#977527: *3 http lua fake request count:2
2023/08/25 12:21:35 [debug] 18678#977527: *2 add cleanup: 00000008448DA7B8
2023/08/25 12:21:35 [debug] 18678#977527: *2 SSL_do_handshake: -1
2023/08/25 12:21:35 [debug] 18678#977527: *2 SSL_get_error: 11
2023/08/25 12:21:35 [info] 18678#977527: *2 peer closed connection in SSL handshake while loading SSL client hello by lua, client: 10.4.6.51, server: 0.0.0.0:443
2023/08/25 12:21:35 [debug] 18678#977527: *2 close http connection: 16
2023/08/25 12:21:35 [debug] 18678#977527: *2 event timer del: 16: 9188270397
2023/08/25 12:21:35 [debug] 18678#977527: *2 reusable connection: 0
2023/08/25 12:21:35 [debug] 18678#977527: *2 run cleanup: 00000008448DA7B8
2023/08/25 12:21:35 [debug] 18678#977527: *2 lua_client_hello_by_lua: client hello cb aborted
2023/08/25 12:21:35 [debug] 18678#977527: *3 http lua finalize fake request: -1, a:1, c:1
2023/08/25 12:21:35 [debug] 18678#977527: *3 http lua fake request count:1
2023/08/25 12:21:35 [debug] 18678#977527: *3 http lua close fake request
2023/08/25 12:21:35 [debug] 18678#977527: *3 http lua close fake http connection 000000083EC90A20
2023/08/25 12:21:35 [debug] 18678#977527: *3 lua request cleanup: forcible=0
2023/08/25 12:21:35 [debug] 18678#977527: *3 http lua finalize threads
2023/08/25 12:21:35 [debug] 18678#977527: *3 event timer del: 0: 9188270397
2023/08/25 12:21:35 [debug] 18678#977527: *3 lua deleting light thread 0000000845A47360 (ref 1)
2023/08/25 12:21:35 [debug] 18678#977527: *3 lua caching unused lua thread 0000000845A47360 (ref 1)
2023/08/25 12:21:35 [debug] 18678#977527: *2 free: 00000008448DA600, unused: 48
@zhuizhuhaomeng
Contributor

We'll try to reproduce the problem

@lynch1981
Contributor

Which http client are you using? I guess the client ended the SSL session abnormally.

@ltning
Author

ltning commented Nov 18, 2023

Sorry for being tardy here, it's been busy.
Doesn't matter which client is used (curl, wget, fetch, browser). It's the call to sleep that causes the connection to drop, and it happens instantly (regardless of the length of the sleep).

Note that for the below I changed the config to prefix my sleep function with local to avoid the warning about accessing globals.
Wrapping ngx.sleep() in a function was an attempt at working around this issue based on random finds on the internet. It makes no difference.

For testing right now, I'm running tail *error.log | sed 's/^/ NGINX: /g' & and then curl returns (with error log lines from the tail prefixed by NGINX:, everything else is curl output):

# curl -vko - https://localhost:443/logos/soidfsdf/tokentest.txt
*   Trying 127.0.0.1:443...
* Connected to localhost (10.4.6.44) port 443
    NGINX: 
    NGINX: ==> /var/log/nginx/ssl-3ds-acs.ci.modirum.com-443.error.log <==
    NGINX: 2023/11/18 13:44:49 [debug] 20076#651526: post event 000000083B459C40
    NGINX: 2023/11/18 13:44:49 [debug] 20076#651526: delete posted event 000000083B459C40
    NGINX: 2023/11/18 13:44:49 [debug] 20076#651526: accept on 0.0.0.0:443, ready: 1
    NGINX: 2023/11/18 13:44:49 [debug] 20076#651526: posix_memalign: 00000008407AB200:512 @16
    NGINX: 2023/11/18 13:44:49 [debug] 20076#651526: *6 accept: 10.4.6.44:58770 fd:29
* ALPN: curl offers h2,http/1.1
    NGINX: 2023/11/18 13:44:49 [debug] 20076#651526: *6 event timer add: 29: 5000:16537264000
    NGINX: 2023/11/18 13:44:49 [debug] 20076#651526: *6 reusable connection: 1
    NGINX: 2023/11/18 13:44:49 [debug] 20076#651526: *6 kevent set event: 29: ft:-1 fl:0025
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
    NGINX: 2023/11/18 13:44:49 [debug] 20076#651526: *6 post event 000000083B45A050
    NGINX: 2023/11/18 13:44:49 [debug] 20076#651526: *6 delete posted event 000000083B45A050
    NGINX: 2023/11/18 13:44:49 [debug] 20076#651526: *6 http check ssl handshake
    NGINX: 2023/11/18 13:44:49 [debug] 20076#651526: *6 http recv(): 1
    NGINX: 2023/11/18 13:44:49 [debug] 20076#651526: *6 https ssl handshake: 0x16
    NGINX: 2023/11/18 13:44:49 [debug] 20076#651526: *6 tcp_nodelay
    NGINX: 2023/11/18 13:44:49 [debug] 20076#651526: *6 reusable connection: 0
    NGINX: 2023/11/18 13:44:49 [debug] 20076#651526: *6 ssl client hello: connection reusable: 0
    NGINX: 2023/11/18 13:44:49 [debug] 20076#651526: *7 code cache lookup (key='ssl_client_hello_by_lua_nhli_f3d7b9e9ddc9a91d02d18db147f0ebb8', ref=1)
    NGINX: 2023/11/18 13:44:49 [debug] 20076#651526: *7 code cache hit (key='ssl_client_hello_by_lua_nhli_f3d7b9e9ddc9a91d02d18db147f0ebb8', ref=1)
    NGINX: 2023/11/18 13:44:49 [debug] 20076#651526: *7 lua creating new thread
    NGINX: 2023/11/18 13:44:49 [debug] 20076#651526: *7 lua reusing cached lua thread 0000000842C2C168 (ref 1)
    NGINX: 2023/11/18 13:44:49 [debug] 20076#651526: *7 lua run thread, top:9 c:1
    NGINX: 2023/11/18 13:44:49 [error] 20076#651526: *7 [lua] ssl_client_hello_by_lua(...-acs.ci.modirum.com-443.conf:38):11: ssl_clt: table, context: ssl_client_hello_by_lua*, client: 10.4.6.44, server: 0.0.0.0:443
    NGINX: 2023/11/18 13:44:49 [error] 20076#651526: *7 [lua] ssl_client_hello_by_lua(...-acs.ci.modirum.com-443.conf:38):17: SNI name: localhost, context: ssl_client_hello_by_lua*, client: 10.4.6.44, server: 0.0.0.0:443
    NGINX: 2023/11/18 13:44:49 [debug] 20076#651526: *7 event timer add: 0: 5000:16537264000
    NGINX: 2023/11/18 13:44:49 [debug] 20076#651526: *7 lua ready to sleep for 5000 ms
    NGINX: 2023/11/18 13:44:49 [debug] 20076#651526: *7 lua resume returned 1
    NGINX: 2023/11/18 13:44:49 [debug] 20076#651526: *7 lua thread yielded
    NGINX: 2023/11/18 13:44:49 [debug] 20076#651526: *7 http lua finalize fake request: -4, a:1, c:2
    NGINX: 2023/11/18 13:44:49 [debug] 20076#651526: *7 http lua fake request count:2
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to localhost:443 
    NGINX: 2023/11/18 13:44:49 [debug] 20076#651526: *6 add cleanup: 00000008407AB3B8
    NGINX: 2023/11/18 13:44:49 [debug] 20076#651526: *6 SSL_do_handshake: -1
* Closing connection
    NGINX: 2023/11/18 13:44:49 [debug] 20076#651526: *6 SSL_get_error: 11
    NGINX: 2023/11/18 13:44:49 [info] 20076#651526: *6 peer closed connection in SSL handshake while loading SSL client hello by lua, client: 10.4.6.44, server: 0.0.0.0:443
    NGINX: 2023/11/18 13:44:49 [debug] 20076#651526: *6 close http connection: 29
    NGINX: 2023/11/18 13:44:49 [debug] 20076#651526: *6 event timer del: 29: 16537264000
    NGINX: 2023/11/18 13:44:49 [debug] 20076#651526: *6 reusable connection: 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to localhost:443 
    NGINX: 2023/11/18 13:44:49 [debug] 20076#651526: *6 run cleanup: 00000008407AB3B8
    NGINX: 2023/11/18 13:44:49 [debug] 20076#651526: *6 lua_client_hello_by_lua: client hello cb aborted
    NGINX: 2023/11/18 13:44:49 [debug] 20076#651526: *7 http lua finalize fake request: -1, a:1, c:1
    NGINX: 2023/11/18 13:44:49 [debug] 20076#651526: *7 http lua fake request count:1
    NGINX: 2023/11/18 13:44:49 [debug] 20076#651526: *7 http lua close fake request
    NGINX: 2023/11/18 13:44:49 [debug] 20076#651526: *7 http lua close fake http connection 000000083B3D8870
    NGINX: 2023/11/18 13:44:49 [debug] 20076#651526: *7 lua request cleanup: forcible=0
    NGINX: 2023/11/18 13:44:49 [debug] 20076#651526: *7 http lua finalize threads
    NGINX: 2023/11/18 13:44:49 [debug] 20076#651526: *7 event timer del: 0: 16537264000
    NGINX: 2023/11/18 13:44:49 [debug] 20076#651526: *7 lua deleting light thread 0000000842C2C168 (ref 1)
    NGINX: 2023/11/18 13:44:49 [debug] 20076#651526: *7 lua caching unused lua thread 0000000842C2C168 (ref 1)
    NGINX: 2023/11/18 13:44:49 [debug] 20076#651526: *6 free: 00000008407AB200, unused: 48

For comparison, removing the sleep call yields:

# curl -vko - https://localhost:443/logos/soidfsdf/tokentest.txt             
*   Trying 127.0.0.1:443...
* Connected to localhost (10.4.6.44) port 443
    NGINX: 2023/11/18 13:47:14 [debug] 20687#110451: post event 0000000885E52800
    NGINX: 2023/11/18 13:47:14 [debug] 20687#110451: delete posted event 0000000885E52800
    NGINX: 2023/11/18 13:47:14 [debug] 20687#110451: accept on 0.0.0.0:443, ready: 1
    NGINX: 2023/11/18 13:47:14 [debug] 20687#110451: posix_memalign: 000000082C4AE600:512 @16
    NGINX: 2023/11/18 13:47:14 [debug] 20687#110451: *10 accept: 10.4.6.44:17085 fd:19
    NGINX: 2023/11/18 13:47:14 [debug] 20687#110451: *10 event timer add: 19: 5000:16537409616
    NGINX: 2023/11/18 13:47:14 [debug] 20687#110451: *10 reusable connection: 1
    NGINX: 2023/11/18 13:47:14 [debug] 20687#110451: *10 kevent set event: 19: ft:-1 fl:0025
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
    NGINX: 2023/11/18 13:47:14 [debug] 20687#110451: *10 post event 0000000885E52AD8
    NGINX: 2023/11/18 13:47:14 [debug] 20687#110451: *10 delete posted event 0000000885E52AD8
    NGINX: 2023/11/18 13:47:14 [debug] 20687#110451: *10 http check ssl handshake
    NGINX: 2023/11/18 13:47:14 [debug] 20687#110451: *10 http recv(): 1
    NGINX: 2023/11/18 13:47:14 [debug] 20687#110451: *10 https ssl handshake: 0x16
    NGINX: 2023/11/18 13:47:14 [debug] 20687#110451: *10 tcp_nodelay
    NGINX: 2023/11/18 13:47:14 [debug] 20687#110451: *10 reusable connection: 0
    NGINX: 2023/11/18 13:47:14 [debug] 20687#110451: *10 ssl client hello: connection reusable: 0
    NGINX: 2023/11/18 13:47:14 [debug] 20687#110451: *11 code cache lookup (key='ssl_client_hello_by_lua_nhli_e46d52b46923e869f5a9a589b9771547', ref=-1)
    NGINX: 2023/11/18 13:47:14 [debug] 20687#110451: *11 code cache miss (key='ssl_client_hello_by_lua_nhli_e46d52b46923e869f5a9a589b9771547', ref=-1)
    NGINX: 2023/11/18 13:47:14 [debug] 20687#110451: *11 lua creating new thread
    NGINX: 2023/11/18 13:47:14 [debug] 20687#110451: *11 lua run thread, top:9 c:1
    NGINX: 2023/11/18 13:47:14 [error] 20687#110451: *11 [lua] ssl_client_hello_by_lua(...-acs.ci.modirum.com-443.conf:38):11: ssl_clt: table, context: ssl_client_hello_by_lua*, client: 10.4.6.44, server: 0.0.0.0:443
    NGINX: 2023/11/18 13:47:14 [error] 20687#110451: *11 [lua] ssl_client_hello_by_lua(...-acs.ci.modirum.com-443.conf:38):17: SNI name: localhost, context: ssl_client_hello_by_lua*, client: 10.4.6.44, server: 0.0.0.0:443
    NGINX: 2023/11/18 13:47:14 [debug] 20687#110451: *11 lua resume returned 0
    NGINX: 2023/11/18 13:47:14 [debug] 20687#110451: *11 lua light thread ended normally
    NGINX: 2023/11/18 13:47:14 [debug] 20687#110451: *11 lua deleting light thread 000000088A4973A0 (ref 1)
    NGINX: 2023/11/18 13:47:14 [debug] 20687#110451: *11 lua caching unused lua thread 000000088A4973A0 (ref 1)
    NGINX: 2023/11/18 13:47:14 [debug] 20687#110451: *11 http lua finalize fake request: 0, a:1, c:1
    NGINX: 2023/11/18 13:47:14 [debug] 20687#110451: *11 http lua fake request count:1
    NGINX: 2023/11/18 13:47:14 [debug] 20687#110451: *11 http lua close fake request
    NGINX: 2023/11/18 13:47:14 [debug] 20687#110451: *11 http lua close fake http connection 0000000885DD1BC0
    NGINX: 2023/11/18 13:47:14 [debug] 20687#110451: *11 lua request cleanup: forcible=0
    NGINX: 2023/11/18 13:47:14 [debug] 20687#110451: *11 http lua finalize threads
    NGINX: 2023/11/18 13:47:14 [debug] 20687#110451: *10 lua_client_hello_by_lua: handler return value: 0, client hello cb exit code: 1
    NGINX: 2023/11/18 13:47:14 [debug] 20687#110451: *10 ssl get session: 0215FD58:32
    NGINX: 2023/11/18 13:47:14 [debug] 20687#110451: *10 SSL server name: "localhost"
    NGINX: 2023/11/18 13:47:14 [debug] 20687#110451: *10 SSL ALPN supported by client: h2
    NGINX: 2023/11/18 13:47:14 [debug] 20687#110451: *10 SSL ALPN supported by client: http/1.1
    NGINX: 2023/11/18 13:47:14 [debug] 20687#110451: *10 SSL ALPN selected: h2
* TLSv1.3 (IN), TLS handshake, Server hello (2):
    NGINX: 2023/11/18 13:47:14 [debug] 20687#110451: *10 SSL_do_handshake: -1
    NGINX: 2023/11/18 13:47:14 [debug] 20687#110451: *10 SSL_get_error: 2
* TLSv1.2 (IN), TLS handshake, Certificate (11):
.....
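
The two debug logs above are exactly what an operator has to read to tell "the client hung up" from "nginx aborted its own handshake". The following is an added example, not code from this issue or from lua-nginx-module: a small Python triage script that groups nginx debug lines by connection id, pairs the fake Lua connection with the real TLS connection, and flags handshakes that were torn down right after the Lua handler yielded while OpenSSL's SSL_get_error() had returned 11, which is SSL_ERROR_WANT_CLIENT_HELLO_CB. The embedded logs are trimmed excerpts of the ones quoted above; pairing the real and fake connection ids by their position in the log is an assumption based on how these lines interleave, since nginx prints no explicit link between them.

```python
import re

# SSL_get_error() codes as OpenSSL's ssl.h defines them; nginx prints the raw
# integer in its "SSL_get_error: N" debug line. Only the ones that matter for
# handshake triage are listed.
SSL_ERRORS = {
    2: "SSL_ERROR_WANT_READ",
    3: "SSL_ERROR_WANT_WRITE",
    4: "SSL_ERROR_WANT_X509_LOOKUP",
    5: "SSL_ERROR_SYSCALL",
    11: "SSL_ERROR_WANT_CLIENT_HELLO_CB",
}
WANT_CLIENT_HELLO_CB = 11

# One nginx error.log line. The optional "NGINX: " prefix is what the
# tail | sed pipeline used in this thread prepends.
LINE_RE = re.compile(
    r"^\s*(?:NGINX:\s*)?"
    r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<level>\w+)\] (?P<pid>\d+)#(?P<tid>\d+): "
    r"(?:\*(?P<conn>\d+) )?(?P<msg>.*)$"
)

PEER_CLOSED = "peer closed connection in SSL handshake while loading SSL client hello by lua"
CB_ABORTED = "lua_client_hello_by_lua: client hello cb aborted"
CB_RETURNED = "lua_client_hello_by_lua: handler return value"


def parse_line(line):
    """Split one log line into its fields; None for text that is not a log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["conn"] = int(rec["conn"]) if rec["conn"] else None
    return rec


def ssl_error_name(code):
    return SSL_ERRORS.get(code, "unknown(%d)" % code)


def find_aborted_yields(lines):
    """Return one finding per TLS connection whose client hello callback was
    aborted right after the ssl_client_hello_by_lua* handler yielded.

    The Lua handler logs under its own "fake" connection id, so the ids are
    paired by position (assumption): a "lua thread yielded" line on some other
    id, while a real connection is inside "ssl client hello:", is taken to
    belong to that real connection.
    """
    findings = []
    in_hello = {}   # real conn id -> state while its client hello callback runs
    current = None  # real conn id whose Lua handler is executing right now
    for raw in lines:
        rec = parse_line(raw)
        if rec is None or rec["conn"] is None:
            continue
        cid, msg = rec["conn"], rec["msg"]
        if msg.startswith("ssl client hello:"):
            in_hello[cid] = {"ts": rec["ts"], "lua_conn": None, "ssl_error": None}
            current = cid
            continue
        if msg == "lua thread yielded" and current is not None and cid != current:
            in_hello[current]["lua_conn"] = cid
            continue
        st = in_hello.get(cid)
        if st is None:
            continue
        m = re.match(r"SSL_get_error: (\d+)$", msg)
        if m:
            st["ssl_error"] = int(m.group(1))
        elif msg.startswith(PEER_CLOSED) or msg.startswith(CB_ABORTED):
            # Handshake torn down inside the callback: a finding only if the Lua
            # side had yielded and OpenSSL was asking to re-enter the callback.
            if st["lua_conn"] is not None and st["ssl_error"] == WANT_CLIENT_HELLO_CB:
                findings.append({"conn": cid, "lua_conn": st["lua_conn"], "ts": st["ts"],
                                 "ssl_error": ssl_error_name(st["ssl_error"])})
            del in_hello[cid]
            current = None if current == cid else current
        elif msg.startswith(CB_RETURNED):
            # Handler completed synchronously; the handshake continues normally.
            del in_hello[cid]
            current = None if current == cid else current
    return findings


# Trimmed excerpts of the two logs quoted in this issue (sleep / no sleep).
LOG_WITH_SLEEP = """\
2023/08/25 12:21:35 [debug] 18678#977527: *2 ssl client hello: connection reusable: 0
2023/08/25 12:21:35 [debug] 18678#977527: *3 lua ready to sleep for 5000 ms
2023/08/25 12:21:35 [debug] 18678#977527: *3 lua thread yielded
2023/08/25 12:21:35 [debug] 18678#977527: *2 SSL_do_handshake: -1
2023/08/25 12:21:35 [debug] 18678#977527: *2 SSL_get_error: 11
2023/08/25 12:21:35 [info] 18678#977527: *2 peer closed connection in SSL handshake while loading SSL client hello by lua, client: 10.4.6.51, server: 0.0.0.0:443
2023/08/25 12:21:35 [debug] 18678#977527: *2 lua_client_hello_by_lua: client hello cb aborted
"""

LOG_NO_SLEEP = """\
    NGINX: 2023/11/18 13:47:14 [debug] 20687#110451: *10 ssl client hello: connection reusable: 0
    NGINX: 2023/11/18 13:47:14 [debug] 20687#110451: *11 lua light thread ended normally
    NGINX: 2023/11/18 13:47:14 [debug] 20687#110451: *10 lua_client_hello_by_lua: handler return value: 0, client hello cb exit code: 1
    NGINX: 2023/11/18 13:47:14 [debug] 20687#110451: *10 SSL_do_handshake: -1
    NGINX: 2023/11/18 13:47:14 [debug] 20687#110451: *10 SSL_get_error: 2
"""
```

Run it on a real file with find_aborted_yields(open("/var/log/nginx/error.log").read().splitlines()). Two points worth keeping in mind when reading the result: "peer closed connection in SSL handshake" is the message nginx's handshake code falls through to when SSL_get_error() returns a code it does not handle and the OpenSSL error queue is empty, so in the sleep log it is nginx, not the client, that dropped the connection (curl's SSL_ERROR_SYSCALL on the other side says the same thing); and code 11 is what OpenSSL 1.1.1 and later return when the client hello callback asks to be re-entered, which is exactly the case an nginx build without the client hello yield patch does not recognise.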

@lynch1981
Contributor

Have you applied openresty/patches/nginx-1.25.1-ssl_client_hello_cb_yield.patch?
Without this patch, ngx_http_lua_ssl_client_hello_handler() will not be called again when the ssl handshake is suspended by the yield function.

@ltning
Author

ltning commented Nov 21, 2023

I don't think that's among the patches the FreeBSD port ships with, so we'd have to update the port with that, in that case. But is this the reason for the failure? There is no sleep happening, the failure is instant.
Also, our nginx is 1.24.0. We're not on the odd releases.

@lynch1981
Contributor

lynch1981 commented Nov 22, 2023

Yes, it is the reason for the failure. I reproduced the problem and when I tried to fix it, I checked the patch file maintained by openresty and found it.

@ltning
Author

ltning commented Nov 23, 2023

It doesn't apply cleanly to 1.25.3 (it seems); and not on 1.24 either:

$ cat work/nginx-1.24.0/src/event/ngx_event_openssl.c.rej
@@ -1712,6 +1712,9 @@
     if (sslerr == SSL_ERROR_WANT_X509_LOOKUP
 #   ifdef SSL_ERROR_PENDING_SESSION
         || sslerr == SSL_ERROR_PENDING_SESSION
+#   endif
+#   ifdef SSL_ERROR_WANT_CLIENT_HELLO_CB
+        || sslerr == SSL_ERROR_WANT_CLIENT_HELLO_CB
 #   endif
        )
     {
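Review bot: the hunk is rejected because its context, the `#   ifdef SSL_ERROR_PENDING_SESSION` / `|| sslerr == SSL_ERROR_PENDING_SESSION` lines inside the `if (sslerr == SSL_ERROR_WANT_X509_LOOKUP ...)` condition, is not in stock nginx's src/event/ngx_event_openssl.c; that condition is what the earlier OpenResty patches ssl_cert_cb_yield and ssl_sess_cb_yield put there, so this hunk only applies on top of them, in that order. The change itself is sound: OpenSSL 1.1.1 and later return SSL_ERROR_WANT_CLIENT_HELLO_CB from SSL_get_error() when the client hello callback returns SSL_CLIENT_HELLO_RETRY, and without this added alternative ngx_ssl_handshake() falls through to its error path, which is the "peer closed connection in SSL handshake" line and the immediate FIN seen in the logs. The `#ifdef` guard is correct as written, since older OpenSSL has no such code and the branch must compile out there.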

I can't find SSL_ERROR_WANT_X509_LOOKUP in any relevant place, not sure what's missing.

@lynch1981
Contributor

lynch1981 commented Dec 11, 2023

@ltning Sorry for the late reply as I've been busy settling in lately.
I found that @zhuizhuhaomeng added patches for nginx-1.25.1; if you update your nginx version you can use them.

I think the easiest way is to use nginx that comes in the openresty bundle which is fully patched

@ltning
Author

ltning commented Dec 11, 2023

Hey, no problem, thanks for returning to me on this. I'll give that a go; any idea when it'll be merged to an even-numbered nginx version?

@lynch1981
Contributor

no idea :)

@ltning
Author

ltning commented Dec 11, 2023

It still doesn't work; behaviour is exactly the same as before.

As a side note: I installed nginx-devel (1.25.3), which has
--add-dynamic-module=/wrkdirs/usr/ports/www/nginx-devel/work/lua-nginx-module-0.10.26rc1

but on startup I get:

NGINX: 2023/12/11 16:47:43 [alert] 39096#300544: failed to load the 'resty.core' module (https://github.com/openresty/lua-resty-core); ensure you are using an OpenResty release from https://openresty.org/en/download.html (reason: /usr/local/share/lua/5.1/resty/core/base.lua:24: ngx_http_lua_module 0.10.25 required) in /usr/local/etc/nginx/nginx.conf:143

I've checked base.lua around line 24, and added some debugging, and found that it needs to read
or ngx.config.ngx_lua_version ~= 10026
to match the current version.

@lynch1981
Contributor

I tested it and found that ssl patches can be installed successfully in this order.

patch -p1 < ~/git/openresty/patches/nginx-1.25.1-ssl_cert_cb_yield.patch
patch -p1 < ~/git/openresty/patches/nginx-1.25.1-ssl_sess_cb_yield.patch
patch -p1 < ~/git/openresty/patches/nginx-1.25.1-ssl_client_hello_cb_yield.patch

@lynch1981
Contributor

I found this bash script (openresty/util/mirror-tarballs) that uses this sequence to apply the ssl patches

Development

No branches or pull requests

3 participants