From 7a7cb2b3b745eadb0c2d3d7ee5789931f1731209 Mon Sep 17 00:00:00 2001 From: Alessandro Ghedini Date: Tue, 13 Sep 2016 22:31:32 +0100 Subject: [PATCH 1/6] bugfix: ssl: don't use SSLv3 in tests OpenSSL 1.1.0 disables SSLv3 by default. In order to disable SSL session tickets set ssl_session_tickets to off instead. --- t/142-ssl-session-store.t | 24 +++++++++++------------- t/143-ssl-session-fetch.t | 26 +++++++++++++------------- 2 files changed, 24 insertions(+), 26 deletions(-) diff --git a/t/142-ssl-session-store.t b/t/142-ssl-session-store.t index 5c9fad3..b595519 100644 --- a/t/142-ssl-session-store.t +++ b/t/142-ssl-session-store.t @@ -32,7 +32,7 @@ __DATA__ server_name test.com; ssl_certificate $TEST_NGINX_CERT_DIR/cert/test.crt; ssl_certificate_key $TEST_NGINX_CERT_DIR/cert/test.key; - ssl_protocols SSLv3; + ssl_session_tickets off; server_tokens off; } @@ -102,7 +102,7 @@ ssl_session_store_by_lua_block:1: ssl session store by lua is running! server_name test.com; ssl_certificate $TEST_NGINX_CERT_DIR/cert/test.crt; ssl_certificate_key $TEST_NGINX_CERT_DIR/cert/test.key; - ssl_protocols SSLv3; + ssl_session_tickets off; server_tokens off; } @@ -177,7 +177,7 @@ API disabled in the context of ssl_session_store_by_lua* server_name test.com; ssl_certificate $TEST_NGINX_CERT_DIR/cert/test.crt; ssl_certificate_key $TEST_NGINX_CERT_DIR/cert/test.key; - ssl_protocols SSLv3; + ssl_session_tickets off; server_tokens off; } @@ -267,9 +267,9 @@ my timer run! listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; server_name test.com; - ssl_protocols SSLv3; ssl_certificate $TEST_NGINX_CERT_DIR/cert/test.crt; ssl_certificate_key $TEST_NGINX_CERT_DIR/cert/test.key; + ssl_session_tickets off; server_tokens off; } @@ -335,9 +335,9 @@ API disabled in the context of ssl_session_store_by_lua* server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; server_name test.com; - ssl_protocols SSLv3; ssl_certificate $TEST_NGINX_CERT_DIR/cert/test.crt; ssl_certificate_key $TEST_NGINX_CERT_DIR/cert/test.key; + ssl_session_tickets off; server_tokens off; } @@ -407,9 +407,9 @@ ngx.exit does not yield and the error code is eaten. server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; server_name test.com; - ssl_protocols SSLv3; ssl_certificate $TEST_NGINX_CERT_DIR/cert/test.crt; ssl_certificate_key $TEST_NGINX_CERT_DIR/cert/test.key; + ssl_session_tickets off; server_tokens off; } @@ -480,9 +480,9 @@ ssl_session_store_by_lua*: handler return value: 0, sess new cb exit code: 0 server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; server_name test.com; - ssl_protocols SSLv3; ssl_certificate $TEST_NGINX_CERT_DIR/cert/test.crt; ssl_certificate_key $TEST_NGINX_CERT_DIR/cert/test.key; + ssl_session_tickets off; server_tokens off; } @@ -548,9 +548,9 @@ should never reached here server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; server_name test.com; - ssl_protocols SSLv3; ssl_certificate $TEST_NGINX_CERT_DIR/cert/test.crt; ssl_certificate_key $TEST_NGINX_CERT_DIR/cert/test.key; + ssl_session_tickets off; server_tokens off; } @@ -621,7 +621,7 @@ get_phase: ssl_session_store } ssl_certificate $TEST_NGINX_CERT_DIR/cert/test.crt; ssl_certificate_key $TEST_NGINX_CERT_DIR/cert/test.key; - ssl_protocols SSLv3; + ssl_session_tickets off; server_tokens off; } @@ -690,7 +690,7 @@ qr/elapsed in ssl cert by lua: 0.(?:09|1[01])\d+,/, server_name test.com; ssl_certificate $TEST_NGINX_CERT_DIR/cert/test.crt; ssl_certificate_key $TEST_NGINX_CERT_DIR/cert/test.key; - ssl_protocols SSLv3; + ssl_session_tickets off; server_tokens off; } @@ -760,7 +760,6 @@ a.lua:1: ssl store session by lua is running! ssl_session_store_by_lua_block { print("handler in test.com") } - ssl_protocols SSLv3; ssl_certificate $TEST_NGINX_CERT_DIR/cert/test.crt; ssl_certificate_key $TEST_NGINX_CERT_DIR/cert/test.key; @@ -770,7 +769,6 @@ a.lua:1: ssl store session by lua is running! server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; server_name test.com; - ssl_protocols SSLv3; ssl_certificate $TEST_NGINX_CERT_DIR/cert/test.crt; ssl_certificate_key $TEST_NGINX_CERT_DIR/cert/test.key; @@ -836,7 +834,7 @@ qr/\[emerg\] .*? "ssl_session_store_by_lua_block" directive is not allowed here server_name test.com; ssl_certificate $TEST_NGINX_CERT_DIR/cert/test.crt; ssl_certificate_key $TEST_NGINX_CERT_DIR/cert/test.key; - ssl_protocols SSLv3; + ssl_session_tickets off; server_tokens off; } diff --git a/t/143-ssl-session-fetch.t b/t/143-ssl-session-fetch.t index bd800ff..54f7a4a 100644 --- a/t/143-ssl-session-fetch.t +++ b/t/143-ssl-session-fetch.t @@ -33,7 +33,7 @@ __DATA__ server_name test.com; ssl_certificate $TEST_NGINX_CERT_DIR/cert/test.crt; ssl_certificate_key $TEST_NGINX_CERT_DIR/cert/test.key; - ssl_protocols SSLv3; + ssl_session_tickets off; server_tokens off; } @@ -114,7 +114,7 @@ qr/ssl_session_fetch_by_lua_block:1: ssl fetch sess by lua is running!/s server_name test.com; ssl_certificate $TEST_NGINX_CERT_DIR/cert/test.crt; ssl_certificate_key $TEST_NGINX_CERT_DIR/cert/test.key; - ssl_protocols SSLv3; + ssl_session_tickets off; server_tokens off; } @@ -198,7 +198,7 @@ qr/elapsed in ssl fetch session by lua: 0.(?:09|1[01])\d+,/, server_name test.com; ssl_certificate $TEST_NGINX_CERT_DIR/cert/test.crt; ssl_certificate_key $TEST_NGINX_CERT_DIR/cert/test.key; - ssl_protocols SSLv3; + ssl_session_tickets off; server_tokens off; } @@ -297,9 +297,9 @@ qr/my timer run!/s server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; server_name test.com; - ssl_protocols SSLv3; ssl_certificate $TEST_NGINX_CERT_DIR/cert/test.crt; ssl_certificate_key $TEST_NGINX_CERT_DIR/cert/test.key; + ssl_session_tickets off; server_tokens off; } @@ -377,9 +377,9 @@ qr/received memc reply: OK/s server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; server_name test.com; - ssl_protocols SSLv3; ssl_certificate $TEST_NGINX_CERT_DIR/cert/test.crt; ssl_certificate_key $TEST_NGINX_CERT_DIR/cert/test.key; + ssl_session_tickets off; server_tokens off; } @@ -458,9 +458,9 @@ should never reached here server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; server_name test.com; - ssl_protocols SSLv3; ssl_certificate $TEST_NGINX_CERT_DIR/cert/test.crt; ssl_certificate_key $TEST_NGINX_CERT_DIR/cert/test.key; + ssl_session_tickets off; server_tokens off; } @@ -540,9 +540,9 @@ should never reached here server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; server_name test.com; - ssl_protocols SSLv3; ssl_certificate $TEST_NGINX_CERT_DIR/cert/test.crt; ssl_certificate_key $TEST_NGINX_CERT_DIR/cert/test.key; + ssl_session_tickets off; server_tokens off; } @@ -621,9 +621,9 @@ should never reached here server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; server_name test.com; - ssl_protocols SSLv3; ssl_certificate $TEST_NGINX_CERT_DIR/cert/test.crt; ssl_certificate_key $TEST_NGINX_CERT_DIR/cert/test.key; + ssl_session_tickets off; server_tokens off; } @@ -704,9 +704,9 @@ should never reached here server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; server_name test.com; - ssl_protocols SSLv3; ssl_certificate $TEST_NGINX_CERT_DIR/cert/test.crt; ssl_certificate_key $TEST_NGINX_CERT_DIR/cert/test.key; + ssl_session_tickets off; server_tokens off; } @@ -787,7 +787,7 @@ should never reached here server_name test.com; ssl_certificate $TEST_NGINX_CERT_DIR/cert/test.crt; ssl_certificate_key $TEST_NGINX_CERT_DIR/cert/test.key; - ssl_protocols SSLv3; + ssl_session_tickets off; server_tokens off; } @@ -872,7 +872,7 @@ qr/get_phase: ssl_session_fetch/s } ssl_certificate $TEST_NGINX_CERT_DIR/cert/test.crt; ssl_certificate_key $TEST_NGINX_CERT_DIR/cert/test.key; - ssl_protocols SSLv3; + ssl_session_tickets off; server_tokens off; } @@ -956,7 +956,7 @@ ssl store session by lua is running! server_name test.com; ssl_certificate $TEST_NGINX_CERT_DIR/cert/test.crt; ssl_certificate_key $TEST_NGINX_CERT_DIR/cert/test.key; - ssl_protocols SSLv3; + ssl_session_tickets off; server_tokens off; } @@ -1036,7 +1036,7 @@ qr/\S+:\d+: ssl fetch sess by lua is running!/s server_name test.com; ssl_certificate $TEST_NGINX_CERT_DIR/cert/test.crt; ssl_certificate_key $TEST_NGINX_CERT_DIR/cert/test.key; - ssl_protocols SSLv3; + ssl_session_tickets off; server_tokens off; } From daeb42cb9463d7a25d4d64a2588721cb377fb75b Mon Sep 17 00:00:00 2001 From: Alessandro Ghedini Date: Thu, 12 May 2016 13:12:23 +0100 Subject: [PATCH 2/6] bugfix: ssl: do not access SSL_SESSION struct directly In OpenSSL 1.1.0 it was made opaque. --- src/ngx_http_lua_socket_tcp.c | 15 ++--- t/129-ssl-socket.t | 152 +++++++++++++++++++++--------------------- 2 files changed, 82 insertions(+), 85 deletions(-) diff --git a/src/ngx_http_lua_socket_tcp.c b/src/ngx_http_lua_socket_tcp.c index 6db6e2d..18352bf 100644 --- a/src/ngx_http_lua_socket_tcp.c +++ b/src/ngx_http_lua_socket_tcp.c @@ -1311,9 +1311,8 @@ ngx_http_lua_socket_tcp_sslhandshake(lua_State *L) return 2; } - ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0, - "lua ssl set session: %p:%d", - *psession, (*psession)->references); + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, + "lua ssl set session: %p", *psession); } } @@ -1577,9 +1576,8 @@ ngx_http_lua_ssl_handshake_retval_handler(ngx_http_request_t *r, } else { *ud = ssl_session; - ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0, - "lua ssl save session: %p:%d", ssl_session, - ssl_session->references); + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, + "lua ssl save session: %p", ssl_session); /* set up the __gc metamethod */ lua_pushlightuserdata(L, &ngx_http_lua_ssl_session_metatable_key); @@ -5356,9 +5354,8 @@ ngx_http_lua_ssl_free_session(lua_State *L) psession = lua_touserdata(L, 1); if (psession && *psession != NULL) { - ngx_log_debug2(NGX_LOG_DEBUG_HTTP, ngx_cycle->log, 0, - "lua ssl free session: %p:%d", *psession, - (*psession)->references); + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, ngx_cycle->log, 0, + "lua ssl free session: %p", *psession); ngx_ssl_free_session(*psession); } diff --git a/t/129-ssl-socket.t b/t/129-ssl-socket.t index cc14594..e7e6a98 100644 --- a/t/129-ssl-socket.t +++ b/t/129-ssl-socket.t @@ -108,10 +108,10 @@ sent http request: 59 bytes. received: HTTP/1.1 (?:200 OK|302 Found) close: 1 nil \z ---- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+:\d+/ +--- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+/ --- grep_error_log_out eval -qr/^lua ssl save session: ([0-9A-F]+):2 -lua ssl free session: ([0-9A-F]+):1 +qr/^lua ssl save session: ([0-9A-F]+) +lua ssl free session: ([0-9A-F]+) $/ --- no_error_log lua ssl server name: @@ -185,10 +185,10 @@ received: HTTP/1.1 401 Unauthorized close: 1 nil --- log_level: debug ---- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+:\d+/ +--- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+/ --- grep_error_log_out eval -qr/^lua ssl save session: ([0-9A-F]+):2 -lua ssl free session: ([0-9A-F]+):1 +qr/^lua ssl save session: ([0-9A-F]+) +lua ssl free session: ([0-9A-F]+) $/ --- no_error_log lua ssl server name: @@ -262,10 +262,10 @@ received: HTTP/1.1 200 OK close: 1 nil --- log_level: debug ---- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+:\d+/ +--- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+/ --- grep_error_log_out eval -qr/^lua ssl save session: ([0-9A-F]+):2 -lua ssl free session: ([0-9A-F]+):1 +qr/^lua ssl save session: ([0-9A-F]+) +lua ssl free session: ([0-9A-F]+) $/ --- error_log lua ssl server name: "iscribblet.org" @@ -349,13 +349,13 @@ sent http request: 59 bytes. received: HTTP/1.1 200 OK close: 1 nil ---- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+:\d+/ +--- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+/ --- grep_error_log_out eval -qr/^lua ssl save session: ([0-9A-F]+):2 -lua ssl set session: \1:2 -lua ssl save session: \1:3 -lua ssl free session: \1:2 -lua ssl free session: \1:1 +qr/^lua ssl save session: ([0-9A-F]+) +lua ssl set session: \1 +lua ssl save session: \1 +lua ssl free session: \1 +lua ssl free session: \1 $/ --- error_log @@ -437,7 +437,7 @@ failed to do SSL handshake: certificate host mismatch failed to send http request: closed --- log_level: debug ---- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+:\d+/ +--- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+/ --- grep_error_log_out --- error_log lua ssl server name: "blah.agentzh.org" @@ -517,7 +517,7 @@ failed to do SSL handshake: certificate host mismatch failed to send http request: closed --- log_level: debug ---- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+:\d+/ +--- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+/ --- grep_error_log_out --- error_log lua ssl server name: "blah.agentzh.org" @@ -592,10 +592,10 @@ received: HTTP/1.1 200 OK close: 1 nil --- log_level: debug ---- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+:\d+/ +--- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+/ --- grep_error_log_out eval -qr/^lua ssl save session: ([0-9A-F]+):2 -lua ssl free session: ([0-9A-F]+):1 +qr/^lua ssl save session: ([0-9A-F]+) +lua ssl free session: ([0-9A-F]+) $/ --- error_log @@ -677,10 +677,10 @@ received: HTTP/1.1 200 OK close: 1 nil --- log_level: debug ---- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+:\d+/ +--- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]++/ --- grep_error_log_out eval -qr/^lua ssl save session: ([0-9A-F]+):2 -lua ssl free session: ([0-9A-F]+):1 +qr/^lua ssl save session: ([0-9A-F]+) +lua ssl free session: ([0-9A-F]+) $/ --- error_log @@ -759,7 +759,7 @@ failed to do SSL handshake: 20: unable to get local issuer certificate failed to send http request: closed --- log_level: debug ---- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+:\d+/ +--- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+/ --- grep_error_log_out --- error_log lua ssl server name: "iscribblet.org" @@ -838,7 +838,7 @@ failed to do SSL handshake: 20: unable to get local issuer certificate failed to send http request: closed --- log_level: debug ---- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+:\d+/ +--- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+/ --- grep_error_log_out --- error_log lua ssl server name: "iscribblet.org" @@ -928,10 +928,10 @@ sent http request: 59 bytes. received: HTTP/1.1 (?:200 OK|302 Found) close: 1 nil \z ---- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+:\d+/ +--- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+/ --- grep_error_log_out eval -qr/^lua ssl save session: ([0-9A-F]+):2 -lua ssl free session: ([0-9A-F]+):1 +qr/^lua ssl save session: ([0-9A-F]+) +lua ssl free session: ([0-9A-F]+) $/ --- error_log lua ssl server name: "www.google.com" @@ -1018,7 +1018,7 @@ GET /t connected: 1 failed to do SSL handshake: 20: unable to get local issuer certificate ---- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+:\d+/ +--- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+/ --- grep_error_log_out --- error_log lua ssl server name: "www.google.com" @@ -1100,10 +1100,10 @@ received: HTTP/1.1 200 OK close: 1 nil --- log_level: debug ---- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+:\d+/ +--- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+/ --- grep_error_log_out eval -qr/^lua ssl save session: ([0-9A-F]+):2 -lua ssl free session: ([0-9A-F]+):1 +qr/^lua ssl save session: ([0-9A-F]+) +lua ssl free session: ([0-9A-F]+) $/ --- error_log @@ -1179,10 +1179,10 @@ received: HTTP/1.1 200 OK close: 1 nil --- log_level: debug ---- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+:\d+/ +--- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+/ --- grep_error_log_out eval -qr/^lua ssl save session: ([0-9A-F]+):2 -lua ssl free session: ([0-9A-F]+):1 +qr/^lua ssl save session: ([0-9A-F]+) +lua ssl free session: ([0-9A-F]+) $/ --- error_log lua ssl server name: "iscribblet.org" @@ -1259,10 +1259,10 @@ received: HTTP/1.1 200 OK close: 1 nil --- log_level: debug ---- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+:\d+/ +--- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+/ --- grep_error_log_out eval -qr/^lua ssl save session: ([0-9A-F]+):2 -lua ssl free session: ([0-9A-F]+):1 +qr/^lua ssl save session: ([0-9A-F]+) +lua ssl free session: ([0-9A-F]+) $/ --- error_log lua ssl server name: "iscribblet.org" @@ -1339,10 +1339,10 @@ received: HTTP/1.1 200 OK close: 1 nil --- log_level: debug ---- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+:\d+/ +--- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+/ --- grep_error_log_out eval -qr/^lua ssl save session: ([0-9A-F]+):2 -lua ssl free session: ([0-9A-F]+):1 +qr/^lua ssl save session: ([0-9A-F]+) +lua ssl free session: ([0-9A-F]+) $/ --- error_log lua ssl server name: "iscribblet.org" @@ -1417,7 +1417,7 @@ failed to do SSL handshake: handshake failed failed to send http request: closed --- log_level: debug ---- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+:\d+/ +--- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+/ --- grep_error_log_out --- error_log eval [ @@ -1493,10 +1493,10 @@ ssl handshake: userdata set keepalive: 1 nil --- log_level: debug ---- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+:\d+/ +--- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+/ --- grep_error_log_out eval -qr/^lua ssl save session: ([0-9A-F]+):2 -lua ssl free session: \1:2 +qr/^lua ssl save session: ([0-9A-F]+) +lua ssl free session: \1 $/ --- error_log @@ -1569,14 +1569,14 @@ ssl handshake: userdata set keepalive: 1 nil --- log_level: debug ---- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+:\d+/ +--- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+/ --- grep_error_log_out eval -qr/^lua ssl save session: ([0-9A-F]+):2 -lua ssl save session: \1:3 -lua ssl save session: \1:4 -lua ssl free session: \1:4 -lua ssl free session: \1:3 -lua ssl free session: \1:2 +qr/^lua ssl save session: ([0-9A-F]+) +lua ssl save session: \1 +lua ssl save session: \1 +lua ssl free session: \1 +lua ssl free session: \1 +lua ssl free session: \1 $/ --- error_log @@ -1620,7 +1620,7 @@ hello world --- response_body_like: 500 Internal Server Error --- error_code: 500 --- log_level: debug ---- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+:\d+/ +--- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+/ --- grep_error_log_out --- error_log attempt to call method 'sslhandshake' (a nil value) @@ -1719,10 +1719,10 @@ $::TestCertificateKey >>> test.crt $::TestCertificate" ---- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+:\d+/ +--- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+/ --- grep_error_log_out eval -qr/^lua ssl save session: ([0-9A-F]+):2 -lua ssl free session: ([0-9A-F]+):1 +qr/^lua ssl save session: ([0-9A-F]+) +lua ssl free session: ([0-9A-F]+) $/ --- no_error_log lua ssl server name: @@ -1824,10 +1824,10 @@ $::TestCertificateKey >>> test.crt $::TestCertificate" ---- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+:\d+/ +--- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+/ --- grep_error_log_out eval -qr/^lua ssl save session: ([0-9A-F]+):2 -lua ssl free session: ([0-9A-F]+):1 +qr/^lua ssl save session: ([0-9A-F]+) +lua ssl free session: ([0-9A-F]+) $/ --- error_log lua ssl server name: "test.com" @@ -1917,7 +1917,7 @@ failed to do SSL handshake: handshake failed ">>> test.crt $::TestCertificate" ---- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+:\d+/ +--- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+/ --- grep_error_log_out --- error_log eval qr/SSL_do_handshake\(\) failed .*?unknown protocol/ @@ -2016,7 +2016,7 @@ $::TestCertificate >>> test.crl $::TestCRL" ---- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+:\d+/ +--- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+/ --- grep_error_log_out --- error_log lua ssl server name: "test.com" @@ -2095,12 +2095,12 @@ received: HTTP/1.1 200 OK close: 1 nil --- log_level: debug ---- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+:\d+/ +--- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+/ --- grep_error_log_out eval -qr/^lua ssl save session: ([0-9A-F]+):2 -lua ssl save session: ([0-9A-F]+):3 -lua ssl free session: ([0-9A-F]+):2 -lua ssl free session: ([0-9A-F]+):1 +qr/^lua ssl save session: ([0-9A-F]+) +lua ssl save session: ([0-9A-F]+) +lua ssl free session: ([0-9A-F]+) +lua ssl free session: ([0-9A-F]+) $/ --- error_log lua ssl server name: "iscribblet.org" @@ -2154,7 +2154,7 @@ connected: 1 failed to do SSL handshake: timeout --- log_level: debug ---- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+:\d+/ +--- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+/ --- grep_error_log_out --- error_log lua ssl server name: "iscribblet.org" @@ -2226,7 +2226,7 @@ $::TestCertificateKey >>> test.crt $::TestCertificate" ---- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+:\d+/ +--- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+/ --- grep_error_log_out --- no_error_log lua ssl server name: @@ -2297,10 +2297,10 @@ $::TestCertificateKey >>> test.crt $::TestCertificate" ---- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+:\d+/ +--- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+/ --- grep_error_log_out eval -qr/^lua ssl save session: ([0-9A-F]+):2 -lua ssl free session: ([0-9A-F]+):1 +qr/^lua ssl save session: ([0-9A-F]+) +lua ssl free session: ([0-9A-F]+) $/ --- no_error_log lua ssl server name: @@ -2377,7 +2377,7 @@ $::TestCertificateKey >>> test.crt $::TestCertificate" ---- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+:\d+/ +--- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+/ --- grep_error_log_out --- no_error_log lua ssl server name: @@ -2479,10 +2479,10 @@ $::TestCertificateKey >>> test.crt $::TestCertificate" ---- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+:\d+/ +--- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+/ --- grep_error_log_out eval -qr/^lua ssl save session: ([0-9A-F]+):2 -lua ssl free session: ([0-9A-F]+):1 +qr/^lua ssl save session: ([0-9A-F]+) +lua ssl free session: ([0-9A-F]+) $/ --- error_log --- no_error_log @@ -2575,7 +2575,7 @@ $::TestCertificateKey >>> test.crt $::TestCertificate" ---- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+:\d+/ +--- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+/ --- grep_error_log_out --- error_log lua ssl certificate verify error: (18: self signed certificate) From 7206c8f6fe10136e458d4b3c7ae2b696bd4c8983 Mon Sep 17 00:00:00 2001 From: Alessandro Ghedini Date: Thu, 12 May 2016 13:17:52 +0100 Subject: [PATCH 3/6] bugfix: ssl: do not set tlsext_status_expected flag In OpenSSL 1.1.0 the SSL struct was made opaque, and setting this flag manually is not required anyway since OpenSSL already does that automatically when ngx_http_lua_ssl_empty_status_callback() returns "OK" (which is always), and an OCSP response has been set. --- src/ngx_http_lua_ssl_ocsp.c | 1 - 1 file changed, 1 deletion(-) diff --git a/src/ngx_http_lua_ssl_ocsp.c b/src/ngx_http_lua_ssl_ocsp.c index 3904aa8..31b4f24 100644 --- a/src/ngx_http_lua_ssl_ocsp.c +++ b/src/ngx_http_lua_ssl_ocsp.c @@ -490,7 +490,6 @@ ngx_http_lua_ffi_ssl_set_ocsp_status_resp(ngx_http_request_t *r, dd("set ocsp resp: resp_len=%d", (int) resp_len); (void) SSL_set_tlsext_status_ocsp_resp(ssl_conn, p, resp_len); - ssl_conn->tlsext_status_expected = 1; return NGX_OK; From 96f39afab912c06fc76f2b18a70130ab41b00f12 Mon Sep 17 00:00:00 2001 From: Alessandro Ghedini Date: Fri, 10 Jun 2016 13:23:21 +0100 Subject: [PATCH 4/6] bugfix: ssl: do not access SSL struct directly for tlsext_status_type In OpenSSL 1.1.0 it was made opaque, and a getter function was added. --- src/ngx_http_lua_ssl_ocsp.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/ngx_http_lua_ssl_ocsp.c b/src/ngx_http_lua_ssl_ocsp.c index 31b4f24..9ec8b50 100644 --- a/src/ngx_http_lua_ssl_ocsp.c +++ b/src/ngx_http_lua_ssl_ocsp.c @@ -468,7 +468,11 @@ ngx_http_lua_ffi_ssl_set_ocsp_status_resp(ngx_http_request_t *r, return NGX_ERROR; } +#ifdef SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE + if (SSL_get_tlsext_status_type(ssl_conn) == -1) { +#else if (ssl_conn->tlsext_status_type == -1) { +#endif dd("no ocsp status req from client"); return NGX_DECLINED; } From 26d6bbefb78cc72d14961a8166ffc3cb67611b6f Mon Sep 17 00:00:00 2001 From: Alessandro Ghedini Date: Tue, 13 Sep 2016 22:19:10 +0100 Subject: [PATCH 5/6] bugfix: ssl: make SSL session callback build with OpenSSL 1.1.0 --- src/ngx_http_lua_ssl_session_fetchby.c | 9 ++++++--- src/ngx_http_lua_ssl_session_fetchby.h | 6 +++++- src/ngx_http_lua_ssl_session_storeby.c | 8 ++++++-- 3 files changed, 17 insertions(+), 6 deletions(-) diff --git a/src/ngx_http_lua_ssl_session_fetchby.c b/src/ngx_http_lua_ssl_session_fetchby.c index 4c450b5..6212c60 100644 --- a/src/ngx_http_lua_ssl_session_fetchby.c +++ b/src/ngx_http_lua_ssl_session_fetchby.c @@ -171,8 +171,11 @@ ngx_http_lua_ssl_sess_fetch_by_lua(ngx_conf_t *cf, ngx_command_t *cmd, /* cached session fetching callback to be set with SSL_CTX_sess_set_get_cb */ ngx_ssl_session_t * -ngx_http_lua_ssl_sess_fetch_handler(ngx_ssl_conn_t *ssl_conn, u_char *id, - int len, int *copy) +ngx_http_lua_ssl_sess_fetch_handler(ngx_ssl_conn_t *ssl_conn, +#if OPENSSL_VERSION_NUMBER >= 0x10100003L + const +#endif + u_char *id, int len, int *copy) { lua_State *L; ngx_int_t rc; @@ -284,7 +287,7 @@ ngx_http_lua_ssl_sess_fetch_handler(ngx_ssl_conn_t *ssl_conn, u_char *id, cctx->exit_code = 1; /* successful by default */ cctx->connection = c; cctx->request = r; - cctx->session_id.data = id; + cctx->session_id.data = (u_char *) id; cctx->session_id.len = len; cctx->entered_sess_fetch_handler = 1; cctx->done = 0; diff --git a/src/ngx_http_lua_ssl_session_fetchby.h b/src/ngx_http_lua_ssl_session_fetchby.h index 5a6f96f..50c6616 100644 --- a/src/ngx_http_lua_ssl_session_fetchby.h +++ b/src/ngx_http_lua_ssl_session_fetchby.h @@ -25,7 +25,11 @@ char *ngx_http_lua_ssl_sess_fetch_by_lua_block(ngx_conf_t *cf, ngx_command_t *cmd, void *conf); ngx_ssl_session_t *ngx_http_lua_ssl_sess_fetch_handler( - ngx_ssl_conn_t *ssl_conn, u_char *id, int len, int *copy); + ngx_ssl_conn_t *ssl_conn, +#if OPENSSL_VERSION_NUMBER >= 0x10100003L + const +#endif + u_char *id, int len, int *copy); #endif diff --git a/src/ngx_http_lua_ssl_session_storeby.c b/src/ngx_http_lua_ssl_session_storeby.c index b5596bc..85dbece 100644 --- a/src/ngx_http_lua_ssl_session_storeby.c +++ b/src/ngx_http_lua_ssl_session_storeby.c @@ -172,6 +172,8 @@ int ngx_http_lua_ssl_sess_store_handler(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess) { + const u_char *sess_id; + unsigned int sess_id_len; lua_State *L; ngx_int_t rc; ngx_connection_t *c, *fc = NULL; @@ -246,11 +248,13 @@ ngx_http_lua_ssl_sess_store_handler(ngx_ssl_conn_t *ssl_conn, } } + sess_id = SSL_SESSION_get_id(sess, &sess_id_len); + cctx->connection = c; cctx->request = r; cctx->session = sess; - cctx->session_id.data = sess->session_id; - cctx->session_id.len = sess->session_id_length; + cctx->session_id.data = (u_char *) sess_id; + cctx->session_id.len = sess_id_len; cctx->done = 0; dd("setting cctx"); From ac7dc8f7fdc391301db5c8e35a7113b86d492b56 Mon Sep 17 00:00:00 2001 From: Alessandro Ghedini Date: Mon, 28 Nov 2016 21:01:00 +0000 Subject: [PATCH 6/6] bugfix: ssl: don't use RC4 in tests RC4 ciphers are deprecated and disabled by default in OpenSSL 1.1.0. --- t/129-ssl-socket.t | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/t/129-ssl-socket.t b/t/129-ssl-socket.t index e7e6a98..ebb6555 100644 --- a/t/129-ssl-socket.t +++ b/t/129-ssl-socket.t @@ -1129,7 +1129,7 @@ SSL reused session sock:settimeout(2000) do - local ok, err = sock:connect("iscribblet.org", 443) + local ok, err = sock:connect("openresty.org", 443) if not ok then ngx.say("failed to connect: ", err) return @@ -1137,7 +1137,7 @@ SSL reused session ngx.say("connected: ", ok) - local session, err = sock:sslhandshake(nil, "iscribblet.org") + local session, err = sock:sslhandshake(nil, "openresty.org") if not session then ngx.say("failed to do SSL handshake: ", err) return @@ -1145,7 +1145,7 @@ SSL reused session ngx.say("ssl handshake: ", type(session)) - local req = "GET / HTTP/1.1\\r\\nHost: iscribblet.org\\r\\nConnection: close\\r\\n\\r\\n" + local req = "GET /en/ HTTP/1.1\\r\\nHost: openresty.org\\r\\nConnection: close\\r\\n\\r\\n" local bytes, err = sock:send(req) if not bytes then ngx.say("failed to send http request: ", err) @@ -1174,7 +1174,7 @@ GET /t --- response_body connected: 1 ssl handshake: userdata -sent http request: 59 bytes. +sent http request: 61 bytes. received: HTTP/1.1 200 OK close: 1 nil @@ -1185,8 +1185,8 @@ qr/^lua ssl save session: ([0-9A-F]+) lua ssl free session: ([0-9A-F]+) $/ --- error_log -lua ssl server name: "iscribblet.org" -SSL: TLSv1.2, cipher: "ECDHE-RSA-RC4-SHA SSLv3 +lua ssl server name: "openresty.org" +SSL: TLSv1.2, cipher: "ECDHE-RSA-AES128-GCM-SHA256 --- no_error_log SSL reused session [error] @@ -1199,7 +1199,7 @@ SSL reused session --- config server_tokens off; resolver $TEST_NGINX_RESOLVER ipv6=off; - lua_ssl_ciphers RC4-SHA; + lua_ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256; location /t { #set $port 5000; set $port $TEST_NGINX_MEMCACHED_PORT; @@ -1266,7 +1266,7 @@ lua ssl free session: ([0-9A-F]+) $/ --- error_log lua ssl server name: "iscribblet.org" -SSL: TLSv1.2, cipher: "RC4-SHA SSLv3 +SSL: TLSv1.2, cipher: "ECDHE-RSA-AES128-GCM-SHA256 --- no_error_log SSL reused session [error] @@ -1346,7 +1346,7 @@ lua ssl free session: ([0-9A-F]+) $/ --- error_log lua ssl server name: "iscribblet.org" -SSL: TLSv1, cipher: "ECDHE-RSA-RC4-SHA SSLv3 +SSL: TLSv1 --- no_error_log SSL reused session [error]