
tlshandshake not support #159

Open
dadins opened this issue May 27, 2022 · 6 comments

Comments

@dadins

dadins commented May 27, 2022

ngx.socket.tcp() does not have the method tlshandshake()

@tzssangglass
Contributor

Can you describe it in more detail? I don't know what you are trying to say.

In fact, we added the tlshandshake patch to apisix-base. see: https://github.com/api7/apisix-nginx-module/blob/main/patch/README.md

@danischroeter

Hi @tzssangglass
I've been trying to use lua-resty-etcd in openresty and probably hit the same problem as @dadins

The underlying socket does not provide the tlshandshake function, and thus http_connect.lua falls back to ssl_handshake.

I added a debug log to show this (http_connect.lua):

```lua
if ssl and sock:getreusedtimes() == 0 then
    local ok, err
    if not sock.tlshandshake then
        -- stock OpenResty cosocket: no tlshandshake(), so client cert options cannot be passed
        ngx.log(ngx.DEBUG, "sock does not provide tlshandshake - fallback to ssl_handshake")
        ok, err = self:ssl_handshake(nil, ssl_server_name, ssl_verify, ssl_send_status_req)
    -- the branch that calls sock:tlshandshake() follows in the original file
    end
end
```

and when testing it:

*171 [lua] http_connect.lua:230: connect(): sock does not provide tlshandshake - fallback to ssl_handshake

This hurts in my case since this way the provided client certificate details (ssl_cert_path, ssl_key_path) get ignored silently and the etcd connect fails with SSL_do_handshake() failed (SSL: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:SSL alert number 42)
and etcd logs:
etcd[24950]: rejected connection from "127.0.0.1:39500" (error "tls: client didn't provide a certificate"

Is there a way to get client cert based authentication vs etcd to work with a stock openresty?
I run:

openresty -v
nginx version: openresty/1.21.4.1
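A fail-closed variant of the fallback described above, as an added example that is not lua-resty-etcd's or apisix-base's own code: when a client certificate is configured but the cosocket lacks tlshandshake(), it returns an error instead of silently connecting without the certificate. The option field names and the tlshandshake() option table are assumptions modelled on lua-resty-etcd and the apisix-nginx-module patch, not taken from this issue.

```lua
-- Added example, not lua-resty-etcd's or apisix-base's own code: a handshake
-- helper that fails closed instead of silently dropping mTLS settings.
-- Assumptions (not from the issue): `opts` uses lua-resty-etcd's field names
-- (ssl_cert_path, ssl_key_path, ssl_verify, ssl_server_name), and the patched
-- tlshandshake() takes { verify, server_name, client_cert, client_priv_key }.
local ngx_ssl = require("ngx.ssl")
local _M = {}

local function read_file(path)
    local f, err = io.open(path, "r")
    if not f then return nil, err end
    local data = f:read("*a")
    f:close()
    return data
end

-- true only when the running OpenResty carries the tlshandshake patch
function _M.has_tlshandshake(sock)
    return type(sock.tlshandshake) == "function"
end

-- Returns ok, err. With a client cert configured and no tlshandshake(),
-- returns an error rather than falling back to sslhandshake(), which would
-- connect without the cert and trigger etcd's
-- "client didn't provide a certificate" rejection seen above.
function _M.handshake(sock, opts)
    local wants_mtls = opts.ssl_cert_path ~= nil or opts.ssl_key_path ~= nil
    if not _M.has_tlshandshake(sock) then
        if wants_mtls then
            return nil, "client certificate configured but ngx.socket.tcp() has "
                     .. "no tlshandshake(); use apisix-base or apply the patches"
        end
        -- plain server-authenticated TLS is all the stock cosocket can do
        return sock:sslhandshake(nil, opts.ssl_server_name, opts.ssl_verify)
    end

    local tls_opts = { verify = opts.ssl_verify, server_name = opts.ssl_server_name }
    if wants_mtls then
        local cert_pem, err = read_file(opts.ssl_cert_path)
        if not cert_pem then return nil, "read cert: " .. err end
        local key_pem, kerr = read_file(opts.ssl_key_path)
        if not key_pem then return nil, "read key: " .. kerr end
        tls_opts.client_cert, err = ngx_ssl.parse_pem_cert(cert_pem)
        if not tls_opts.client_cert then return nil, "parse cert: " .. err end
        tls_opts.client_priv_key, err = ngx_ssl.parse_pem_priv_key(key_pem)
        if not tls_opts.client_priv_key then return nil, "parse key: " .. err end
    end
    return sock:tlshandshake(tls_opts)
end

return _M
```

Calling `_M.handshake(sock, opts)` in place of the silent fallback turns the misconfiguration into a visible connect error on stock OpenResty while keeping the patched path unchanged.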

@tzssangglass
Contributor

> Is there a way to get client cert based authentication vs etcd to work with a stock openresty?

In fact, this is already implemented in APISIX. ref: https://github.com/apache/apisix/pull/7540/files#diff-50936d6780259bf539f3e60ae8008e586e5ec0185ae2a1997133f07585d900af

This requires patching ngx.socket.tcp; this is the patch: https://github.com/api7/apisix-nginx-module/blob/main/patch/1.21.4/lua-resty-core-tlshandshake.patch

@danischroeter

Hi @tzssangglass
Thx a lot for the quick response!

I manually applied the referenced patch directly to a dev openresty. Now when I try to start openresty I get this:

[alert] 22218#22218: failed to load the 'resty.core' module (https://github.com/openresty/lua-resty-core); ensure you are using an OpenResty release from https://openresty.org/en/download.html (reason: /usr/local/openresty/lualib/resty/core/socket/tcp.lua:52: /usr/local/openresty/luajit/lib/libluajit-5.1.so.2: undefined symbol: ngx_http_lua_ffi_socket_tcp_tlshandshake) in /etc/nginx/nginx.conf:86

I think the patch version and the openresty version do match, right?

https://raw.githubusercontent.com/api7/apisix-nginx-module/main/patch/1.21.4/lua-resty-core-tlshandshake.patch
-> 
openresty -v
nginx version: openresty/1.21.4.1

Is there something obvious that I might have missed?

@tzssangglass
Contributor

tzssangglass commented Jul 30, 2022

> [alert] 22218#22218: failed to load the 'resty.core' module (https://github.com/openresty/lua-resty-core); ensure you are using an OpenResty release from https://openresty.org/en/download.html (reason: /usr/local/openresty/lualib/resty/core/socket/tcp.lua:52: /usr/local/openresty/luajit/lib/libluajit-5.1.so.2: undefined symbol: ngx_http_lua_ffi_socket_tcp_tlshandshake) in /etc/nginx/nginx.conf:86

Try https://github.com/api7/apisix-nginx-module/blob/main/patch/1.21.4/ngx_lua-tlshandshake.patch; maybe this patch needs to be added as well.

@Hanoboo

Hanoboo commented May 20, 2024

> [alert] 22218#22218: failed to load the 'resty.core' module (https://github.com/openresty/lua-resty-core); ensure you are using an OpenResty release from https://openresty.org/en/download.html (reason: /usr/local/openresty/lualib/resty/core/socket/tcp.lua:52: /usr/local/openresty/luajit/lib/libluajit-5.1.so.2: undefined symbol: ngx_http_lua_ffi_socket_tcp_tlshandshake) in /etc/nginx/nginx.conf:86

> try: https://github.com/api7/apisix-nginx-module/blob/main/patch/1.21.4/ngx_lua-tlshandshake.patch, maybe this patch needs to be added

The src/ngx_http_lua_socket_tcp.c file was not found in my openresty directory; my version is openresty/1.21.4.2. How do I apply this patch?
