From 987ce6435777aa7c1cc29d9e84493efc7c68bef3 Mon Sep 17 00:00:00 2001
From: willmafh
Date: Sun, 19 Oct 2025 17:18:55 +0800
Subject: [PATCH 1/6] ci fix
---
t/169-proxy-ssl-verify.t | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/t/169-proxy-ssl-verify.t b/t/169-proxy-ssl-verify.t
index 4c44a8b9be..43e5178ef9 100644
--- a/t/169-proxy-ssl-verify.t
+++ b/t/169-proxy-ssl-verify.t
@@ -1230,7 +1230,7 @@ proxy_ssl_verify_by_lua: cert verify callback aborted === TEST 25: cosocket --- http_config server { - listen *:80; + listen 127.0.0.1:$TEST_NGINX_RAND_PORT_1; server_name test.com; server_tokens off;
@@ -1279,7 +1279,7 @@ proxy_ssl_verify_by_lua: cert verify callback aborted local sock = ngx.socket.tcp() sock:settimeout(2000) - local ok, err = sock:connect("127.0.0.1", "80") + local ok, err = sock:connect("127.0.0.1", $TEST_NGINX_RAND_PORT_1) if not ok then ngx.log(ngx.ERR, "failed to connect: ", err) return
From d6e5e42fdb6ef2bbe90f2e8b081e3be1f2cc57da Mon Sep 17 00:00:00 2001
From: willmafh
Date: Sun, 19 Oct 2025 18:48:38 +0800
Subject: [PATCH 2/6] tests: ci fix
---
t/169-proxy-ssl-verify.t | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/t/169-proxy-ssl-verify.t b/t/169-proxy-ssl-verify.t
index 43e5178ef9..89673fcdec 100644
--- a/t/169-proxy-ssl-verify.t
+++ b/t/169-proxy-ssl-verify.t
@@ -8,8 +8,13 @@ repeat_each(3); my $NginxBinary = $ENV{'TEST_NGINX_BINARY'} || 'nginx'; my $openssl_version = eval { `$NginxBinary -V 2>&1` }; -if ($openssl_version =~ m/built with OpenSSL (0\S*|1\.0\S*|1\.1\.0\S*)/) { - plan(skip_all => "too old OpenSSL, need 1.1.1, was $1"); +if ($openssl_version =~ m/built with OpenSSL (\d+)\.(\d+)\.(\d+)/) { + my ($major, $minor, $patch) = ($1, $2, $3); + + if ($major < 3 || ($major == 3 && $minor == 0 && $patch < 2)) { + plan(skip_all => "too old OpenSSL, need >= 3.0.2, was " . + "$major.$minor.$patch"); + } } elsif ($openssl_version =~ m/running with BoringSSL/) { plan(skip_all => "does not support BoringSSL"); } elsif ($ENV{TEST_NGINX_USE_HTTP3}) {
From 8a4df957a805c2161744132fd49acc20c30e587e Mon Sep 17 00:00:00 2001
From: willmafh
Date: Sun, 19 Oct 2025 21:14:24 +0800
Subject: [PATCH 3/6] bugfix: macros to guard boringssl build failure and fixed ci
---
src/ngx_http_lua_proxy_ssl_verifyby.c | 93 ++++++++++++++++++++++++++-
1 file changed, 92 insertions(+), 1 deletion(-)
diff --git a/src/ngx_http_lua_proxy_ssl_verifyby.c b/src/ngx_http_lua_proxy_ssl_verifyby.c
index 339522bab3..5b7e0e686d 100644
--- a/src/ngx_http_lua_proxy_ssl_verifyby.c
+++ b/src/ngx_http_lua_proxy_ssl_verifyby.c
@@ -33,13 +33,20 @@ ngx_int_t ngx_http_lua_proxy_ssl_verify_set_callback(ngx_conf_t *cf) { -#ifdef LIBRESSL_VERSION_NUMBER +#if defined(LIBRESSL_VERSION_NUMBER) ngx_log_error(NGX_LOG_EMERG, cf->log, 0, "LibreSSL does not support by proxy_ssl_verify_by_lua*"); return NGX_ERROR; +#elif defined(OPENSSL_IS_BORINGSSL) + + ngx_log_error(NGX_LOG_EMERG, cf->log, 0, + "BoringSSL does not support by proxy_ssl_verify_by_lua*"); + + return NGX_ERROR; + #else void *plcf;
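Review bot: The new BoringSSL branch in ngx_http_lua_proxy_ssl_verify_set_callback copies the wording slip of the LibreSSL message, `"BoringSSL does not support by proxy_ssl_verify_by_lua*"`. This is the EMERG line an operator sees when the verify hook cannot be installed, so something like `"proxy_ssl_verify_by_lua* is not supported with BoringSSL"` would read more clearly. The same text is repeated in the guards this patch adds to ngx_http_lua_proxy_ssl_verify_by_lua and ngx_http_lua_proxy_ssl_verify_handler. The function body continues outside this hunk.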
@@ -150,6 +157,22 @@ char * ngx_http_lua_proxy_ssl_verify_by_lua(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) { +#if defined(LIBRESSL_VERSION_NUMBER) + + ngx_log_error(NGX_LOG_EMERG, cf->log, 0, + "LibreSSL does not support by proxy_ssl_verify_by_lua*"); + + return NGX_CONF_ERROR; + +#elif defined(OPENSSL_IS_BORINGSSL) + + ngx_log_error(NGX_LOG_EMERG, cf->log, 0, + "BoringSSL does not support by proxy_ssl_verify_by_lua*"); + + return NGX_CONF_ERROR; + +#else + #if (!defined SSL_ERROR_WANT_RETRY_VERIFY \ || OPENSSL_VERSION_NUMBER < 0x30000020L)
@@ -231,12 +254,30 @@ ngx_http_lua_proxy_ssl_verify_by_lua(ngx_conf_t *cf, ngx_command_t *cmd, return NGX_CONF_OK; #endif /* SSL_ERROR_WANT_RETRY_VERIFY */ + +#endif } int ngx_http_lua_proxy_ssl_verify_handler(X509_STORE_CTX *x509_store, void *arg) { +#if defined(LIBRESSL_VERSION_NUMBER) + + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, + "LibreSSL does not support by proxy_ssl_verify_by_lua*"); + + return 1; + +#elif defined(OPENSSL_IS_BORINGSSL) + + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, + "BoringSSL does not support by proxy_ssl_verify_by_lua*"); + + return 1; + +#else + lua_State *L; ngx_int_t rc; ngx_connection_t *c;
@@ -377,6 +418,8 @@ ngx_http_lua_proxy_ssl_verify_handler(X509_STORE_CTX *x509_store, void *arg) } return 0; /* verify failure or error */ + +#endif }
@@ -553,6 +596,20 @@ int ngx_http_lua_ffi_proxy_ssl_set_verify_result(ngx_http_request_t *r, int verify_result, char **err) { +#if defined(LIBRESSL_VERSION_NUMBER) + + *err = "LibreSSL does not support this function"; + + return NGX_ERROR; + +#elif defined(OPENSSL_IS_BORINGSSL) + + *err = "BoringSSL does not support this function"; + + return NGX_ERROR; + +#else + #ifdef SSL_ERROR_WANT_RETRY_VERIFY ngx_http_upstream_t *u; ngx_ssl_conn_t *ssl_conn;
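Review bot: The LibreSSL and BoringSSL branches added at the top of ngx_http_lua_proxy_ssl_verify_handler end in `return 1;`, which reports success from a certificate-verify callback (the function's own failure path is `return 0; /* verify failure or error */`), so on an unsupported build the upstream certificate would be accepted unchecked. ngx_http_lua_proxy_ssl_verify_set_callback already refuses these libraries at configuration time, so the branch should be unreachable, but failing closed with `return 0;` is the safer default. The same two branches log through `c->log` although `c` is only declared in the `#else` part; this presumably compiles only because ngx_log_debug0 expands to nothing without debug logging, so either drop the log call or obtain the connection first. The later re-indentation of these lines (patch 4/6) leaves both issues in place. The handler's body continues outside this hunk.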
@@ -598,12 +655,28 @@ ngx_http_lua_ffi_proxy_ssl_set_verify_result(ngx_http_request_t *r, return NGX_ERROR; #endif + +#endif } int ngx_http_lua_ffi_proxy_ssl_get_verify_result(ngx_http_request_t *r, char **err) { +#if defined(LIBRESSL_VERSION_NUMBER) + + *err = "LibreSSL does not support this function"; + + return NGX_ERROR; + +#elif defined(OPENSSL_IS_BORINGSSL) + + *err = "BoringSSL does not support this function"; + + return NGX_ERROR; + +#else + #ifdef SSL_ERROR_WANT_RETRY_VERIFY ngx_http_upstream_t *u; ngx_ssl_conn_t *ssl_conn;
@@ -647,6 +720,8 @@ ngx_http_lua_ffi_proxy_ssl_get_verify_result(ngx_http_request_t *r, char **err) return NGX_ERROR; #endif + +#endif }
@@ -662,6 +737,20 @@ ngx_http_lua_ffi_proxy_ssl_free_verify_cert(void *cdata) void * ngx_http_lua_ffi_proxy_ssl_get_verify_cert(ngx_http_request_t *r, char **err) { +#if defined(LIBRESSL_VERSION_NUMBER) + + *err = "LibreSSL does not support this function"; + + return NGX_ERROR; + +#elif defined(OPENSSL_IS_BORINGSSL) + + *err = "BoringSSL does not support this function"; + + return NGX_ERROR; + +#else + #ifdef SSL_ERROR_WANT_RETRY_VERIFY ngx_http_upstream_t *u; ngx_ssl_conn_t *ssl_conn;
@@ -713,6 +802,8 @@ ngx_http_lua_ffi_proxy_ssl_get_verify_cert(ngx_http_request_t *r, char **err) return NULL; #endif + +#endif }
From 560439850edfc431b627634f196630a05e25e323 Mon Sep 17 00:00:00 2001
From: willmafh
Date: Sun, 19 Oct 2025 21:24:37 +0800
Subject: [PATCH 4/6] style: ngx-releng style check and fix
---
src/ngx_http_lua_proxy_ssl_verifyby.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/ngx_http_lua_proxy_ssl_verifyby.c b/src/ngx_http_lua_proxy_ssl_verifyby.c
index 5b7e0e686d..1cb1d980e4 100644
--- a/src/ngx_http_lua_proxy_ssl_verifyby.c
+++ b/src/ngx_http_lua_proxy_ssl_verifyby.c
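Review bot: In ngx_http_lua_ffi_proxy_ssl_get_verify_cert the two new early exits use `return NGX_ERROR;`, but the function returns `void *` and its existing fallback path ends in `return NULL;`. Returning the integer error code yields a non-NULL pointer value (and an int-to-pointer conversion diagnostic), so a caller that tests the result against NULL would treat it as a certificate handle and may later pass it to ngx_http_lua_ffi_proxy_ssl_free_verify_cert. Both branches should read `return NULL;` after setting `*err`. The function body continues outside this hunk.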
@@ -265,14 +265,14 @@ ngx_http_lua_proxy_ssl_verify_handler(X509_STORE_CTX *x509_store, void *arg) #if defined(LIBRESSL_VERSION_NUMBER) ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, - "LibreSSL does not support by proxy_ssl_verify_by_lua*"); + "LibreSSL does not support by proxy_ssl_verify_by_lua*"); return 1; #elif defined(OPENSSL_IS_BORINGSSL) ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, - "BoringSSL does not support by proxy_ssl_verify_by_lua*"); + "BoringSSL does not support by proxy_ssl_verify_by_lua*"); return 1;
From c8d7a87bc14a4dc805d52ec2fc7881f5c73ae612 Mon Sep 17 00:00:00 2001
From: willmafh
Date: Sun, 19 Oct 2025 22:14:59 +0800
Subject: [PATCH 5/6] bugfix: test case fix
---
t/169-proxy-ssl-verify.t | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/t/169-proxy-ssl-verify.t b/t/169-proxy-ssl-verify.t
index 89673fcdec..ab3ae2e837 100644
--- a/t/169-proxy-ssl-verify.t
+++ b/t/169-proxy-ssl-verify.t
@@ -1325,7 +1325,7 @@ simple logging return connected: 1 sent http request: 56 bytes. received: HTTP/1.1 201 Created -received: Server: openresty +received: Server: nginx received: Content-Type: text/plain received: Content-Length: 4 received: Connection: close
From ad9571438b6894ba33fe3d89e7e1c3c69ab2e68b Mon Sep 17 00:00:00 2001
From: lijunlong
Date: Mon, 20 Oct 2025 09:21:21 +0800
Subject: [PATCH 6/6] more fixes
---
t/169-proxy-ssl-verify.t | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/t/169-proxy-ssl-verify.t b/t/169-proxy-ssl-verify.t
index ab3ae2e837..95ecc1f3a7 100644
--- a/t/169-proxy-ssl-verify.t
+++ b/t/169-proxy-ssl-verify.t
@@ -14,13 +14,13 @@ if ($openssl_version =~ m/built with OpenSSL (\d+)\.(\d+)\.(\d+)/) { if ($major < 3 || ($major == 3 && $minor == 0 && $patch < 2)) { plan(skip_all => "too old OpenSSL, need >= 3.0.2, was " . "$major.$minor.$patch"); + } else { + plan tests => repeat_each() * (blocks() * 5 + 19); } } elsif ($openssl_version =~ m/running with BoringSSL/) { plan(skip_all => "does not support BoringSSL"); -} elsif ($ENV{TEST_NGINX_USE_HTTP3}) { - plan tests => repeat_each() * (blocks() * 6 + 6); } else { - plan tests => repeat_each() * (blocks() * 5 + 10); + die "unknown SSL"; } $ENV{TEST_NGINX_HTML_DIR} ||= html_dir();
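Review bot: The new final branch `die "unknown SSL";` aborts the whole test file whenever the `nginx -V` output matches neither pattern. That presumably includes a LibreSSL build, which the C code in this series handles explicitly, and the case where the binary could not be run and `$openssl_version` is empty. A skip keeps the suite usable there: `plan(skip_all => "unsupported or undetected SSL library");`. The hunk also removes the TEST_NGINX_USE_HTTP3 plan, so the single count `blocks() * 5 + 19` now has to hold for HTTP/3 runs as well, which is worth confirming in CI.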