From b088d7f66531881ed2fab132e85bbc687042049f Mon Sep 17 00:00:00 2001 From: lijunlong Date: Mon, 13 Oct 2025 11:19:46 +0800 Subject: [PATCH] feature: add support for nginx-1.29.2. --- .travis.yml | 20 +++++++-------- src/ngx_stream_lua_ssl_client_helloby.c | 9 +++++++ t/129-ssl-socket.t | 34 ++++++++++++++++++++++++- 3 files changed, 52 insertions(+), 11 deletions(-) diff --git a/.travis.yml b/.travis.yml index 8647fa6a..35c4c727 100644 --- a/.travis.yml +++ b/.travis.yml @@ -28,20 +28,20 @@ env: - LD_LIBRARY_PATH=$LUAJIT_LIB:$LD_LIBRARY_PATH - LUAJIT_INC=$LUAJIT_PREFIX/include/luajit-2.1 - LUA_INCLUDE_DIR=$LUAJIT_INC - - PCRE2_VER=10.45 - #- PCRE2_PREFIX=/opt/pcre2 - - PCRE2_PREFIX=/usr/local/openresty/pcre2 + - PCRE2_VER=10.46 + - PCRE2_PREFIX=/opt/pcre2 + #- PCRE2_PREFIX=/usr/local/openresty/pcre2 - PCRE2_LIB=$PCRE2_PREFIX/lib - PCRE2_INC=$PCRE2_PREFIX/include - #- OPENSSL_PREFIX=/opt/ssl3 - - OPENSSL_PREFIX=/usr/local/openresty/openssl3 + - OPENSSL_PREFIX=/opt/ssl3 + #- OPENSSL_PREFIX=/usr/local/openresty/openssl3 - OPENSSL_LIB=$OPENSSL_PREFIX/lib - OPENSSL_INC=$OPENSSL_PREFIX/include - JOBS=3 - NGX_BUILD_JOBS=$JOBS - TEST_NGINX_SLEEP=0.006 matrix: - - NGINX_VERSION=1.27.1 OPENSSL_VER=3.5.0 + - NGINX_VERSION=1.29.2 OPENSSL_VER=3.5.4 services: - memcache 
@@ -54,8 +54,8 @@ before_install: - sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends openresty-pcre2 openresty-openssl3 openresty-pcre2-dev openresty-openssl3-dev install: - #- if [ ! -f download-cache/pcre2-$PCRE2_VER.tar.gz ]; then wget -P download-cache https://downloads.sourceforge.net/project/pcre/pcre2/${PCRE2_VER}/pcre2-${PCRE2_VER}.tar.gz; fi - #- if [ ! -f download-cache/openssl-$OPENSSL_VER.tar.gz ]; then wget -P download-cache https://www.openssl.org/source/openssl-$OPENSSL_VER.tar.gz; fi + - if [ ! -f download-cache/pcre2-$PCRE2_VER.tar.gz ]; then wget -P download-cache https://downloads.sourceforge.net/project/pcre/pcre2/${PCRE2_VER}/pcre2-${PCRE2_VER}.tar.gz; fi + - if [ ! -f download-cache/openssl-$OPENSSL_VER.tar.gz ]; then wget -P download-cache https://www.openssl.org/source/openssl-$OPENSSL_VER.tar.gz; fi - git clone https://github.com/openresty/openresty-devel-utils.git - git clone https://github.com/openresty/lua-cjson.git - git clone https://github.com/openresty/openresty.git ../openresty 
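Review bot: The two re-enabled wget lines fetch the PCRE2 and OpenSSL source tarballs into download-cache with no integrity check, so the CI build trusts whatever the sourceforge mirror or openssl.org serves, and a stale or tampered cached tarball is reused silently on later runs. Pin the expected digest next to each version and verify it before the tarball is unpacked, e.g. `- echo "$PCRE2_SHA256  download-cache/pcre2-$PCRE2_VER.tar.gz" | sha256sum -c -` after the PCRE2 download and the same for `openssl-$OPENSSL_VER.tar.gz`, with `PCRE2_SHA256`/`OPENSSL_SHA256` kept in the env block beside `PCRE2_VER` and `OPENSSL_VER` so a version bump cannot land without its digest. OpenSSL publishes a `.sha256` (and `.asc`) file alongside each release tarball, which makes the digest easy to source when bumping `OPENSSL_VER`.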
@@ -78,14 +78,14 @@ script: - sudo ip addr add 10.254.254.1/24 dev lo - sudo ip addr add 10.254.254.2/24 dev lo - sudo ip route add prohibit 0.0.0.1/32 - #- tar zxf download-cache/pcre2-$PCRE2_VER.tar.gz; cd pcre2-$PCRE2_VER/; ./configure --prefix=$PCRE2_PREFIX --enable-jit --enable-utf > build.log 2>&1 || (cat build.log && exit 1); make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); sudo PATH=$PATH make install > build.log 2>&1 || (cat build.log && exit 1); cd ..; + - tar zxf download-cache/pcre2-$PCRE2_VER.tar.gz; cd pcre2-$PCRE2_VER/; ./configure --prefix=$PCRE2_PREFIX --enable-jit --enable-utf > build.log 2>&1 || (cat build.log && exit 1); make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); sudo PATH=$PATH make install > build.log 2>&1 || (cat build.log && exit 1); cd ..; - cd luajit2 - make -j$JOBS CCDEBUG=-g Q= PREFIX=$LUAJIT_PREFIX CC=$CC XCFLAGS='-DLUA_USE_APICHECK -DLUA_USE_ASSERT' > build.log 2>&1 || (cat build.log && exit 1) - sudo make install PREFIX=$LUAJIT_PREFIX > build.log 2>&1 || (cat build.log && exit 1) - cd ../test-nginx && sudo cpanm . && cd .. - cd lua-cjson/ && make -j$JOBS && sudo make install && cd .. - cd mockeagain/ && make CC=$CC -j$JOBS && cd .. - #- tar zxf download-cache/openssl-$OPENSSL_VER.tar.gz; cd openssl-$OPENSSL_VER/; ./config no-threads shared enable-ssl3 enable-ssl3-method -g --prefix=$OPENSSL_PREFIX -DPURIFY > build.log 2>&1 || (cat build.log && exit 1); make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); sudo make PATH=$PATH install_sw > build.log 2>&1 || (cat build.log && exit 1) ; cd .. + - tar zxf download-cache/openssl-$OPENSSL_VER.tar.gz; cd openssl-$OPENSSL_VER/; ./config no-threads shared enable-ssl3 enable-ssl3-method -g --prefix=$OPENSSL_PREFIX -DPURIFY > build.log 2>&1 || (cat build.log && exit 1); make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); sudo make PATH=$PATH install_sw > build.log 2>&1 || (cat build.log && exit 1) ; cd .. 
- export PATH=$PWD/work/nginx/sbin:$PWD/openresty-devel-utils:$PATH - export NGX_BUILD_CC=$CC - sh util/build.sh $NGINX_VERSION > build.log 2>&1 || (cat build.log && exit 1)
diff --git a/src/ngx_stream_lua_ssl_client_helloby.c b/src/ngx_stream_lua_ssl_client_helloby.c
index 9e738ac2..cd2d8adc 100644
--- a/src/ngx_stream_lua_ssl_client_helloby.c
+++ b/src/ngx_stream_lua_ssl_client_helloby.c
@@ -218,6 +218,15 @@ ngx_stream_lua_ssl_client_hello_handler(ngx_ssl_conn_t *ssl_conn,
 return -1;
 }
+#if (nginx_version > 1029000)
+ /* see commit 0373fe5d98c1515640 for more details */
+ rc = ngx_ssl_client_hello_callback(ssl_conn, al, arg);
+
+ if (rc == 0) {
+ return rc;
+ }
+#endif
+
 dd("first time");
 ngx_reusable_connection(c, 0);
diff --git a/t/129-ssl-socket.t b/t/129-ssl-socket.t
index 997c9773..2b84087f 100644
--- a/t/129-ssl-socket.t
+++ b/t/129-ssl-socket.t
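Review bot: The new block compares the return of ngx_ssl_client_hello_callback() against a bare 0 and lets every other value fall through into the Lua handler, which would silently treat SSL_CLIENT_HELLO_RETRY (-1) as success if nginx's callback ever returned it (today it appears to return only success or error, but nothing here pins that); use the OpenSSL constants and propagate anything that is not a success, `if (rc != SSL_CLIENT_HELLO_SUCCESS) { return rc; }`, which also keeps the error alert set through `al` intact. The comment should say which repository the hash belongs to and why the chaining matters, since a bare hash is hard to trace; for example `/* nginx (commit 0373fe5d98, "SNI: using the ClientHello callback") now selects the SNI virtual server, and may reject the handshake, inside its own ClientHello callback; call it first so server selection and its error path happen before the Lua hook runs */`. I cannot confirm from this hunk which release the nginx change landed in, so if `nginx_version > 1029000` is meant to be 1.29.1 and later, `#if (nginx_version >= 1029001)` with that release named in the comment is clearer than the off-by-one form. ngx_stream_lua_ssl_client_hello_handler starts and ends outside the hunk, so I could not check where `rc` is declared or that the re-entry path above this block already returns before the nginx callback would be invoked a second time.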
@@ -2769,6 +2769,37 @@ SSL reused session
 === TEST 35: ssl session/ticket reuse CVE
 https://www.cve.org/CVERecord?id=CVE-2025-23419
+
+commit 0373fe5d98c1515640e74fa6f4d32fac1f1d3ab2
+Author: Sergey Kandaurov
+Date: Tue Jan 28 00:53:15 2025 +0400
+
+ SNI: using the ClientHello callback.
+
+ The change introduces an SNI based virtual server selection during
+ early ClientHello processing. The callback is available since
+ OpenSSL 1.1.1; for older OpenSSL versions, the previous behaviour
+ is kept.
+
+ Using the ClientHello callback sets a reasonable processing order
+ for the "server_name" TLS extension. Notably, session resumption
+ decision now happens after applying server configuration chosen by
+ SNI, useful with enabled verification of client certificates, which
+ brings consistency with BoringSSL behaviour. The change supersedes
+ and reverts a fix made in 46b9f5d38 for TLSv1.3 resumed sessions.
+
+ In addition, since the callback is invoked prior to the protocol
+ version negotiation, this makes it possible to set "ssl_protocols"
+ on a per-virtual server basis.
+
+ To keep the $ssl_server_name variable working with TLSv1.2 resumed
+ sessions, as previously fixed in fd97b2a80, a limited server name
+ callback is preserved in order to acknowledge the extension.
+
+ Note that to allow third-party modules to properly chain the call to
+ ngx_ssl_client_hello_callback(), the servername callback function is
+ passed through exdata.
+--- SKIP
 --- stream_config
 server {
 listen $TEST_NGINX_SERVER_SSL_PORT ssl reuseport default_server;
@@ -2907,6 +2938,8 @@ lua ssl free session
 === TEST 36: ssl session/ticket reuse CVE
 https://www.cve.org/CVERecord?id=CVE-2025-23419
+see TEST 35
+--- SKIP
 --- main_config
 env PATH;
 --- stream_config
@@ -3011,7 +3044,6 @@ handshake rejected while SSL handshaking
 [alert]
 [crit]
 --- timeout: 5
---- skip_nginx: 7: < 1.25.4
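Review bot: TEST 35 (and TEST 36 via the `see TEST 35` hunk below) is now skipped unconditionally with `--- SKIP`, so the regression test for CVE-2025-23419 no longer runs on any nginx, including the builds the old `--- skip_nginx: 7: < 1.25.4` gate was written for, where the expected rejection presumably still holds. If the new ClientHello ordering in nginx is what invalidates the expectation, gate on version instead, e.g. `--- skip_nginx2: 7: < 1.25.4 or >= 1.29.1` (if I recall Test::Nginx's two-condition form correctly), or better add a sibling block carrying the expectation that holds after the change so the CVE keeps coverage on both sides. The pasted nginx commit message explains the upstream change but not why this block's assertion no longer holds; one sentence naming the expectation that changed (presumably the `handshake rejected while SSL handshaking` error_log check) would save the next reader re-deriving it.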