From ff01f40466ea9df3f503027537d2c0e14b008cdf Mon Sep 17 00:00:00 2001 From: willmafh Date: Sun, 19 Oct 2025 13:08:28 +0800 Subject: [PATCH 1/8] bugfix: Nginx introduces ssl client hello callback in version 1.29.2 so we need to change nginx_version value to 1029001 here --- src/ngx_stream_lua_ssl_client_helloby.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/ngx_stream_lua_ssl_client_helloby.c b/src/ngx_stream_lua_ssl_client_helloby.c index cd2d8adc..b6a6229c 100644 --- a/src/ngx_stream_lua_ssl_client_helloby.c +++ b/src/ngx_stream_lua_ssl_client_helloby.c @@ -218,7 +218,7 @@ ngx_stream_lua_ssl_client_hello_handler(ngx_ssl_conn_t *ssl_conn, return -1; } -#if (nginx_version > 1029000) +#if (nginx_version > 1029001) /* see commit 0373fe5d98c1515640 for more details */ rc = ngx_ssl_client_hello_callback(ssl_conn, al, arg); From 379635b3d421f02455cf36d79bd00bc02ad7b121 Mon Sep 17 00:00:00 2001 From: willmafh Date: Sun, 19 Oct 2025 17:19:38 +0800 Subject: [PATCH 2/8] ci fix --- t/164-proxy-ssl-verify-by.t | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/t/164-proxy-ssl-verify-by.t b/t/164-proxy-ssl-verify-by.t index de58d36a..1982f859 100644 --- a/t/164-proxy-ssl-verify-by.t +++ b/t/164-proxy-ssl-verify-by.t @@ -908,7 +908,7 @@ proxy_ssl_verify_by_lua: cert verify callback aborted === TEST 23: cosocket --- stream_config server { - listen *:80; + listen 127.0.0.1:$TEST_NGINX_RAND_PORT_1; return "it works!\n"; } @@ -936,7 +936,7 @@ proxy_ssl_verify_by_lua: cert verify callback aborted local sock = ngx.socket.tcp() sock:settimeout(2000) - local ok, err = sock:connect("127.0.0.1", "80") + local ok, err = sock:connect("127.0.0.1", $TEST_NGINX_RAND_PORT_1) if not ok then ngx.log(ngx.ERR, "failed to connect: ", err) return From de4580e0a0d2970e0f895989d6ac1a723b66481b Mon Sep 17 00:00:00 2001 
From: willmafh Date: Sun, 19 Oct 2025 18:50:25 +0800 Subject: [PATCH 3/8] tests: ci fix --- t/164-proxy-ssl-verify-by.t | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/t/164-proxy-ssl-verify-by.t b/t/164-proxy-ssl-verify-by.t index 1982f859..3a040940 100644 --- a/t/164-proxy-ssl-verify-by.t +++ b/t/164-proxy-ssl-verify-by.t @@ -7,8 +7,13 @@ repeat_each(3); my $NginxBinary = $ENV{'TEST_NGINX_BINARY'} || 'nginx'; my $openssl_version = eval { `$NginxBinary -V 2>&1` }; -if ($openssl_version =~ m/built with OpenSSL (0\S*|1\.0\S*|1\.1\.0\S*)/) { - plan(skip_all => "too old OpenSSL, need 1.1.1, was $1"); +if ($openssl_version =~ m/built with OpenSSL (\d+)\.(\d+)\.(\d+)/) { + my ($major, $minor, $patch) = ($1, $2, $3); + + if ($major < 3 || ($major == 3 && $minor == 0 && $patch < 2)) { + plan(skip_all => "too old OpenSSL, need >= 3.0.2, was " . + "$major.$minor.$patch"); + } } else { plan tests => repeat_each() * (blocks() * 6 + 5); } From 15fe37611f2333524fb9f32e977daa836828fc9b Mon Sep 17 00:00:00 2001 From: willmafh Date: Mon, 20 Oct 2025 11:04:34 +0800 Subject: [PATCH 4/8] tests: fix ci --- src/ngx_stream_lua_proxy_ssl_verifyby.c | 93 ++++++++++++++++++++++++- t/164-proxy-ssl-verify-by.t | 6 +- 2 files changed, 97 insertions(+), 2 deletions(-) diff --git a/src/ngx_stream_lua_proxy_ssl_verifyby.c b/src/ngx_stream_lua_proxy_ssl_verifyby.c index e43d3abb..91c82551 100644 --- a/src/ngx_stream_lua_proxy_ssl_verifyby.c +++ b/src/ngx_stream_lua_proxy_ssl_verifyby.c @@ -32,13 +32,20 @@ ngx_int_t ngx_stream_lua_proxy_ssl_verify_set_callback(ngx_conf_t *cf) { -#ifdef LIBRESSL_VERSION_NUMBER +#if defined(LIBRESSL_VERSION_NUMBER) ngx_log_error(NGX_LOG_EMERG, cf->log, 0, "LibreSSL does not support by proxy_ssl_verify_by_lua*"); return NGX_ERROR; +#elif defined(OPENSSL_IS_BORINGSSL) + + ngx_log_error(NGX_LOG_EMERG, cf->log, 0, + "BoringSSL does not support by proxy_ssl_verify_by_lua*"); + + return NGX_ERROR; + #else ngx_flag_t proxy_ssl = 0; 
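Review bot: The new BoringSSL branch in ngx_stream_lua_proxy_ssl_verify_set_callback logs `"BoringSSL does not support by proxy_ssl_verify_by_lua*"`, which copies the LibreSSL message together with its stray "by". This is the EMERG line an operator sees when the configuration is rejected, so `"BoringSSL does not support proxy_ssl_verify_by_lua*"` would read more clearly. The same string is added in the @@ -161 hunk (directive handler) and the @@ -244 hunk (verify handler). The function body continues past the end of this hunk.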
@@ -161,6 +168,22 @@ char * ngx_stream_lua_proxy_ssl_verify_by_lua(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) { +#if defined(LIBRESSL_VERSION_NUMBER) + + ngx_log_error(NGX_LOG_EMERG, cf->log, 0, + "LibreSSL does not support by proxy_ssl_verify_by_lua*"); + + return NGX_CONF_ERROR; + +#elif defined(OPENSSL_IS_BORINGSSL) + + ngx_log_error(NGX_LOG_EMERG, cf->log, 0, + "BoringSSL does not support by proxy_ssl_verify_by_lua*"); + + return NGX_CONF_ERROR; + +#else + #if (!defined SSL_ERROR_WANT_RETRY_VERIFY \ || OPENSSL_VERSION_NUMBER < 0x30000020L) @@ -244,12 +267,30 @@ ngx_stream_lua_proxy_ssl_verify_by_lua(ngx_conf_t *cf, ngx_command_t *cmd, return NGX_CONF_OK; #endif /* SSL_ERROR_WANT_RETRY_VERIFY */ + +#endif } int ngx_stream_lua_proxy_ssl_verify_handler(X509_STORE_CTX *x509_store, void *arg) { +#if defined(LIBRESSL_VERSION_NUMBER) + + ngx_log_debug0(NGX_LOG_DEBUG_STREAM, c->log, 0, + "LibreSSL does not support by proxy_ssl_verify_by_lua*"); + + return 1; + +#elif defined(OPENSSL_IS_BORINGSSL) + + ngx_log_debug0(NGX_LOG_DEBUG_STREAM, c->log, 0, + "BoringSSL does not support by proxy_ssl_verify_by_lua*"); + + return 1; + +#else + lua_State *L; ngx_int_t rc; ngx_connection_t *c; @@ -395,6 +436,8 @@ ngx_stream_lua_proxy_ssl_verify_handler(X509_STORE_CTX *x509_store, void *arg) return 0; /* verify failure or error */ #endif + +#endif } @@ -573,6 +616,20 @@ int ngx_stream_lua_ffi_proxy_ssl_set_verify_result(ngx_stream_lua_request_t *r, int verify_result, char **err) { +#if defined(LIBRESSL_VERSION_NUMBER) + + *err = "LibreSSL does not support this function"; + + return NGX_ERROR; + +#elif defined(OPENSSL_IS_BORINGSSL) + + *err = "BoringSSL does not support this function"; + + return NGX_ERROR; + +#else + #ifdef SSL_ERROR_WANT_RETRY_VERIFY ngx_stream_upstream_t *u; ngx_ssl_conn_t *ssl_conn; @@ -618,6 +675,8 @@ ngx_stream_lua_ffi_proxy_ssl_set_verify_result(ngx_stream_lua_request_t *r, return NGX_ERROR; #endif + +#endif } 
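Review bot: In ngx_stream_lua_proxy_ssl_verify_handler the new LibreSSL and BoringSSL branches `return 1;`, while the existing tail of this function uses `return 0; /* verify failure or error */`, so on those builds the callback would report the upstream certificate as verified without checking anything. ngx_stream_lua_proxy_ssl_verify_set_callback returns NGX_ERROR on the same builds, so the handler is presumably never installed there, but a stub in a verification path should fail closed: `return 0;`. The two `ngx_log_debug0(..., c->log, ...)` calls also use `c` before any declaration is in scope (`ngx_connection_t *c;` sits in the `#else` branch), which would presumably compile only where the debug macro expands to nothing; dropping the log lines from the stubs avoids that. The handler body continues outside this hunk.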
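Review bot: The bare `#endif` added in the @@ -395 hunk directly follows another `#endif`, and the `#if defined(LIBRESSL_VERSION_NUMBER)` it closes opens well above the hunk, so it is hard to tell which conditional ends here. Labelling it the way the file already labels `#endif /* SSL_ERROR_WANT_RETRY_VERIFY */`, e.g. `#endif /* LIBRESSL_VERSION_NUMBER || OPENSSL_IS_BORINGSSL */`, would help. The same applies to the `#endif` added in the @@ -244, @@ -618, @@ -668 and @@ -735 hunks.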
@@ -625,6 +684,20 @@ int ngx_stream_lua_ffi_proxy_ssl_get_verify_result(ngx_stream_lua_request_t *r, char **err) { +#if defined(LIBRESSL_VERSION_NUMBER) + + *err = "LibreSSL does not support this function"; + + return NGX_ERROR; + +#elif defined(OPENSSL_IS_BORINGSSL) + + *err = "BoringSSL does not support this function"; + + return NGX_ERROR; + +#else + #ifdef SSL_ERROR_WANT_RETRY_VERIFY ngx_stream_upstream_t *u; ngx_ssl_conn_t *ssl_conn; @@ -668,6 +741,8 @@ ngx_stream_lua_ffi_proxy_ssl_get_verify_result(ngx_stream_lua_request_t *r, return NGX_ERROR; #endif + +#endif } @@ -684,6 +759,20 @@ void * ngx_stream_lua_ffi_proxy_ssl_get_verify_cert(ngx_stream_lua_request_t *r, char **err) { +#if defined(LIBRESSL_VERSION_NUMBER) + + *err = "LibreSSL does not support this function"; + + return NGX_ERROR; + +#elif defined(OPENSSL_IS_BORINGSSL) + + *err = "BoringSSL does not support this function"; + + return NGX_ERROR; + +#else + #ifdef SSL_ERROR_WANT_RETRY_VERIFY ngx_stream_upstream_t *u; ngx_ssl_conn_t *ssl_conn; @@ -735,6 +824,8 @@ ngx_stream_lua_ffi_proxy_ssl_get_verify_cert(ngx_stream_lua_request_t *r, return NULL; #endif + +#endif } diff --git a/t/164-proxy-ssl-verify-by.t b/t/164-proxy-ssl-verify-by.t index 3a040940..8436b6bd 100644 --- a/t/164-proxy-ssl-verify-by.t +++ b/t/164-proxy-ssl-verify-by.t @@ -13,9 +13,13 @@ if ($openssl_version =~ m/built with OpenSSL (\d+)\.(\d+)\.(\d+)/) { if ($major < 3 || ($major == 3 && $minor == 0 && $patch < 2)) { plan(skip_all => "too old OpenSSL, need >= 3.0.2, was " . "$major.$minor.$patch"); + } else { + plan tests => repeat_each() * (blocks() * 6 + 3); } +} elsif ($openssl_version =~ m/running with BoringSSL/) { + plan(skip_all => "does not support BoringSSL"); } else { - plan tests => repeat_each() * (blocks() * 6 + 5); + die "unknown SSL"; } $ENV{TEST_NGINX_HTML_DIR} ||= html_dir(); From 1c923d6b4c49cf76aa25491c4246a610b691d4c9 Mon Sep 17 00:00:00 2001 
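Review bot: ngx_stream_lua_ffi_proxy_ssl_get_verify_cert (the @@ -684 hunk) is declared to return `void *`, but both new stub branches `return NGX_ERROR;`, an integer status, where the function's existing unsupported path in the @@ -735 hunk uses `return NULL;`. A caller that tests the result against NULL would then take the converted error code for a certificate pointer. Both stubs should `return NULL;` after setting `*err`. The function body continues outside this hunk.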
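Review bot: The final `else { die "unknown SSL"; }` in the t/164-proxy-ssl-verify-by.t hunk aborts the test file for any `nginx -V` output that matches neither pattern. That would presumably include a LibreSSL build, even though the C side of this commit treats LibreSSL as a known unsupported library. A skip keeps the suite usable there: `plan(skip_all => "unsupported SSL library");` in place of the `die`. Whether a BoringSSL build reaches the `running with BoringSSL` branch is not visible here and is worth confirming against a real binary, since the first regex may match its `built with OpenSSL` banner first.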
From: lijunlong Date: Mon, 20 Oct 2025 11:13:26 +0800 Subject: [PATCH 5/8] fix pcre downloa url --- .travis.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.travis.yml b/.travis.yml index 35c4c727..f239ba37 100644 --- a/.travis.yml +++ b/.travis.yml @@ -54,8 +54,8 @@ before_install: - sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends openresty-pcre2 openresty-openssl3 openresty-pcre2-dev openresty-openssl3-dev install: - - if [ ! -f download-cache/pcre2-$PCRE2_VER.tar.gz ]; then wget -P download-cache https://downloads.sourceforge.net/project/pcre/pcre2/${PCRE2_VER}/pcre2-${PCRE2_VER}.tar.gz; fi - - if [ ! -f download-cache/openssl-$OPENSSL_VER.tar.gz ]; then wget -P download-cache https://www.openssl.org/source/openssl-$OPENSSL_VER.tar.gz; fi + - if [ -n "$PCRE2_VER" ] && [ ! -f download-cache/pcre2-$PCRE2_VER.tar.gz ]; then wget -P download-cache https://github.com/PCRE2Project/pcre2/releases/download/pcre2-${PCRE2_VER}/pcre2-${PCRE2_VER}.tar.gz; fi + - if [ -n "$OPENSSL_VER" ] && [ ! -f download-cache/openssl-$OPENSSL_VER.tar.gz ]; then wget -P download-cache https://github.com/openssl/openssl/releases/download/openssl-$OPENSSL_VER/openssl-$OPENSSL_VER.tar.gz || wget -P download-cache https://www.openssl.org/source/openssl-$OPENSSL_VER.tar.gz || wget -P download-cache https://www.openssl.org/source/old/${OPENSSL_VER//[a-z]/}/openssl-$OPENSSL_VER.tar.gz; fi - git clone https://github.com/openresty/openresty-devel-utils.git - git clone https://github.com/openresty/lua-cjson.git - git clone https://github.com/openresty/openresty.git ../openresty From 2a35874a1a2bd00755c081f270353373eaf7bc1b Mon Sep 17 00:00:00 2001 From: lijunlong Date: Mon, 20 Oct 2025 11:32:26 +0800 Subject: [PATCH 6/8] fix ssl lib dir. --- .travis.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.travis.yml b/.travis.yml index f239ba37..7fde84fe 100644 --- a/.travis.yml +++ b/.travis.yml 
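Review bot: The new download lines fetch the PCRE2 and OpenSSL tarballs from up to three different hosts, and nothing checks their content before later script steps unpack, build and install them. A pinned digest per version would make the source host irrelevant. For example, after the wget chain: `echo "$OPENSSL_SHA256  download-cache/openssl-$OPENSSL_VER.tar.gz" | sha256sum -c -`, where `OPENSSL_SHA256` is a new variable (not in this file today) set next to `OPENSSL_VER`. The `[ ! -f … ]` guard also accepts whatever is already in download-cache, so a truncated file left by an interrupted wget would presumably be reused on the next run; the digest check covers that case too.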
@@ -78,14 +78,14 @@ script: - sudo ip addr add 10.254.254.1/24 dev lo - sudo ip addr add 10.254.254.2/24 dev lo - sudo ip route add prohibit 0.0.0.1/32 - - tar zxf download-cache/pcre2-$PCRE2_VER.tar.gz; cd pcre2-$PCRE2_VER/; ./configure --prefix=$PCRE2_PREFIX --enable-jit --enable-utf > build.log 2>&1 || (cat build.log && exit 1); make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); sudo PATH=$PATH make install > build.log 2>&1 || (cat build.log && exit 1); cd ..; + - if [ -n "$PCRE2_VER" ]; then tar zxf download-cache/pcre2-$PCRE2_VER.tar.gz; cd pcre2-$PCRE2_VER/; ./configure --prefix=$PCRE2_PREFIX --enable-jit --enable-utf > build.log 2>&1 || (cat build.log && exit 1); make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); sudo PATH=$PATH make install > build.log 2>&1 || (cat build.log && exit 1); cd ..; fi - cd luajit2 - make -j$JOBS CCDEBUG=-g Q= PREFIX=$LUAJIT_PREFIX CC=$CC XCFLAGS='-DLUA_USE_APICHECK -DLUA_USE_ASSERT' > build.log 2>&1 || (cat build.log && exit 1) - sudo make install PREFIX=$LUAJIT_PREFIX > build.log 2>&1 || (cat build.log && exit 1) - cd ../test-nginx && sudo cpanm . && cd .. - cd lua-cjson/ && make -j$JOBS && sudo make install && cd .. - cd mockeagain/ && make CC=$CC -j$JOBS && cd .. - - tar zxf download-cache/openssl-$OPENSSL_VER.tar.gz; cd openssl-$OPENSSL_VER/; ./config no-threads shared enable-ssl3 enable-ssl3-method -g --prefix=$OPENSSL_PREFIX -DPURIFY > build.log 2>&1 || (cat build.log && exit 1); make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); sudo make PATH=$PATH install_sw > build.log 2>&1 || (cat build.log && exit 1) ; cd .. 
+ - if [ -n "$OPENSSL_VER" ]; then tar zxf download-cache/openssl-$OPENSSL_VER.tar.gz; cd openssl-$OPENSSL_VER/; patch -p1 < ../../openresty/patches/openssl-$OPENSSL_PATCH_VER-sess_set_get_cb_yield.patch; ./config shared enable-ssl3 enable-ssl3-method -g --prefix=$OPENSSL_PREFIX --libdir=lib -DPURIFY > build.log 2>&1 || (cat build.log && exit 1); make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); sudo make PATH=$PATH install_sw > build.log 2>&1 || (cat build.log && exit 1); cd ..; fi - export PATH=$PWD/work/nginx/sbin:$PWD/openresty-devel-utils:$PATH - export NGX_BUILD_CC=$CC - sh util/build.sh $NGINX_VERSION > build.log 2>&1 || (cat build.log && exit 1) From 0505d70713afab901f05ed87eb529c2ddd85cb82 Mon Sep 17 00:00:00 2001 From: lijunlong Date: Mon, 20 Oct 2025 11:45:58 +0800 Subject: [PATCH 7/8] fixed missing var --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 7fde84fe..61d606f8 100644 --- a/.travis.yml +++ b/.travis.yml @@ -41,7 +41,7 @@ env: - NGX_BUILD_JOBS=$JOBS - TEST_NGINX_SLEEP=0.006 matrix: - - NGINX_VERSION=1.29.2 OPENSSL_VER=3.5.4 + - NGINX_VERSION=1.29.2 OPENSSL_VER=3.5.4 OPENSSL_PATCH_VER=3.5.4 services: - memcache From 74ac5a1ba18b5d274b5f1942a8550cdc506f9a67 Mon Sep 17 00:00:00 2001 From: lijunlong Date: Mon, 20 Oct 2025 12:07:02 +0800 Subject: [PATCH 8/8] fixed missing var --- t/138-balancer.t | 1 - 1 file changed, 1 deletion(-) diff --git a/t/138-balancer.t b/t/138-balancer.t index 8991239a..c863c219 100644 --- a/t/138-balancer.t +++ b/t/138-balancer.t @@ -237,7 +237,6 @@ retry counter: 5 --- error_log set more tries: reduced tries due to limit ---- ONLY
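Review bot: The added `patch -p1 < ../../openresty/patches/openssl-$OPENSSL_PATCH_VER-sess_set_get_cb_yield.patch;` is followed by a plain `;`, so if the patch file is missing or does not apply, `./config` and `make` still run and the job tests an unpatched OpenSSL without saying so. Failing the step there, e.g. `patch -p1 < ../../openresty/patches/openssl-$OPENSSL_PATCH_VER-sess_set_get_cb_yield.patch || exit 1;`, makes that visible. The hunk also drops `no-threads` and adds `--libdir=lib` on the `./config` line; a short comment in the file saying why would help the next reader.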