@@ -9,6 +9,14 @@ local to_hex = require("resty.string").to_hex
99local ffi_gc = ffi .gc
1010local ffi_cast = ffi .cast
1111local string_format = string.format
12+ local type = type
13+
14+ local function require_openssl_libs ()
15+ local chain = require (" resty.openssl.x509.chain" )
16+ local x509 = require (" resty.openssl.x509" )
17+ local pkey = require (" resty.openssl.pkey" )
18+ return { chain , x509 , pkey }
19+ end
1220
1321--[[
1422A connection function that incorporates:
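Review bot: `require_openssl_libs` (new lines 14–19) has no comment saying why three `require` calls are deferred into a function instead of being done at module top like the other requires above it. From the later hunk it is clear the function exists so that `xpcall` can catch a missing `lua-resty-openssl` and the caller can fall back to non-mTLS, but a reader of this file section cannot see that. I would add `--- Loads the lua-resty-openssl modules needed for mTLS; kept in a function so the caller can xpcall it and fall back to non-mTLS when the module is not installed.` above the definition, and `-- returns { chain, x509, pkey } in that order` on the return so callers indexing `res[1]`..`res[3]` have the contract spelled out.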
@@ -174,79 +182,76 @@ local function connect(self, options)
174182 local key_type = type (ssl_client_priv_key )
175183
176184 if cert_type ~= " cdata" then
177- ngx_log (ngx_WARN , " bad ssl_client_cert: cdata expected, got " .. cert_type )
185+ ngx_log (ngx_WARN , " bad ssl_client_cert: cdata expected, got " , cert_type )
178186 break
179187 end
180188
181189 if key_type ~= " cdata" then
182- ngx_log (ngx_WARN , " bad ssl_client_priv_key: cdata expected, got " .. key_type )
190+ ngx_log (ngx_WARN , " bad ssl_client_priv_key: cdata expected, got " , key_type )
183191 break
184192 end
185193
186- local status , res = xpcall (function ()
187- local chain = require (" resty.openssl.x509.chain" )
188- local x509 = require (" resty.openssl.x509" )
189- local pkey = require (" resty.openssl.pkey" )
190- return { chain , x509 , pkey }
191- end , debug.traceback )
192-
193- if status then
194- local chain = res [1 ]
195- local x509 = res [2 ]
196- local pkey = res [3 ]
197-
198- -- convert from `void*` to `OPENSSL_STACK*`
199- local cert_chain , err = chain .dup (ffi_cast (" OPENSSL_STACK*" , ssl_client_cert ))
200- if not cert_chain then
201- ngx_log (ngx_WARN , " failed to dup the ssl_client_cert, falling back to non-mTLS: " .. err )
202- break
203- end
194+ local status , res = xpcall (require_openssl_libs , debug.traceback )
204195
205- if # cert_chain < 1 then
206- ngx_log ( ngx_WARN , " no cert in ssl_client_cert, falling back to non-mTLS: " .. err )
207- break
208- end
196+ if not status then
197+ if type ( res ) == " string " and ngx_re_find ( res , " module 'resty \\ .openssl \\ ..+' not found " ) then
198+ ngx_log ( ngx_WARN , " can't use mTLS without module `lua-resty-openssl`, falling back to non-mTLS: \n "
199+ , res )
209200
210- local cert , err = x509 .dup (cert_chain [1 ].ctx )
211- if not cert then
212- ngx_log (ngx_WARN , " failed to dup the x509, falling back to non-mTLS: " .. err )
213- break
201+ else
202+ ngx_log (ngx_WARN , " failed to load module `resty.openssl.*`, falling back to non-mTLS:\n " , res )
214203 end
215204
216- -- convert from `void*` to `EVP_PKEY*`
217- local key , err = pkey .new (ffi_cast (" EVP_PKEY*" , ssl_client_priv_key ))
218- if not key then
219- ngx_log (ngx_WARN , " failed to new the pkey, falling back to non-mTLS: " .. err )
220- break
221- end
222- -- should not free the cdata passed in
223- ffi_gc (key .ctx , nil )
205+ break
206+ end
224207
225- -- check the private key in order to make sure the caller is indeed the holder of the cert
226- ok , err = cert :check_private_key (key )
227- if not ok then
228- ngx_log (ngx_WARN , " the private key doesn't match the cert, falling back to non-mTLS: " .. err )
229- break
230- end
208+ local chain = res [1 ]
209+ local x509 = res [2 ]
210+ local pkey = res [3 ]
231211
232- cert_hash , err = cert :digest (" sha256" )
233- if cert_hash then
234- cert_hash = to_hex (cert_hash ) -- convert to hex so that it's printable
212+ -- convert from `void*` to `OPENSSL_STACK*`
213+ local cert_chain , err = chain .dup (ffi_cast (" OPENSSL_STACK*" , ssl_client_cert ))
214+ if not cert_chain then
215+ ngx_log (ngx_WARN , " failed to dup the ssl_client_cert, falling back to non-mTLS: " , err )
216+ break
217+ end
235218
236- else
237- ngx_log (ngx_WARN , " failed to calculate the digest of the cert , falling back to non-mTLS: " .. err )
238- break
239- end
219+ if # cert_chain < 1 then
220+ ngx_log (ngx_WARN , " no cert in ssl_client_cert , falling back to non-mTLS: " , err )
221+ break
222+ end
240223
241- else
242- if type (res ) == " string" and ngx_re_find (res , " module 'resty\\ .openssl\\ ..+' not found" ) then
243- ngx_log (ngx_WARN , " can't use mTLS without module `lua-resty-openssl`, falling back to non-mTLS:\n "
244- .. res )
224+ local cert , err = x509 .dup (cert_chain [1 ].ctx )
225+ if not cert then
226+ ngx_log (ngx_WARN , " failed to dup the x509, falling back to non-mTLS: " , err )
227+ break
228+ end
245229
246- else
247- ngx_log (ngx_WARN , " failed to load module `resty.openssl.*`, falling back to non-mTLS:\n " .. res )
248- end
230+ -- convert from `void*` to `EVP_PKEY*`
231+ local key , err = pkey .new (ffi_cast (" EVP_PKEY*" , ssl_client_priv_key ))
232+ if not key then
233+ ngx_log (ngx_WARN , " failed to new the pkey, falling back to non-mTLS: " , err )
234+ break
249235 end
236+ -- should not free the cdata passed in
237+ ffi_gc (key .ctx , nil )
238+
239+ -- check the private key in order to make sure the caller is indeed the holder of the cert
240+ ok , err = cert :check_private_key (key )
241+ if not ok then
242+ ngx_log (ngx_WARN , " the private key doesn't match the cert, falling back to non-mTLS: " , err )
243+ break
244+ end
245+
246+ cert_hash , err = cert :digest (" sha256" )
247+ if cert_hash then
248+ cert_hash = to_hex (cert_hash ) -- convert to hex so that it's printable
249+
250+ else
251+ ngx_log (ngx_WARN , " failed to calculate the digest of the cert, falling back to non-mTLS: " , err )
252+ break
253+ end
254+
250255 until true
251256 end
252257
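Review bot: In the `if # cert_chain < 1` branch (new lines 219–222) the `err` passed to the "no cert in ssl_client_cert" warning is always nil, because `chain.dup` returned a chain on the line just above, so the log line ends in a stray `nil`; `ngx_log(ngx_WARN, "no cert in ssl_client_cert, falling back to non-mTLS")` says the same without it. The switch from `..` to vararg logging silently hides this (the old code would have raised on concatenating nil), so it is worth cleaning up now. Separately, the `cdata` checks at new lines 184–192 accept any cdata before `ffi_cast` reinterprets it as `OPENSSL_STACK*` / `EVP_PKEY*`; if a caller can pass a cdata of another type that is an unchecked pointer cast rather than the clean fallback the surrounding code aims for, so either an `ffi.istype` guard or a comment stating which cdata types the caller must supply for `ssl_client_cert` and `ssl_client_priv_key` would help. `ok` and `cert_hash` are assigned without `local`, presumably declared earlier in `connect`; that cannot be confirmed here since connect() begins and ends outside the hunk.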
@@ -273,7 +278,7 @@ local function connect(self, options)
273278 -- with a plain http request the authorization is part of the actual request.
274279 end
275280
276- ngx_log (ngx_DEBUG , " poolname: " .. poolname )
281+ ngx_log (ngx_DEBUG , " poolname: " , poolname )
277282
278283 -- do TCP level connection
279284 local tcp_opts = { pool = poolname , pool_size = pool_size , backlog = backlog }