@@ -175,84 +175,86 @@ local function connect(self, options)
175175 end
176176
177177 local cert_hash
178- if ssl and ssl_client_cert and ssl_client_priv_key then
179- -- fallback to non-mTLS when any error
180- repeat
181- local cert_type = type (ssl_client_cert )
182- local key_type = type (ssl_client_priv_key )
183-
184- if cert_type ~= " cdata" then
185- ngx_log (ngx_WARN , " bad ssl_client_cert: cdata expected, got " , cert_type )
186- break
187- end
178+ -- fallback to non-mTLS when any error
179+ repeat
180+ if not ssl or not ssl_client_cert or not ssl_client_priv_key then
181+ break
182+ end
188183
189- if key_type ~= " cdata" then
190- ngx_log (ngx_WARN , " bad ssl_client_priv_key: cdata expected, got " , key_type )
191- break
192- end
184+ local cert_type = type (ssl_client_cert )
185+ local key_type = type (ssl_client_priv_key )
193186
194- local status , res = xpcall (require_openssl_libs , debug.traceback )
187+ if cert_type ~= " cdata" then
188+ ngx_log (ngx_WARN , " bad ssl_client_cert: cdata expected, got " , cert_type )
189+ break
190+ end
195191
196- if not status then
197- if type ( res ) == " string " and ngx_re_find ( res , " module 'resty \\ .openssl \\ ..+' not found " ) then
198- ngx_log ( ngx_WARN , " can't use mTLS without module `lua-resty-openssl`, falling back to non-mTLS: \n "
199- , res )
192+ if key_type ~= " cdata " then
193+ ngx_log ( ngx_WARN , " bad ssl_client_priv_key: cdata expected, got " , key_type )
194+ break
195+ end
200196
201- else
202- ngx_log (ngx_WARN , " failed to load module `resty.openssl.*`, falling back to non-mTLS:\n " , res )
203- end
197+ local status , res = xpcall (require_openssl_libs , debug.traceback )
204198
205- break
199+ if not status then
200+ if type (res ) == " string" and ngx_re_find (res , " module 'resty\\ .openssl\\ ..+' not found" ) then
201+ ngx_log (ngx_WARN , " can't use mTLS without module `lua-resty-openssl`, falling back to non-mTLS:\n "
202+ , res )
203+
204+ else
205+ ngx_log (ngx_WARN , " failed to load module `resty.openssl.*`, falling back to non-mTLS:\n " , res )
206206 end
207207
208- local chain = res [1 ]
209- local x509 = res [2 ]
210- local pkey = res [3 ]
208+ break
209+ end
211210
212- -- convert from `void*` to `OPENSSL_STACK*`
213- local cert_chain , err = chain .dup (ffi_cast (" OPENSSL_STACK*" , ssl_client_cert ))
214- if not cert_chain then
215- ngx_log (ngx_WARN , " failed to dup the ssl_client_cert, falling back to non-mTLS: " , err )
216- break
217- end
211+ local chain = res [1 ]
212+ local x509 = res [2 ]
213+ local pkey = res [3 ]
218214
219- if # cert_chain < 1 then
220- ngx_log (ngx_WARN , " no cert in ssl_client_cert, falling back to non-mTLS: " , err )
221- break
222- end
215+ -- convert from `void*` to `OPENSSL_STACK*`
216+ local cert_chain , err = chain .dup (ffi_cast (" OPENSSL_STACK*" , ssl_client_cert ))
217+ if not cert_chain then
218+ ngx_log (ngx_WARN , " failed to dup the ssl_client_cert, falling back to non-mTLS: " , err )
219+ break
220+ end
223221
224- local cert , err = x509 .dup (cert_chain [1 ].ctx )
225- if not cert then
226- ngx_log (ngx_WARN , " failed to dup the x509, falling back to non-mTLS: " , err )
227- break
228- end
222+ if # cert_chain < 1 then
223+ ngx_log (ngx_WARN , " no cert in ssl_client_cert, falling back to non-mTLS: " , err )
224+ break
225+ end
229226
230- -- convert from `void*` to `EVP_PKEY*`
231- local key , err = pkey .new (ffi_cast (" EVP_PKEY*" , ssl_client_priv_key ))
232- if not key then
233- ngx_log (ngx_WARN , " failed to new the pkey, falling back to non-mTLS: " , err )
234- break
235- end
236- -- should not free the cdata passed in
237- ffi_gc (key .ctx , nil )
227+ local cert , err = x509 .dup (cert_chain [1 ].ctx )
228+ if not cert then
229+ ngx_log (ngx_WARN , " failed to dup the x509, falling back to non-mTLS: " , err )
230+ break
231+ end
238232
239- -- check the private key in order to make sure the caller is indeed the holder of the cert
240- ok , err = cert :check_private_key (key )
241- if not ok then
242- ngx_log (ngx_WARN , " the private key doesn't match the cert, falling back to non-mTLS: " , err )
243- break
244- end
233+ -- convert from `void*` to `EVP_PKEY*`
234+ local key , err = pkey .new (ffi_cast (" EVP_PKEY*" , ssl_client_priv_key ))
235+ if not key then
236+ ngx_log (ngx_WARN , " failed to new the pkey, falling back to non-mTLS: " , err )
237+ break
238+ end
239+ -- should not free the cdata passed in
240+ ffi_gc (key .ctx , nil )
245241
246- cert_hash , err = cert :digest (" sha256" )
247- if not cert_hash then
248- ngx_log (ngx_WARN , " failed to calculate the digest of the cert, falling back to non-mTLS: " , err )
249- break
250- end
242+ -- check the private key in order to make sure the caller is indeed the holder of the cert
243+ ok , err = cert :check_private_key (key )
244+ if not ok then
245+ ngx_log (ngx_WARN , " the private key doesn't match the cert, falling back to non-mTLS: " , err )
246+ break
247+ end
251248
252- cert_hash = to_hex (cert_hash ) -- convert to hex so that it's printable
249+ cert_hash , err = cert :digest (" sha256" )
250+ if not cert_hash then
251+ ngx_log (ngx_WARN , " failed to calculate the digest of the cert, falling back to non-mTLS: " , err )
252+ break
253+ end
253254
254- until true
255- end
255+ cert_hash = to_hex (cert_hash ) -- convert to hex so that it's printable
256+
257+ until true
256258
257259 if not cert_hash then
258260 ssl_client_cert = nil
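Review bot: The "no cert in ssl_client_cert" branch on new lines 222-225 logs `err` right after `chain.dup` returned a non-nil `cert_chain`, so `err` is nil at that point and the warning never carries any detail; dropping the argument, `ngx_log(ngx_WARN, "no cert in ssl_client_cert, falling back to non-mTLS")`, or logging `#cert_chain` would be more useful. Separately, `ok, err = cert:check_private_key(key)` on new line 243 assigns `ok` without `local`; unless `ok` is declared earlier in connect() (not visible in the hunk), this writes a global, and `local ok, err = cert:check_private_key(key)` avoids that. Since every failure in this block silently degrades to non-mTLS, keeping these warnings accurate is what lets an operator notice the downgrade. The enclosing function connect() starts and ends outside the hunk.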