@@ -167,20 +167,30 @@ local function connect(self, options)
167167 local cert_hash
168168 if ssl and ssl_client_cert and ssl_client_priv_key then
169169 local status , res = xpcall (function ()
170+ local chain = require (" resty.openssl.chain" )
170171 local x509 = require (" resty.openssl.x509" )
171172 local pkey = require (" resty.openssl.pkey" )
172- return { x509 , pkey }
173+ return { chain , x509 , pkey }
173174 end , debug.traceback )
174175
175176 if status then
176- local x509 = res [1 ]
177- local pkey = res [2 ]
178- local cert , err = x509 .new (ssl_client_cert )
177+ local chain = res [1 ]
178+ local x509 = res [2 ]
179+ local pkey = res [3 ]
180+
181+ local cert_chain , err = chain .dup (ssl_client_cert )
182+ if not cert_chain then
183+ return nil , err
184+ end
185+
186+ if # cert_chain < 1 then
187+ return nil , " no cert in the chain"
188+ end
189+
190+ local cert , err = x509 .dup (cert_chain [1 ].ctx )
179191 if not cert then
180192 return nil , err
181193 end
182- -- should not free the cdata passed in
183- ffi_gc (cert .ctx , nil )
184194
185195 local key , err = pkey .new (ssl_client_priv_key )
186196 if not key then
@@ -204,8 +214,8 @@ local function connect(self, options)
204214 end
205215
206216 else
207- if type (res ) == " string" and ngx_re_find (res , " module 'resty\\ .openssl\\ .(x509|pkey)' not found" ) then
208- ngx_log (ngx_WARN , " can't use mTLS without module `lua-resty-openssl`, falling back to non-mTLS." )
217+ if type (res ) == " string" and ngx_re_find (res , " module 'resty\\ .openssl\\ .(chain| x509|pkey)' not found" ) then
218+ ngx_log (ngx_WARN , " can't use mTLS without module `lua-resty-openssl`, falling back to non-mTLS." .. res )
209219
210220 else
211221 return nil , " failed to load module 'resty.openssl.*':\n " .. res
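Review bot: The widened pattern on new line 217 extends the fail-open path: when `ssl_client_cert` and `ssl_client_priv_key` are both set but `resty.openssl.chain` cannot be loaded, the connection continues without client authentication and only a WARN is logged. An installation whose lua-resty-openssl lacks the chain module (not verifiable from this page) would now be downgraded from mTLS to plain TLS, so consider returning `nil, "mTLS requested but lua-resty-openssl is unavailable"` in this branch, or at least add a comment there stating that the downgrade is intentional. On new line 218 the traceback is concatenated onto the sentence with no separator; `ngx_log` is variadic, so ending the message with `"falling back to non-mTLS: ", res` keeps the log readable and avoids building the string. In the first hunk `cert_chain[1]` is taken as the client certificate with nothing telling callers the ordering matters; a comment such as `-- the first certificate in the chain must be the client (leaf) certificate` above the `x509.dup` call would record that. The enclosing `connect` starts and ends outside both hunks.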