@@ -179,12 +179,7 @@ local function connect(self, options)
179179 end
180180
181181 local cert_hash
182- -- fallback to non-mTLS if it's not an error due to the caller
183- repeat
184- if not ssl or not ssl_client_cert or not ssl_client_priv_key then
185- break
186- end
187-
182+ if ssl and ssl_client_cert and ssl_client_priv_key then
188183 local cert_type = type (ssl_client_cert )
189184 local key_type = type (ssl_client_priv_key )
190185
@@ -197,15 +192,13 @@ local function connect(self, options)
197192 end
198193
199194 if not openssl_available then
200- ngx_log (ngx_WARN , " module `resty.openssl.*` not available, falling back to non-mTLS:\n " )
201- break
195+ return nil , " module `resty.openssl.*` not available, mTLS isn't supported with lua-resty-openssl"
202196 end
203197
204198 -- convert from `void*` to `OPENSSL_STACK*`
205199 local cert_chain , err = lib_chain .dup (ffi_cast (" OPENSSL_STACK*" , ssl_client_cert ))
206200 if not cert_chain then
207- ngx_log (ngx_WARN , " failed to dup the ssl_client_cert, falling back to non-mTLS: " , err )
208- break
201+ return nil , string_format (" failed to dup the ssl_client_cert: %s" , err )
209202 end
210203
211204 if # cert_chain < 1 then
@@ -214,15 +207,13 @@ local function connect(self, options)
214207
215208 local cert , err = lib_x509 .dup (cert_chain [1 ].ctx )
216209 if not cert then
217- ngx_log (ngx_WARN , " failed to dup the x509, falling back to non-mTLS: " , err )
218- break
210+ return nil , string_format (" failed to dup the x509: %s" , err )
219211 end
220212
221213 -- convert from `void*` to `EVP_PKEY*`
222214 local key , err = lib_pkey .new (ffi_cast (" EVP_PKEY*" , ssl_client_priv_key ))
223215 if not key then
224- ngx_log (ngx_WARN , " failed to new the pkey, falling back to non-mTLS: " , err )
225- break
216+ return nil , string_format (" failed to new the pkey: %s" : err )
226217 end
227218 -- should not free the cdata passed in
228219 ffi_gc (key .ctx , nil )
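Review bot: The new pkey error path uses a colon where a comma is needed — `return nil , string_format (" failed to new the pkey: %s" : err )` is not valid Lua (`:` begins a method call and `err` is not a call), so the chunk fails to compile and `require` of the module fails outright; it should read `return nil, string_format("failed to new the pkey: %s", err)`. Because this branch is only reached when a caller supplies a client cert and key, the breakage shows up as a module load failure rather than a runtime error on the mTLS path, so a test that drives `connect` with an unusable key would catch it. The enclosing function `connect` starts and ends outside this hunk. Replacing the old log-and-fall-back-to-plain-TLS behaviour with `return nil, err` in this and the neighbouring hunks is the right direction (fail closed instead of silently downgrading the connection), but it changes the contract for callers who relied on the fallback and deserves a changelog entry. The message in the earlier hunk, `mTLS isn't supported with lua-resty-openssl`, also reads as the opposite of what is meant; `mTLS isn't supported without lua-resty-openssl` is presumably intended.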
@@ -235,17 +226,10 @@ local function connect(self, options)
235226
236227 cert_hash , err = cert :digest (" sha256" )
237228 if not cert_hash then
238- ngx_log (ngx_WARN , " failed to calculate the digest of the cert, falling back to non-mTLS: " , err )
239- break
229+ return nil , string_format (" failed to calculate the digest of the cert: %s" , err )
240230 end
241231
242232 cert_hash = to_hex (cert_hash ) -- convert to hex so that it's printable
243-
244- until true
245-
246- if not cert_hash then
247- ssl_client_cert = nil
248- ssl_client_priv_key = nil
249233 end
250234
251235 -- construct a poolname unique within proxy and ssl info
@@ -326,13 +310,13 @@ local function connect(self, options)
326310 -- Experimental mTLS support
327311 if ssl_client_cert and ssl_client_priv_key then
328312 if type (sock .setclientcert ) ~= " function" then
329- ngx_log ( ngx_WARN , " cannot use SSL client cert and key without mTLS support" )
313+ return nil , " cannot use SSL client cert and key without mTLS support"
330314
331315 else
332- ok , err = sock :setclientcert (ssl_client_cert , ssl_client_priv_key )
333- if not ok then
334- ngx_log ( ngx_WARN , " could not set client certificate: " , err )
335- end
316+ ok , err = sock :setclientcert (ssl_client_cert , ssl_client_priv_key )
317+ if not ok then
318+ return nil , string_format ( " could not set client certificate: %s " , err )
319+ end
336320 end
337321 end
338322