diff --git a/src/ngx_http_lua_proxy_ssl_verifyby.c b/src/ngx_http_lua_proxy_ssl_verifyby.c index 339522bab3..1cb1d980e4 100644 --- a/src/ngx_http_lua_proxy_ssl_verifyby.c +++ b/src/ngx_http_lua_proxy_ssl_verifyby.c @@ -33,13 +33,20 @@ ngx_int_t ngx_http_lua_proxy_ssl_verify_set_callback(ngx_conf_t *cf) { -#ifdef LIBRESSL_VERSION_NUMBER +#if defined(LIBRESSL_VERSION_NUMBER) ngx_log_error(NGX_LOG_EMERG, cf->log, 0, "LibreSSL does not support by proxy_ssl_verify_by_lua*"); return NGX_ERROR; +#elif defined(OPENSSL_IS_BORINGSSL) + + ngx_log_error(NGX_LOG_EMERG, cf->log, 0, + "BoringSSL does not support by proxy_ssl_verify_by_lua*"); + + return NGX_ERROR; + #else void *plcf; @@ -150,6 +157,22 @@ char * ngx_http_lua_proxy_ssl_verify_by_lua(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) { +#if defined(LIBRESSL_VERSION_NUMBER) + + ngx_log_error(NGX_LOG_EMERG, cf->log, 0, + "LibreSSL does not support by proxy_ssl_verify_by_lua*"); + + return NGX_CONF_ERROR; + +#elif defined(OPENSSL_IS_BORINGSSL) + + ngx_log_error(NGX_LOG_EMERG, cf->log, 0, + "BoringSSL does not support by proxy_ssl_verify_by_lua*"); + + return NGX_CONF_ERROR; + +#else + #if (!defined SSL_ERROR_WANT_RETRY_VERIFY \ || OPENSSL_VERSION_NUMBER < 0x30000020L) @@ -231,12 +254,30 @@ ngx_http_lua_proxy_ssl_verify_by_lua(ngx_conf_t *cf, ngx_command_t *cmd, return NGX_CONF_OK; #endif /* SSL_ERROR_WANT_RETRY_VERIFY */ + +#endif } int ngx_http_lua_proxy_ssl_verify_handler(X509_STORE_CTX *x509_store, void *arg) { +#if defined(LIBRESSL_VERSION_NUMBER) + + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, + "LibreSSL does not support by proxy_ssl_verify_by_lua*"); + + return 1; + +#elif defined(OPENSSL_IS_BORINGSSL) + + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, + "BoringSSL does not support by proxy_ssl_verify_by_lua*"); + + return 1; + +#else + lua_State *L; ngx_int_t rc; ngx_connection_t *c; 
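Review bot: The LibreSSL and BoringSSL stubs added to ngx_http_lua_proxy_ssl_verify_handler `return 1`, which reads as the success value for this callback, given that the function's existing tail is `return 0; /* verify failure or error */`. ngx_http_lua_proxy_ssl_verify_set_callback refuses to register the handler on those libraries, so the stub is presumably unreachable, but if it ever ran the upstream certificate would be accepted unchecked. It should fail closed with `return 0;`. The same two branches log through `c->log`, while `c` is declared only in the `#else` branch, so they will not compile in builds where `ngx_log_debug0` expands to real code (debug builds); drop the log call or log through a connection obtained inside the branch. The handler's body continues outside this hunk.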
@@ -377,6 +418,8 @@ ngx_http_lua_proxy_ssl_verify_handler(X509_STORE_CTX *x509_store, void *arg) } return 0; /* verify failure or error */ + +#endif } @@ -553,6 +596,20 @@ int ngx_http_lua_ffi_proxy_ssl_set_verify_result(ngx_http_request_t *r, int verify_result, char **err) { +#if defined(LIBRESSL_VERSION_NUMBER) + + *err = "LibreSSL does not support this function"; + + return NGX_ERROR; + +#elif defined(OPENSSL_IS_BORINGSSL) + + *err = "BoringSSL does not support this function"; + + return NGX_ERROR; + +#else + #ifdef SSL_ERROR_WANT_RETRY_VERIFY ngx_http_upstream_t *u; ngx_ssl_conn_t *ssl_conn; @@ -598,12 +655,28 @@ ngx_http_lua_ffi_proxy_ssl_set_verify_result(ngx_http_request_t *r, return NGX_ERROR; #endif + +#endif } int ngx_http_lua_ffi_proxy_ssl_get_verify_result(ngx_http_request_t *r, char **err) { +#if defined(LIBRESSL_VERSION_NUMBER) + + *err = "LibreSSL does not support this function"; + + return NGX_ERROR; + +#elif defined(OPENSSL_IS_BORINGSSL) + + *err = "BoringSSL does not support this function"; + + return NGX_ERROR; + +#else + #ifdef SSL_ERROR_WANT_RETRY_VERIFY ngx_http_upstream_t *u; ngx_ssl_conn_t *ssl_conn; @@ -647,6 +720,8 @@ ngx_http_lua_ffi_proxy_ssl_get_verify_result(ngx_http_request_t *r, char **err) return NGX_ERROR; #endif + +#endif } @@ -662,6 +737,20 @@ ngx_http_lua_ffi_proxy_ssl_free_verify_cert(void *cdata) void * ngx_http_lua_ffi_proxy_ssl_get_verify_cert(ngx_http_request_t *r, char **err) { +#if defined(LIBRESSL_VERSION_NUMBER) + + *err = "LibreSSL does not support this function"; + + return NGX_ERROR; + +#elif defined(OPENSSL_IS_BORINGSSL) + + *err = "BoringSSL does not support this function"; + + return NGX_ERROR; + +#else + #ifdef SSL_ERROR_WANT_RETRY_VERIFY ngx_http_upstream_t *u; ngx_ssl_conn_t *ssl_conn; @@ -713,6 +802,8 @@ ngx_http_lua_ffi_proxy_ssl_get_verify_cert(ngx_http_request_t *r, char **err) return NULL; #endif + +#endif } 
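Review bot: The unsupported-library branches added to ngx_http_lua_ffi_proxy_ssl_get_verify_cert `return NGX_ERROR;` from a function declared `void *`, whereas the function's existing fallback at the end of the `SSL_ERROR_WANT_RETRY_VERIFY` block uses `return NULL;`. An integer error code converted to a pointer is non-NULL, so a caller that tests the result against NULL would treat it as a certificate handle and might later dereference or free it. Compilers will also at least warn about the implicit int-to-pointer conversion. Both branches should `return NULL;` after setting `*err`. The function body continues outside the hunk.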
diff --git a/t/169-proxy-ssl-verify.t b/t/169-proxy-ssl-verify.t index 4c44a8b9be..95ecc1f3a7 100644 --- a/t/169-proxy-ssl-verify.t +++ b/t/169-proxy-ssl-verify.t @@ -8,14 +8,19 @@ repeat_each(3); my $NginxBinary = $ENV{'TEST_NGINX_BINARY'} || 'nginx'; my $openssl_version = eval { `$NginxBinary -V 2>&1` }; -if ($openssl_version =~ m/built with OpenSSL (0\S*|1\.0\S*|1\.1\.0\S*)/) { - plan(skip_all => "too old OpenSSL, need 1.1.1, was $1"); +if ($openssl_version =~ m/built with OpenSSL (\d+)\.(\d+)\.(\d+)/) { + my ($major, $minor, $patch) = ($1, $2, $3); + + if ($major < 3 || ($major == 3 && $minor == 0 && $patch < 2)) { + plan(skip_all => "too old OpenSSL, need >= 3.0.2, was " . + "$major.$minor.$patch"); + } else { + plan tests => repeat_each() * (blocks() * 5 + 19); + } } elsif ($openssl_version =~ m/running with BoringSSL/) { plan(skip_all => "does not support BoringSSL"); -} elsif ($ENV{TEST_NGINX_USE_HTTP3}) { - plan tests => repeat_each() * (blocks() * 6 + 6); } else { - plan tests => repeat_each() * (blocks() * 5 + 10); + die "unknown SSL"; } $ENV{TEST_NGINX_HTML_DIR} ||= html_dir(); @@ -1230,7 +1235,7 @@ proxy_ssl_verify_by_lua: cert verify callback aborted === TEST 25: cosocket --- http_config server { - listen *:80; + listen 127.0.0.1:$TEST_NGINX_RAND_PORT_1; server_name test.com; server_tokens off; @@ -1279,7 +1284,7 @@ proxy_ssl_verify_by_lua: cert verify callback aborted local sock = ngx.socket.tcp() sock:settimeout(2000) - local ok, err = sock:connect("127.0.0.1", "80") + local ok, err = sock:connect("127.0.0.1", $TEST_NGINX_RAND_PORT_1) if not ok then ngx.log(ngx.ERR, "failed to connect: ", err) return @@ -1320,7 +1325,7 @@ simple logging return connected: 1 sent http request: 56 bytes. received: HTTP/1.1 201 Created -received: Server: openresty +received: Server: nginx received: Content-Type: text/plain received: Content-Length: 4 received: Connection: close
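Review bot: The new final branch `die "unknown SSL";` turns any `nginx -V` banner that matches neither `built with OpenSSL x.y.z` nor `running with BoringSSL` into a hard failure instead of a skip. The C side of this commit treats LibreSSL as a legitimate but unsupported build, so a LibreSSL binary (whose banner presumably names LibreSSL rather than OpenSSL) would abort the run here, as would an empty result from the backtick command. Consider `plan(skip_all => "unsupported or unknown SSL library");` in that branch, or an explicit `elsif ($openssl_version =~ m/LibreSSL/)` skip ahead of it. The hunk also removes the `TEST_NGINX_USE_HTTP3` plan count without a replacement, so it is worth confirming that HTTP/3 runs still match `blocks() * 5 + 19`.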