
tlshandshake not supported

Open dadins opened this issue 2 years ago • 6 comments

ngx.socket.tcp() does not have a method tlshandshake()

dadins avatar May 27 '22 11:05 dadins

Can you describe it in more detail? I don't know what you are trying to say.

In fact, we added the tlshandshake patch to apisix-base. see: https://github.com/api7/apisix-nginx-module/blob/main/patch/README.md

tzssangglass avatar May 30 '22 00:05 tzssangglass

Hi @tzssangglass I've been trying to use lua-resty-etcd in openresty and probably hit the same problem as @dadins

the underlying socket does not provide the tlshandshake function and thus http_connect.lua falls back to ssl_handshake

I added a debug log to show this (http_connect.lua)

    if ssl and sock:getreusedtimes() == 0 then
        local ok, err
        if not sock.tlshandshake then
            ngx.log(ngx.DEBUG, "sock does not provide tlshandshake - fallback to ssl_handshake")
            ok, err = self:ssl_handshake(nil, ssl_server_name, ssl_verify, ssl_send_status_req)

and when testing it:

*171 [lua] http_connect.lua:230: connect(): sock does not provide tlshandshake - fallback to ssl_handshake

This hurts in my case since this way the provided client certificate details (ssl_cert_path, ssl_key_path) get ignored silently and the etcd connect fails with SSL_do_handshake() failed (SSL: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:SSL alert number 42) and etcd logs etcd[24950]: rejected connection from "127.0.0.1:39500" (error "tls: client didn't provide a certificate")

Is there a way to get client cert based authentication vs etcd to work with a stock openresty? I run:

openresty -v
nginx version: openresty/1.21.4.1

danischroeter avatar Jul 29 '22 08:07 danischroeter
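The silent fallback described in the post above is the dangerous part: a client certificate is configured, but a stock socket cannot present it, and the error only surfaces on the etcd side. The following is an added example, not lua-resty-etcd's own code, of a guard that fails fast in that situation. It assumes the patched socket exposes sock:tlshandshake(opts) with client_cert / client_priv_key / verify / server_name fields, as in the linked apisix-nginx-module patch; the sample socket at the bottom is a constructed stand-in for a stock OpenResty socket.

```lua
-- Refuse to fall back to a plain sslhandshake() when a client certificate was
-- configured but the socket cannot send one (stock OpenResty, no patch applied).
local function handshake_or_fail(sock, cfg)
    local wants_client_cert = cfg.ssl_cert_path ~= nil or cfg.ssl_key_path ~= nil

    if sock.tlshandshake then
        -- Patched socket: field names assumed from the apisix-nginx-module patch.
        return sock:tlshandshake({
            verify          = cfg.ssl_verify,
            server_name     = cfg.ssl_server_name,
            client_cert     = cfg.client_cert,      -- cdata loaded from ssl_cert_path
            client_priv_key = cfg.client_key,       -- cdata loaded from ssl_key_path
        })
    end

    if wants_client_cert then
        -- sslhandshake() cannot present a client certificate, so continuing
        -- would only produce the "bad certificate" alert seen in the logs above.
        return nil, "client certificate configured but ngx.socket.tcp lacks "
                 .. "tlshandshake(); apply the apisix-nginx-module tlshandshake patch"
    end

    -- No client cert requested: the standard OpenResty handshake is sufficient.
    return sock:sslhandshake(false, cfg.ssl_server_name, cfg.ssl_verify)
end

-- Constructed stand-in for a stock OpenResty socket: no tlshandshake method.
local stock_sock = { sslhandshake = function() return true end }

local ok, err = handshake_or_fail(stock_sock, { ssl_cert_path = "/etc/etcd/client.crt" })
assert(ok == nil and err:find("lacks tlshandshake", 1, true))

-- Without a client certificate the stock socket is accepted.
assert(handshake_or_fail(stock_sock, { ssl_verify = true }) == true)
```

The check is only a front-end to the real handshake: loading the PEM files into cdata (ngx.ssl.parse_pem_cert / parse_pem_priv_key in lua-resty-core) is left to the caller.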

Is there a way to get client cert based authentication vs etcd to work with a stock openresty?

In fact, this is already implemented in APISIX. ref: https://github.com/apache/apisix/pull/7540/files#diff-50936d6780259bf539f3e60ae8008e586e5ec0185ae2a1997133f07585d900af

This requires patching ngx.socket.tcp; this is the patch: https://github.com/api7/apisix-nginx-module/blob/main/patch/1.21.4/lua-resty-core-tlshandshake.patch

tzssangglass avatar Jul 29 '22 09:07 tzssangglass

Hi @tzssangglass Thx a lot for the quick response!

I manually applied the referenced patch directly to a dev openresty. Now when I try to start openresty I get this:

[alert] 22218#22218: failed to load the 'resty.core' module (https://github.com/openresty/lua-resty-core); ensure you are using an OpenResty release from https://openresty.org/en/download.html (reason: /usr/local/openresty/lualib/resty/core/socket/tcp.lua:52: /usr/local/openresty/luajit/lib/libluajit-5.1.so.2: undefined symbol: ngx_http_lua_ffi_socket_tcp_tlshandshake) in /etc/nginx/nginx.conf:86

I think the patch version and the openresty version do match - right?

https://raw.githubusercontent.com/api7/apisix-nginx-module/main/patch/1.21.4/lua-resty-core-tlshandshake.patch
-> 
openresty -v
nginx version: openresty/1.21.4.1

Is there something obvious that I might have missed?

danischroeter avatar Jul 29 '22 10:07 danischroeter

[alert] 22218#22218: failed to load the 'resty.core' module (https://github.com/openresty/lua-resty-core); ensure you are using an OpenResty release from https://openresty.org/en/download.html (reason: /usr/local/openresty/lualib/resty/core/socket/tcp.lua:52: /usr/local/openresty/luajit/lib/libluajit-5.1.so.2: undefined symbol: ngx_http_lua_ffi_socket_tcp_tlshandshake) in /etc/nginx/nginx.conf:86

try: https://github.com/api7/apisix-nginx-module/blob/main/patch/1.21.4/ngx_lua-tlshandshake.patch, maybe this patch needs to be added

tzssangglass avatar Jul 30 '22 16:07 tzssangglass

[alert] 22218#22218: failed to load the 'resty.core' module (https://github.com/openresty/lua-resty-core); ensure you are using an OpenResty release from https://openresty.org/en/download.html (reason: /usr/local/openresty/lualib/resty/core/socket/tcp.lua:52: /usr/local/openresty/luajit/lib/libluajit-5.1.so.2: undefined symbol: ngx_http_lua_ffi_socket_tcp_tlshandshake) in /etc/nginx/nginx.conf:86

try: https://github.com/api7/apisix-nginx-module/blob/main/patch/1.21.4/ngx_lua-tlshandshake.patch, maybe this patch needs to be added

The src/ngx_http_lua_socket_tcp.c file was not found in my openresty directory; my version is openresty/1.21.4.2. How do I apply this patch?

Hanoboo avatar May 20 '24 09:05 Hanoboo