lua-nginx-module
features discuss: change protocols and ciphers in ssl_certificate_by_lua_*
Can SSL_set_options and SSL_set_cipher_list be used to modify ssl_protocols and ssl_ciphers in the ssl_certificate_by_lua_* phase?
Maybe the ssl_protocols modification is invalid; is there a way?
```nginx
location / {
    ssl_certificate_by_lua_block {
        -- Retrieve the SSL object
        local ssl = ngx.req.socket

        -- Modify SSL options
        ssl:setoption("SSL_OP_NO_SSLv2")
        ssl:setoption("SSL_OP_NO_SSLv3")
        ssl:setoption("SSL_OP_CIPHER_SERVER_PREFERENCE")
        -- You can set more options as needed

        -- Set the list of allowed ciphers
        local ciphers = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
        ssl:setcipherlist(ciphers)

        -- Proceed with the SSL handshake
        local ret = ssl:handshake()
        if not ret then
            ngx.log(ngx.ERR, "SSL handshake failed: " .. ssl:errmsg())
            return ngx.exit(ngx.ERROR)
        end
    }

    # Your regular Nginx configuration for this location
    # ...
}
```
ngx.req.socket returns a TCP socket; it cannot change any SSL-related setting. If you want to set the SSL option in the SSL phase, you need to write some FFI to do it, like https://github.com/openresty/lua-nginx-module/blob/master/src/ngx_http_lua_ssl_client_helloby.c#L657
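As an added example (not code from this thread, and not the project's own snippet), here is how the per-connection protocol restriction can be done from Lua without writing the FFI binding by hand: lua-resty-core exposes the C helper in ngx_http_lua_ssl_client_helloby.c as ngx.ssl.clienthello.set_protocols, which has to run in the ssl_client_hello_by_lua* phase (before the handshake picks a version), not in ssl_certificate_by_lua*. Assumptions: a lua-nginx-module/lua-resty-core build that ships that module; the hostname is hypothetical; the cipher list is not covered here and still comes from the ssl_ciphers directive.

```lua
-- Added example: goes inside
--   server { ... ssl_client_hello_by_lua_block { <this code> } }
-- Assumes lua-resty-core provides ngx.ssl.clienthello with set_protocols
-- (the Lua wrapper over the C FFI function referenced in the reply above).
local ssl_clt = require "ngx.ssl.clienthello"

-- Hypothetical hostname used only to show a per-SNI policy.
local LEGACY_HOST = "legacy.example.com"

-- SNI is readable at ClientHello time; absence of SNI is not fatal,
-- the connection simply gets the default (strict) policy.
local host, err = ssl_clt.get_client_hello_server_name()
if not host then
    ngx.log(ngx.WARN, "no SNI in ClientHello: ", err or "nil")
end

-- Defender's default: TLS 1.2 and 1.3 only. The legacy name is pinned to
-- TLS 1.2; TLS 1.0/1.1 are never enabled for any host.
local protocols
if host == LEGACY_HOST then
    protocols = { "TLSv1.2" }
else
    protocols = { "TLSv1.2", "TLSv1.3" }
end

local ok, err = ssl_clt.set_protocols(protocols)
if not ok then
    -- Failing closed here aborts the handshake rather than silently
    -- falling back to whatever ssl_protocols allows globally.
    ngx.log(ngx.ERR, "failed to set protocols for ", host or "(no SNI)",
            ": ", err)
    return ngx.exit(ngx.ERROR)
end
```

Verify the effect from a client with `openssl s_client -connect host:443 -servername legacy.example.com -tls1_3`, which should fail for the pinned name while the default policy still negotiates TLS 1.3.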