lua-resty-websocket
ssl session repeated sslhandshake
branch : master
https://github.com/openresty/lua-resty-websocket/blob/eba3e979620f847fc6bdb3f64e9adf86b59a0251/lib/resty/websocket/client.lua#L172
```lua
if scheme == "wss" then
    if not ssl_support then
        return nil, "ngx_lua 0.9.11+ required for SSL sockets"
    end
    if client_cert then
        ok, err = sock:setclientcert(client_cert, client_priv_key)
        if not ok then
            return nil, "failed to set TLS client certificate: " .. err
        end
    end
    ok, err = sock:sslhandshake(false, server_name, ssl_verify)
    if not ok then
        return nil, "ssl handshake failed: " .. err
    end
end
```
According to the API manual https://www.kancloud.cn/qq13867685/openresty-api-cn/159103: `session, err = tcpsock:sslhandshake(reused_session?, server_name?, ssl_verify?)`
I think it is necessary to change the code:
```lua
if scheme == "wss" then
    if not ssl_support then
        return nil, "ngx_lua 0.9.11+ required for SSL sockets"
    end
    if client_cert then
        ok, err = sock:setclientcert(client_cert, client_priv_key)
        if not ok then
            return nil, "failed to set TLS client certificate: " .. err
        end
    end
end
-- check for connections from pool:
local count, err = sock:getreusedtimes()
if not count then
    return nil, "failed to get reused times: " .. err
end
if count > 0 then
    -- being a reused connection (must have done handshake)
    return 1
else
    local ok, err = sock:sslhandshake(false, server_name, ssl_verify)
    if not ok then
        return nil, "ssl handshake failed: " .. err
    end
end
```
Added: Determine whether the sslhandshake is necessary by 'sock:getreusedtimes()'. It does need to call sslhandshake when the reused times of the connection is zero.
Refer to https://github.com/doujiang24/lua-resty-kafka/blob/3fbed91d81d4fb32d4dda4316f5f2cba04622633/lib/resty/kafka/broker.lua#L144
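The check proposed above, as an added example that is not code from lua-resty-websocket or from the original post: the handshake stays scoped to `wss` and runs only when `getreusedtimes()` returns 0. A reused connection skips the handshake and so inherits whatever verification its first handshake performed, which is why the hypothetical `pool_key` helper puts `server_name` and `ssl_verify` into the pool name. `connect_tls`, `mock_sock`, `run` and `example.test` are constructed for the illustration, and the mock stands in for the ngx_lua cosocket so the block runs under plain Lua.

```lua
-- Added example; helper names are hypothetical, not lua-resty-websocket API.
-- The pool name carries the TLS parameters, so a connection that handshook
-- with ssl_verify=false is never handed to a caller that asked for verification.
local function pool_key(host, port, o)
    return table.concat({ o.scheme, host, port, o.server_name or "",
                          tostring(o.ssl_verify or false) }, ":")
end
local function connect_tls(sock, host, port, o)
    local ok, err = sock:connect(host, port, { pool = pool_key(host, port, o) })
    if not ok then
        return nil, "failed to connect: " .. err
    end
    local count, err = sock:getreusedtimes()
    if not count then
        return nil, "failed to get reused times: " .. err
    end
    -- Handshake only for wss, and only on a connection that is not from the pool.
    if o.scheme == "wss" and count == 0 then
        ok, err = sock:sslhandshake(false, o.server_name, o.ssl_verify)
        if not ok then
            return nil, "ssl handshake failed: " .. err
        end
    end
    return count > 0 and "reused" or "new"
end

-- Constructed stand-in for the ngx_lua cosocket so the block runs under plain Lua.
local pools, handshakes = {}, 0
local function mock_sock()
    local s = {}
    function s:connect(host, port, opts)
        self.pool, self.reused = opts.pool, pools[opts.pool] or 0
        return 1
    end
    function s:getreusedtimes() return self.reused end
    function s:sslhandshake() handshakes = handshakes + 1; return true end
    function s:setkeepalive() pools[self.pool] = self.reused + 1; return 1 end
    return s
end
local function run(o)
    local s = mock_sock()
    local state = assert(connect_tls(s, "example.test", 443, o))
    s:setkeepalive()
    return state
end
-- Constructed callers: same host, different verification settings.
local lax = { scheme = "wss", server_name = "example.test", ssl_verify = false }
local strict = { scheme = "wss", server_name = "example.test", ssl_verify = true }
for _, o in ipairs({ lax, lax, strict, strict }) do print(o.ssl_verify, run(o)) end
print("handshakes:", handshakes)
```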
PR is welcomed. @chenyyyang
Hi @zhuizhuhaomeng, would you mind reviewing this PR: https://github.com/openresty/lua-resty-websocket/pull/80