From c6384ae2e24caa3cf2b32949aeb71133b1ed5979 Mon Sep 17 00:00:00 2001 From: willmafh Date: Sat, 19 Jul 2025 17:43:04 +0800 Subject: [PATCH 1/4] feature: proxy_ssl_verify_by_lua update table of context names --- lib/resty/core/phase.lua | 33 +++++++++++++++++---------------- 1 file changed, 17 insertions(+), 16 deletions(-) diff --git a/lib/resty/core/phase.lua b/lib/resty/core/phase.lua index 8bd2ce827..eaf04d768 100644 --- a/lib/resty/core/phase.lua +++ b/lib/resty/core/phase.lua @@ -15,22 +15,23 @@ int ngx_http_lua_ffi_get_phase(ngx_http_request_t *r, char **err) local errmsg = base.get_errmsg_ptr() local context_names = { - [0x0001] = "set", - [0x0002] = "rewrite", - [0x0004] = "access", - [0x0008] = "content", - [0x0010] = "log", - [0x0020] = "header_filter", - [0x0040] = "body_filter", - [0x0080] = "timer", - [0x0100] = "init_worker", - [0x0200] = "balancer", - [0x0400] = "ssl_cert", - [0x0800] = "ssl_session_store", - [0x1000] = "ssl_session_fetch", - [0x2000] = "exit_worker", - [0x4000] = "ssl_client_hello", - [0x8000] = "server_rewrite", + [0x00000001] = "set", + [0x00000002] = "rewrite", + [0x00000004] = "access", + [0x00000008] = "content", + [0x00000010] = "log", + [0x00000020] = "header_filter", + [0x00000040] = "body_filter", + [0x00000080] = "timer", + [0x00000100] = "init_worker", + [0x00000200] = "balancer", + [0x00000400] = "ssl_cert", + [0x00000800] = "ssl_session_store", + [0x00001000] = "ssl_session_fetch", + [0x00002000] = "exit_worker", + [0x00004000] = "ssl_client_hello", + [0x00008000] = "server_rewrite", + [0x00010000] = "proxy_ssl_verify", } From dcef9197206bb9df4e0e1d343b45195773da73b8 Mon Sep 17 00:00:00 2001 From: willmafh Date: Sun, 20 Jul 2025 20:13:41 +0800 Subject: [PATCH 2/4] feature: proxysslverify module to facilitate using proxy_ssl_verify_by_lua directives --- lib/ngx/ssl/proxysslverify.lua | 140 ++++++++++++++++++++++++ lib/ngx/ssl/proxysslverify.md | 188 +++++++++++++++++++++++++++++++++ 2 files changed, 328 insertions(+) create mode 100644 lib/ngx/ssl/proxysslverify.lua create mode 100644 lib/ngx/ssl/proxysslverify.md diff --git a/lib/ngx/ssl/proxysslverify.lua b/lib/ngx/ssl/proxysslverify.lua new file mode 100644 index 000000000..4ba04220d --- /dev/null +++ b/lib/ngx/ssl/proxysslverify.lua @@ -0,0 +1,140 @@ +-- Copyright (C) Yichun Zhang (agentzh) + + +local base = require "resty.core.base" +base.allows_subsystem('http', 'stream') + + +local ffi = require "ffi" +local C = ffi.C +local ffi_gc = ffi.gc +local ffi_str = ffi.string +local get_request = base.get_request +local error = error +local errmsg = base.get_errmsg_ptr() + +local FFI_OK = base.FFI_OK +local FFI_ERROR = base.FFI_ERROR +local subsystem = ngx.config.subsystem +local ngx_phase = ngx.get_phase + +local ngx_lua_ffi_ssl_set_verify_result +local ngx_lua_ffi_ssl_get_verify_result +local ngx_lua_ffi_ssl_get_verify_cert +local ngx_lua_ffi_ssl_free_verify_cert + + +if subsystem == 'http' then + ffi.cdef[[ + int ngx_http_lua_ffi_ssl_set_verify_result(ngx_http_request_t *r, + int verify_result, char **err); + + int ngx_http_lua_ffi_ssl_get_verify_result(ngx_http_request_t *r, + char **err); + + void *ngx_http_lua_ffi_ssl_get_verify_cert(ngx_http_request_t *r, + char **err); + + void ngx_http_lua_ffi_ssl_free_verify_cert(void *cdata); + ]] + + ngx_lua_ffi_ssl_set_verify_result = + C.ngx_http_lua_ffi_ssl_set_verify_result + ngx_lua_ffi_ssl_get_verify_result = + C.ngx_http_lua_ffi_ssl_get_verify_result + ngx_lua_ffi_ssl_get_verify_cert = + C.ngx_http_lua_ffi_ssl_get_verify_cert + ngx_lua_ffi_ssl_free_verify_cert = + C.ngx_http_lua_ffi_ssl_free_verify_cert + + + +elseif subsystem == 'stream' then + ffi.cdef[[ + int ngx_stream_lua_ffi_ssl_set_verify_result(ngx_stream_lua_request_t *r, + int verify_result, char **err); + + int ngx_stream_lua_ffi_ssl_get_verify_result(ngx_stream_lua_request_t *r, + char **err); + + void *ngx_stream_lua_ffi_ssl_get_verify_cert(ngx_stream_lua_request_t *r, + char **err); + + void ngx_stream_lua_ffi_ssl_free_verify_cert(void *cdata); + ]] + + ngx_lua_ffi_ssl_set_verify_result = + C.ngx_stream_lua_ffi_ssl_set_verify_result + ngx_lua_ffi_ssl_get_verify_result = + C.ngx_stream_lua_ffi_ssl_get_verify_result + ngx_lua_ffi_ssl_get_verify_cert = + C.ngx_stream_lua_ffi_ssl_get_verify_cert + ngx_lua_ffi_ssl_free_verify_cert = + C.ngx_stream_lua_ffi_ssl_free_verify_cert +end + + +local _M = { version = base.version } + + +-- return ok, err +function _M.set_verify_result(verify_result) + local r = get_request() + if not r then + error("no request found") + end + + if ngx_phase() ~= "proxy_ssl_verify" then + error("API disabled in the current context") + end + + local rc = ngx_lua_ffi_ssl_set_verify_result(r, verify_result, errmsg) + if rc == FFI_OK then + return true + end + + return nil, ffi_str(errmsg[0]) +end + + +-- return verify_result, err +function _M.get_verify_result() + local r = get_request() + if not r then + error("no request found") + end + + if ngx_phase() ~= "proxy_ssl_verify" then + error("API disabled in the current context") + end + + local rc = ngx_lua_ffi_ssl_get_verify_result(r, errmsg) + if rc == FFI_ERROR then + return nil, ffi_str(errmsg[0]) + end + + return rc +end + + +-- return cert, err +function _M.get_verify_cert() + local r = get_request() + if not r then + error("no request found") + end + + if ngx_phase() ~= "proxy_ssl_verify" then + error("API disabled in the current context") + end + + local cert = ngx_lua_ffi_ssl_get_verify_cert(r, errmsg) + if cert ~= nil then + return ffi_gc(cert, ngx_lua_ffi_ssl_free_verify_cert) + end + + return nil, ffi_str(errmsg[0]) +end + + +return _M diff --git a/lib/ngx/ssl/proxysslverify.md b/lib/ngx/ssl/proxysslverify.md new file mode 100644 index 000000000..ecf9bce4c --- /dev/null +++ b/lib/ngx/ssl/proxysslverify.md @@ -0,0 +1,188 @@ +Name +==== + +ngx.ssl.proxysslverify - Lua API for post-processing SSL server certificate message for NGINX upstream SSL connections. + +Table of Contents +================= + +* [Name](#name) +* [Status](#status) +* [Synopsis](#synopsis) +* [Description](#description) +* [Methods](#methods) + * [set_verify_result](#set_verify_result) + * [get_verify_result](#get_verify_result) + * [get_verify_cert](#get_verify_cert) +* [Community](#community) + * [English Mailing List](#english-mailing-list) + * [Chinese Mailing List](#chinese-mailing-list) +* [Bugs and Patches](#bugs-and-patches) +* [Author](#author) +* [Copyright and License](#copyright-and-license) +* [See Also](#see-also) + +Status +====== + +This Lua module is production ready. + +Synopsis +======== + +```nginx +# nginx.conf + +server { + listen 443 ssl; + server_name test.com; + ssl_certificate /path/to/cert.crt; + ssl_certificate_key /path/to/key.key; + + location /t { + proxy_ssl_certificate /path/to/cert.crt; + proxy_ssl_certificate_key /path/to/key.key; + proxy_pass https://upstream; + + proxy_ssl_verify_by_lua_block { + local proxy_ssl_vfy = require "ngx.ssl.proxysslverify" + + local cert, err = proxy_ssl_vfy.get_verify_cert() + + -- ocsp to verify cert + -- check crl + + proxy_ssl_vfy.set_verify_result(0) + } + } + ... + } +``` + +Description +=========== + +This Lua module provides API functions for post-processing SSL server certificate message for NGINX upstream connections. + +It must to be used in the contexts [proxy_ssl_verify_by_lua*](https://github.com/openresty/lua-nginx-module/#proxy_ssl_verify_by_lua_block). + +This directive runs user Lua code when Nginx is about to post-process the SSL server certificate message for the upstream SSL (https) connections. + +It is particularly useful to parse upstream server certificate and do some custom operations in pure lua. + +To load the `ngx.ssl.proxysslverify` module in Lua, just write + +```lua +local proxy_ssl_vfy = require "ngx.ssl.proxysslverify" +``` + +[Back to TOC](#table-of-contents) + +Methods +======= + +set_verify_result +----------------- +**syntax:** *ok, err = proxy_ssl_vfy.set_verify_result(0)* + +**context:** *proxy_ssl_verify_by_lua** + +According to openssl's doc of SSL_CTX_set_cert_verify_callback: In any case a viable verification result value must be reflected in the error member of x509_store_ctx, which can be done using X509_STORE_CTX_set_error. So after using Lua code to verify server certificate, we need to call this function to setup verify result. Please refers to openssl's `include/openssl/x509_vfy.h` to see which verify result code can be used. + +In case of errors, it returns `nil` and a string describing the error. + +This function can only be called in the context of [proxy_ssl_verify_by_lua*](https://github.com/openresty/lua-nginx-module/#proxy_ssl_verify_by_lua_block). + +[Back to TOC](#table-of-contents) + +get_verify_result +----------------- +**syntax:** *verify_result, err = proxy_ssl_vfy.get_verify_result()* + +**context:** *proxy_ssl_verify_by_lua** + +Returns the verify result code. + +In case of errors, it returns `nil` and a string describing the error. + +This function can only be called in the context of [proxy_ssl_verify_by_lua*](https://github.com/openresty/lua-nginx-module/#proxy_ssl_verify_by_lua_block). + +[Back to TOC](#table-of-contents) + +get_verify_cert +--------------- +**syntax:** *cert, err = proxy_ssl_vfy.get_verify_cert()* + +**context:** *proxy_ssl_verify_by_lua** + +Returns the server certificate Nginx received from upstream SSL connection. + +In case of errors, it returns `nil` and a string describing the error. + +This function can only be called in the context of [proxy_ssl_verify_by_lua*](https://github.com/openresty/lua-nginx-module/#proxy_ssl_verify_by_lua_block). + +[Back to TOC](#table-of-contents) + +Community +========= + +[Back to TOC](#table-of-contents) + +English Mailing List +-------------------- + +The [openresty-en](https://groups.google.com/group/openresty-en) mailing list is for English speakers. + +[Back to TOC](#table-of-contents) + +Chinese Mailing List +-------------------- + +The [openresty](https://groups.google.com/group/openresty) mailing list is for Chinese speakers. + +[Back to TOC](#table-of-contents) + +Bugs and Patches +================ + +Please report bugs or submit patches by + +1. creating a ticket on the [GitHub Issue Tracker](https://github.com/openresty/lua-resty-core/issues), +1. or posting to the [OpenResty community](#community). + +[Back to TOC](#table-of-contents) + +Author +====== + +Fuhong Ma <willmafh@hotmail.com> (willmafh) + +[Back to TOC](#table-of-contents) + +Copyright and License +===================== + +This module is licensed under the BSD license. + +Copyright (C) 2016-2017, by Yichun "agentzh" Zhang, OpenResty Inc. + +All rights reserved. + +Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: + +* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. + +* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +[Back to TOC](#table-of-contents) + +See AlsoCopyright +======== +* the ngx_lua module: https://github.com/openresty/lua-nginx-module +* the [proxy_ssl_verify_by_lua*](https://github.com/openresty/lua-nginx-module/#proxy_ssl_verify_by_lua_block) directive. +* the [lua-resty-core](https://github.com/openresty/lua-resty-core) library. +* OpenResty: https://openresty.org + +[Back to TOC](#table-of-contents) From 9cc21dabaf71c7493d0d6f56cf8a4125065a545f Mon Sep 17 00:00:00 2001 From: willmafh Date: Mon, 21 Jul 2025 22:15:01 +0800 Subject: [PATCH 3/4] tests: t/proxy-ssl-verify.t --- t/proxy-ssl-verify.t | 140 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 140 insertions(+) create mode 100644 t/proxy-ssl-verify.t diff --git a/t/proxy-ssl-verify.t b/t/proxy-ssl-verify.t new file mode 100644 index 000000000..3c49646ef --- /dev/null +++ b/t/proxy-ssl-verify.t @@ -0,0 +1,140 @@ +# vim:set ft= ts=4 sw=4 et fdm=marker: +use lib '.'; +use t::TestCore; + +#worker_connections(10140); +#workers(1); +#log_level('warn'); + +repeat_each(2); + +# All these tests need to have new openssl +my $NginxBinary = $ENV{'TEST_NGINX_BINARY'} || 'nginx'; +my $openssl_version = eval { `$NginxBinary -V 2>&1` }; + +if ($openssl_version =~ m/built with OpenSSL (0\S*|1\.0\S*|1\.1\.0\S*)/) { + plan(skip_all => "too old OpenSSL, need 1.1.1, was $1"); +} else { + plan tests => repeat_each() * (blocks() * 6 - 2) - 4; +} + +no_long_string(); +#no_diff(); + +env_to_nginx("PATH=" . $ENV{'PATH'}); +$ENV{TEST_NGINX_LUA_PACKAGE_PATH} = "$t::TestCore::lua_package_path"; +$ENV{TEST_NGINX_HTML_DIR} ||= html_dir(); + +run_tests(); + +__DATA__ + +=== TEST 1: ssl.proxysslverify.set_verify_result & ssl.proxysslverify.get_verify_result +--- http_config + lua_package_path "$TEST_NGINX_LUA_PACKAGE_PATH"; + + server { + listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + + ssl_certificate ../../cert/mtls_server.crt; + ssl_certificate_key ../../cert/mtls_server.key; + + location / { + default_type 'text/plain'; + + content_by_lua_block { + ngx.say("hello world") + } + + more_clear_headers Date; + } + } +--- config + location /t { + proxy_pass https://unix:$TEST_NGINX_HTML_DIR/nginx.sock; + proxy_ssl_verify on; + proxy_ssl_name example.com; + proxy_ssl_certificate ../../cert/mtls_client.crt; + proxy_ssl_certificate_key ../../cert/mtls_client.key; + proxy_ssl_trusted_certificate ../../cert/mtls_ca.crt; + proxy_ssl_session_reuse off; + proxy_ssl_conf_command VerifyMode Peer; + + proxy_ssl_verify_by_lua_block { + local proxy_ssl_vfy = require "ngx.ssl.proxysslverify" + + local ok, err = proxy_ssl_vfy.set_verify_result(23) + if not ok then + ngx.log(ngx.ERR, "proxy ssl verify set_verify_result failed: ", err) + ngx.exit(ngx.ERROR) + end + + local result, err = proxy_ssl_vfy.get_verify_result() + if not result then + ngx.log(ngx.ERR, "proxy ssl verify get_verify_result failed: ", err) + end + + ngx.log(ngx.INFO, "proxy ssl verify result: ", result) + } + } +--- request +GET /t +--- error_code: 502 +--- response_body_like: 502 Bad Gateway +--- error_log +proxy ssl verify result: 23 +--- no_error_log +[alert] + + + +=== TEST 2: ssl.proxysslverify.get_verify_cert +--- http_config + lua_package_path "$TEST_NGINX_LUA_PACKAGE_PATH"; + + server { + listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + + ssl_certificate ../../cert/mtls_server.crt; + ssl_certificate_key ../../cert/mtls_server.key; + + location / { + default_type 'text/plain'; + + content_by_lua_block { + ngx.say("hello world") + } + + more_clear_headers Date; + } + } +--- config + location /t { + proxy_pass https://unix:$TEST_NGINX_HTML_DIR/nginx.sock; + proxy_ssl_verify on; + proxy_ssl_name example.com; + proxy_ssl_certificate ../../cert/mtls_client.crt; + proxy_ssl_certificate_key ../../cert/mtls_client.key; + proxy_ssl_trusted_certificate ../../cert/mtls_ca.crt; + proxy_ssl_session_reuse off; + proxy_ssl_conf_command VerifyMode Peer; + + proxy_ssl_verify_by_lua_block { + local proxy_ssl_vfy = require "ngx.ssl.proxysslverify" + + local cert, err = proxy_ssl_vfy.get_verify_cert() + if not cert then + ngx.log(ngx.ERR, "proxy ssl verify get_verify_cert failed: ", err) + end + + -- more functions to take care of the returned cert + } + } +--- request +GET /t +--- error_code: 200 +--- response_body +hello world +--- no_error_log +proxy ssl verify get_verify_cert failed +[alert] From bd66fa7b3577eb7abdaa70bc1e3b4cabad10a4c9 Mon Sep 17 00:00:00 2001 From: willmafh Date: Tue, 14 Oct 2025 12:13:54 +0800 Subject: [PATCH 4/4] better prefix for proxy ssl verify ffi functions --- lib/ngx/ssl/proxysslverify.lua | 70 +++++++++++++++++----------------- 1 file changed, 35 insertions(+), 35 deletions(-) diff --git a/lib/ngx/ssl/proxysslverify.lua b/lib/ngx/ssl/proxysslverify.lua index 4ba04220d..1b06e12bc 100644 --- a/lib/ngx/ssl/proxysslverify.lua +++ b/lib/ngx/ssl/proxysslverify.lua @@ -18,59 +18,59 @@ local FFI_ERROR = base.FFI_ERROR local subsystem = ngx.config.subsystem local ngx_phase = ngx.get_phase -local ngx_lua_ffi_ssl_set_verify_result -local ngx_lua_ffi_ssl_get_verify_result -local ngx_lua_ffi_ssl_get_verify_cert -local ngx_lua_ffi_ssl_free_verify_cert +local ngx_lua_ffi_proxy_ssl_set_verify_result +local ngx_lua_ffi_proxy_ssl_get_verify_result +local ngx_lua_ffi_proxy_ssl_get_verify_cert +local ngx_lua_ffi_proxy_ssl_free_verify_cert if subsystem == 'http' then ffi.cdef[[ - int ngx_http_lua_ffi_ssl_set_verify_result(ngx_http_request_t *r, + int ngx_http_lua_ffi_proxy_ssl_set_verify_result(ngx_http_request_t *r, int verify_result, char **err); - int ngx_http_lua_ffi_ssl_get_verify_result(ngx_http_request_t *r, + int ngx_http_lua_ffi_proxy_ssl_get_verify_result(ngx_http_request_t *r, char **err); - void *ngx_http_lua_ffi_ssl_get_verify_cert(ngx_http_request_t *r, + void *ngx_http_lua_ffi_proxy_ssl_get_verify_cert(ngx_http_request_t *r, char **err); - void ngx_http_lua_ffi_ssl_free_verify_cert(void *cdata); + void ngx_http_lua_ffi_proxy_ssl_free_verify_cert(void *cdata); ]] - ngx_lua_ffi_ssl_set_verify_result = - C.ngx_http_lua_ffi_ssl_set_verify_result - ngx_lua_ffi_ssl_get_verify_result = - C.ngx_http_lua_ffi_ssl_get_verify_result - ngx_lua_ffi_ssl_get_verify_cert = - C.ngx_http_lua_ffi_ssl_get_verify_cert - ngx_lua_ffi_ssl_free_verify_cert = - C.ngx_http_lua_ffi_ssl_free_verify_cert + ngx_lua_ffi_proxy_ssl_set_verify_result = + C.ngx_http_lua_ffi_proxy_ssl_set_verify_result + ngx_lua_ffi_proxy_ssl_get_verify_result = + C.ngx_http_lua_ffi_proxy_ssl_get_verify_result + ngx_lua_ffi_proxy_ssl_get_verify_cert = + C.ngx_http_lua_ffi_proxy_ssl_get_verify_cert + ngx_lua_ffi_proxy_ssl_free_verify_cert = + C.ngx_http_lua_ffi_proxy_ssl_free_verify_cert elseif subsystem == 'stream' then ffi.cdef[[ - int ngx_stream_lua_ffi_ssl_set_verify_result(ngx_stream_lua_request_t *r, - int verify_result, char **err); + int ngx_stream_lua_ffi_proxy_ssl_set_verify_result( + ngx_stream_lua_request_t *r, int verify_result, char **err); - int ngx_stream_lua_ffi_ssl_get_verify_result(ngx_stream_lua_request_t *r, - char **err); + int ngx_stream_lua_ffi_proxy_ssl_get_verify_result( + ngx_stream_lua_request_t *r, char **err); - void *ngx_stream_lua_ffi_ssl_get_verify_cert(ngx_stream_lua_request_t *r, - char **err); + void *ngx_stream_lua_ffi_proxy_ssl_get_verify_cert( + ngx_stream_lua_request_t *r, char **err); - void ngx_stream_lua_ffi_ssl_free_verify_cert(void *cdata); + void ngx_stream_lua_ffi_proxy_ssl_free_verify_cert(void *cdata); ]] - ngx_lua_ffi_ssl_set_verify_result = - C.ngx_stream_lua_ffi_ssl_set_verify_result - ngx_lua_ffi_ssl_get_verify_result = - C.ngx_stream_lua_ffi_ssl_get_verify_result - ngx_lua_ffi_ssl_get_verify_cert = - C.ngx_stream_lua_ffi_ssl_get_verify_cert - ngx_lua_ffi_ssl_free_verify_cert = - C.ngx_stream_lua_ffi_ssl_free_verify_cert + ngx_lua_ffi_proxy_ssl_set_verify_result = + C.ngx_stream_lua_ffi_proxy_ssl_set_verify_result + ngx_lua_ffi_proxy_ssl_get_verify_result = + C.ngx_stream_lua_ffi_proxy_ssl_get_verify_result + ngx_lua_ffi_proxy_ssl_get_verify_cert = + C.ngx_stream_lua_ffi_proxy_ssl_get_verify_cert + ngx_lua_ffi_proxy_ssl_free_verify_cert = + C.ngx_stream_lua_ffi_proxy_ssl_free_verify_cert end @@ -88,7 +88,7 @@ function _M.set_verify_result(verify_result) error("API disabled in the current context") end - local rc = ngx_lua_ffi_ssl_set_verify_result(r, verify_result, errmsg) + local rc = ngx_lua_ffi_proxy_ssl_set_verify_result(r, verify_result, errmsg) if rc == FFI_OK then return true end @@ -108,7 +108,7 @@ function _M.get_verify_result() error("API disabled in the current context") end - local rc = ngx_lua_ffi_ssl_get_verify_result(r, errmsg) + local rc = ngx_lua_ffi_proxy_ssl_get_verify_result(r, errmsg) if rc == FFI_ERROR then return nil, ffi_str(errmsg[0]) end @@ -128,9 +128,9 @@ function _M.get_verify_cert() error("API disabled in the current context") end - local cert = ngx_lua_ffi_ssl_get_verify_cert(r, errmsg) + local cert = ngx_lua_ffi_proxy_ssl_get_verify_cert(r, errmsg) if cert ~= nil then - return ffi_gc(cert, ngx_lua_ffi_ssl_free_verify_cert) + return ffi_gc(cert, ngx_lua_ffi_proxy_ssl_free_verify_cert) end return nil, ffi_str(errmsg[0])