feature: implement serversslhandshake method on downstream sockets #392

`tcpsock:sslhandshake` does a client side ssl handshake for upstream sockets. normally you just specify `ssl` on the listen directive for downstream sockets. however there are certain cases where you want to be able to take a plaintext downstream connection and upgrade it to an ssl encrypted one, such as legacy SMTP STARTTLS.

this implements a new `sock:serversslhandshake` method. it uses ssl certificate setup via the existing `ssl_certificate` and `ssl_certificate_key` configuration options. it only adds this method to downstream socket connections.

most of this work was based on the code in `ngx_stream_lua_socket_tcp_sslhandshake` and associated functions, with some changes to get it working with downstream sockets. i'm definitely not an nginx expert, so I'm not sure if I've messed up something subtle but important here, but I got enough tests written and working that it seemed reasonably solid.

i'd appreciate any review and feedback and would like to get this to a state where it could be merged upstream.