cosocket: add function tcpsock:setclientcert, reimplemented tcpsock:sslhandshake with FFI.

[dndx]

I hereby granted the copyright of the changes in this pull request
to the authors of this lua-nginx-module project.

Sister PR: openresty/lua-resty-core#278

[thibaultcha]

I am wondering if this new test suite belongs to lua-resty-core instead. After all, all FFI-based APIs are tested there, and not in lua-nginx-module.

[dndx]

Yes I thought about this initially, but seems that this clear split is not being followed by existing tests like https://github.com/openresty/lua-nginx-module/blob/master/t/154-semaphore.t.

But, I don't have strong feeling about where to keep the cases, if moving is a better in your opinion then let's move it.

[mergify]

This pull request is now in conflict :(

[shtaif]

@dndx @kikito @thibaultcha thank you for the great work! ✌️ ✌️
May I kindly ask, would this feature make it possible to dynamically determine the TLS client certificate to use when proxying requests over to an upstream (on a per-request basis)?

[thibaultcha]

I just rebased this PR (and sibling PR) on top of the latest master branch and fixed the conflicts now that OpenResty 1.17.8.1 has been released (for potential users of the patch).

[dndx]

@shtaif This PR is for cosocket connections only. For setting client certs to use in upstream connections, https://github.com/Kong/lua-kong-nginx-module#restykongtlsset_upstream_cert_and_key can do it. You just need to apply the required patches from https://github.com/Kong/kong-build-tools/blob/master/openresty-patches/patches/1.15.8.3/nginx-1.15.8_01-upstream_client_certificate_and_ssl_verify.patch.

[shtaif]

@shtaif This PR is for cosocket connections only. For setting client certs to use in upstream connections, https://github.com/Kong/lua-kong-nginx-module#restykongtlsset_upstream_cert_and_key can do it. You just need to apply the required patches from https://github.com/Kong/kong-build-tools/blob/master/openresty-patches/patches/1.15.8.3/nginx-1.15.8_01-upstream_client_certificate_and_ssl_verify.patch.

@dndx this was indeed the right way to go, thanks!

[mergify]

This pull request is now in conflict :(

[dndx]

@zhuizhuhaomeng the title has been changed. We can squash the change if you prefer.

[zhuizhuhaomeng]

You can squash the changes.

[zhuizhuhaomeng]

@dndx would you please add the script to generate the mtls certificates to t/cert.
when the certs expired, we can regenerate them.

[dndx]

@zhuizhuhaomeng The script has been added. One of the Travis run failed because of "negative credit balance" for Travis. However, considering the other build did passed, I think the new script generated certs should be good:

https://app.travis-ci.com/github/openresty/lua-nginx-module/builds/247813268

[zhuizhuhaomeng]

merged with the following patch

--- a/.travis.yml +++ b/.travis.yml @@ -88,7 +88,7 @@ install: - git clone https://github.com/openresty/rds-json-nginx-module.git ../rds-json-nginx-module - git clone https://github.com/openresty/srcache-nginx-module.git ../srcache-nginx-module - git clone https://github.com/openresty/redis2-nginx-module.git ../redis2-nginx-module - - git clone -b feat/cosocket_tlshandshake https://github.com/dndx/lua-resty-core.git ../lua-resty-core + - git clone https://github.com/dndx/lua-resty-core.git ../lua-resty-core - git clone https://github.com/openresty/lua-resty-lrucache.git ../lua-resty-lrucache - git clone https://github.com/openresty/lua-resty-mysql.git ../lua-resty-mysql - git clone https://github.com/openresty/lua-resty-string.git ../lua-resty-string 

[mergify]

This pull request is now in conflict :(

[Bec-k]

Why this wasn't merged?