The poolname doesn't include the client cert info for mtls authentication

[catbro666]

For https requests, if the ssl_client_cert is set, then the poolname should include a field (e.g. the digest of cert) to distinguish different clients. Otherwise, there will be a security issue where any users can reuse the connections of other authenticated users.

I'm preparing a fix for this and wondering if you mind introducing the dependency of lua-resty-openssl into this library. We can address the cdata of X509 and calculate the digest easily by usinglua-resty-openssl. Otherwise we have to call those OpenSSL APIs ourselves by using ffi.

[pintsized]

For https requests, if the ssl_client_cert is set, then the poolname should include a field (e.g. the digest of cert) to distinguish different clients. Otherwise, there will be a security issue where any users can reuse the connections of other authenticated users.

OK yep, makes sense 👍

I'm preparing a fix for this and wondering if you mind introducing the dependency of lua-resty-openssl into this library. We can address the cdata of X509 and calculate the digest easily by usinglua-resty-openssl. Otherwise we have to call those OpenSSL APIs ourselves by using ffi.

I don't have a problem with that. Perhaps it could be a "weak" dependency in some way though? Because most people won't need it, it might be nice to not make lua-resty-openssl a requirement for installation via LuaRocks, but if you use mTLS and don't have lua-resty-openssl, it will log a warning instructing the user to install the dependency?

I don't have a strong opinion on this matter.

[catbro666]

I don't have a problem with that. Perhaps it could be a "weak" dependency in some way though? Because most people won't need it, it might be nice to not make lua-resty-openssl a requirement for installation via LuaRocks, but if you use mTLS and don't have lua-resty-openssl, it will log a warning instructing the user to install the dependency?

OK, sounds good.