[discussion] pool ssl/tls connections

[Tieske]

to pool ssl/tls connections the key used to identify the pool (pool name) must also contain the ssl properties used to do the handhake.

This is a first attempt. Please comment.

[hamishforbes]

This makes sense to me, if you're validating TLS certs you don't want to re-use a connection that didn't validate the certs. @pintsized agree?

Will need tests though

[Tieske]

The hard part is creating the tests though. The test framework doesn't allow to test against a real proxy.

Also, what I do not like is that several methods get intertwined. We need to pass parameters for the handshake to connect as well, and then there are differences based on whether or not there is a proxy...

So I created another one, in which a single connect method (called connect_better 😄 ) does the whole dance all-in-one; connecting, optional proxy, optional handshaking. It creates a poolname based on all the relevant parameters, making keepalive safe.

That second implementation is here for now: https://github.com/Kong/kong-plugin-aws-lambda/compare/better-connect?expand=1

The tests run against a local squid proxy instance (they fail in the CI of the repo linked above, because the CI hasn't been adjusted). The test setup is here: Kong/kong-pongo@65c17c1#diff-6aa563aa270f1c6ca2c912ced56445acR1

Input very much appreciated @hamishforbes @pintsized @bungle .

[Tieske]

closing this in favour of #206