
feature: ngx_http_lua_ffi_ssl_ciphers #2424


Open: wants to merge 4 commits into base: master

Conversation

chensunny

SSL Cipher Enumeration API Enhancement for lua-nginx-module

📝 Summary

This PR enhances the SSL cipher enumeration functionality in the lua-nginx-module by improving the ngx_http_lua_ffi_ssl_ciphers() function and expanding its test coverage. The main focus is on debugging SSL cipher negotiation issues and ensuring proper cipher matching between server-supported and client-provided cipher suites.

Key Changes:

  • SSL Cipher API Improvement: Enhanced the ngx_http_lua_ffi_ssl_ciphers() function in ngx_http_lua_ssl_certby.c to provide better cipher enumeration and matching logic
  • Build Configuration Update: Modified OpenResty build configuration to use local development version of lua-nginx-module for testing
  • Test Case Expansion: Added comprehensive test cases for SSL cipher enumeration scenarios including buffer overflow handling and BoringSSL compatibility

🔗 Related Issues

Closed #1962

🧪 Testing

Main Test Cases Added/Enhanced:

TEST 15: Get supported ciphers

  • Purpose: Tests the core SSL cipher enumeration functionality
  • Configuration:
    • Server configured with 3 cipher suites: ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384
    • Client proxy configured with 2 cipher suites
  • Expected Output: JSON array ["c02f","c02b"] containing hex cipher IDs of matched ciphers
  • Validation: Verifies TLSv1.2 cipher negotiation with specific cipher details in error log

TEST 16: SSL cipher API error handling (no SSL)

  • Purpose: Tests error handling when SSL context is not available
  • Expected Behavior: Returns error code -1 with "bad request" message
  • Coverage: Validates proper error handling for non-SSL contexts

TEST 17: Buffer overflow handling

  • Purpose: Tests the API's behavior when buffer size is insufficient for all matching ciphers
  • Configuration: Limited buffer size to test overflow scenarios
  • Expected Output: Truncated cipher list ["c02f"] demonstrating proper buffer management
  • Validation: Ensures graceful handling of buffer constraints without crashes

TEST 18: BoringSSL error handling

  • Purpose: Tests compatibility layer for BoringSSL environments
  • Expected Behavior: Returns appropriate error message for unsupported BoringSSL operations
  • Coverage: Ensures clean error reporting for BoringSSL incompatibility

Testing Methodology:

  • Unit tests added/updated for SSL cipher enumeration
  • Integration tests for various SSL configurations
  • Manual testing performed with different OpenSSL versions
  • Error handling tests for edge cases
  • Buffer overflow and memory safety tests

📝 Additional Notes

Technical Implementation Details:

  • The ngx_http_lua_ffi_ssl_ciphers() function now properly handles cipher protocol ID (tp) matching between server-supported ciphers (via SSL_get1_supported_ciphers()) and client ciphers (via SSL_get_client_ciphers())
  • Enhanced buffer overflow protection ensures the function returns appropriate error codes when the provided buffer is too small
  • Added comprehensive error handling for various SSL context states and OpenSSL version compatibility

Build Configuration Changes:

  • Modified util/mirror-tarballs script to use local lua-nginx-module development version via symbolic link
  • Commented out stream proxy protocol v2 patch application for compatibility
  • Updated Makefile to enable/disable mirror-tarballs script execution as needed

📋 Checklist

  • My code follows the OpenResty contributing guidelines
  • I have performed a self-review of my code
  • I have made corresponding changes to the test documentation
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • SSL cipher enumeration functionality tested across different configurations
  • Error handling validated for various edge cases

📘 Deployment Notes

Prerequisites:

  • OpenSSL 1.0.2e or later (LibreSSL not supported for cipher operations)
  • BoringSSL environments will receive appropriate error messages for unsupported operations

Configuration Considerations:

  • Ensure SSL cipher suites are properly configured in server blocks
  • Buffer size should be adequate for expected cipher count (default recommendation: 32+ entries)
  • Consider cipher suite ordering for optimal performance

🔍 Test Results

SSL Cipher Enumeration Test Summary:

  • TEST 15: ✅ Successfully enumerates matching ciphers between server and client
  • TEST 16: ✅ Proper error handling for non-SSL contexts
  • TEST 17: ✅ Graceful buffer overflow handling with truncated results
  • TEST 18: ✅ Clean BoringSSL incompatibility error reporting

Performance Impact:

  • Cipher enumeration adds minimal overhead to SSL handshake process
  • Memory usage optimized through proper buffer management
  • No impact on non-SSL request processing

Compatibility Matrix:

| SSL Library     | Support Status    | Notes                     |
|-----------------|-------------------|---------------------------|
| OpenSSL 1.0.2e+ | ✅ Full Support   | Recommended               |
| LibreSSL        | ❌ Not Supported  | Returns appropriate error |
| BoringSSL       | ⚠️ Limited        | Error handling only       |

The implementation maintains backward compatibility while providing enhanced debugging capabilities for SSL cipher negotiation troubleshooting.
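As an added example (not code from this PR or from lua-nginx-module), here is a Lua-side wrapper that calls the new FFI function from `ssl_certificate_by_lua*` and turns the returned `uint16_t` array into the 4-digit hex IDs the tests above compare against (e.g. `c02f`, `c02b`), handling the non-SSL `-1`/"bad request" case and a possibly truncated list. The C signature, the in/out count convention and the truncation behaviour are assumptions inferred from the description above rather than read from the patch; the module name `my.ssl_ciphers` is hypothetical.

```lua
-- Added example, not code from the PR or from lua-nginx-module: a small Lua
-- wrapper around ngx_http_lua_ffi_ssl_ciphers for use in ssl_certificate_by_lua*.
--
-- ASSUMPTIONS (inferred from the PR description, not from the patch itself):
--   * C signature: int ngx_http_lua_ffi_ssl_ciphers(ngx_http_request_t *r,
--         uint16_t *ciphers, uint16_t *nciphers, char **err)
--     where *nciphers carries the buffer capacity in and the number of IDs
--     written out, the return value is 0 on success and -1 with *err set
--     ("bad request" when the connection has no SSL object), and the list is
--     cut at the buffer capacity when it does not fit.
--   * The function is exported by the running nginx binary (built with this PR).
-- Verify these against ngx_http_lua_ssl_certby.c before depending on them.

local ffi = require "ffi"
local base = require "resty.core.base"

local C = ffi.C
local ffi_new = ffi.new
local ffi_str = ffi.string
local get_request = base.get_request
local get_errmsg_ptr = base.get_errmsg_ptr

ffi.cdef[[
int ngx_http_lua_ffi_ssl_ciphers(ngx_http_request_t *r,
    uint16_t *ciphers, uint16_t *nciphers, char **err);
]]

local _M = { version = "0.0.1" }

-- Return the TLS cipher protocol IDs enabled on the server and also offered
-- by the client, as 4-digit hex strings in the order the C side returns them
-- (e.g. "c02f" for ECDHE-RSA-AES128-GCM-SHA256). The third return value is
-- true when the buffer was filled completely, i.e. the list may have been
-- truncated and the caller should retry with a larger max_ciphers.
function _M.get_matched_ciphers(max_ciphers)
    max_ciphers = max_ciphers or 32          -- the PR recommends 32+ entries

    local r = get_request()
    if not r then
        return nil, "no request found"
    end

    local buf = ffi_new("uint16_t[?]", max_ciphers)
    local n = ffi_new("uint16_t[1]", max_ciphers)  -- capacity in, count out
    local err = get_errmsg_ptr()

    local rc = C.ngx_http_lua_ffi_ssl_ciphers(r, buf, n, err)
    if rc ~= 0 then
        -- e.g. "bad request" on a plain HTTP (non-SSL) connection
        return nil, ffi_str(err[0])
    end

    local count = tonumber(n[0])
    local ids = {}
    for i = 0, count - 1 do
        ids[i + 1] = string.format("%04x", buf[i])
    end
    return ids, nil, count >= max_ciphers
end

-- Usage (constructed nginx config, shown here only for the call site):
--
--   ssl_certificate_by_lua_block {
--       local ciphers = require "my.ssl_ciphers"   -- hypothetical module name
--       local ids, err, maybe_truncated = ciphers.get_matched_ciphers(64)
--       if not ids then
--           ngx.log(ngx.ERR, "ssl cipher enumeration failed: ", err)
--           return
--       end
--       ngx.log(ngx.INFO, "matched ciphers: ", table.concat(ids, ","),
--               maybe_truncated and " (list may be truncated)" or "")
--   }

return _M
```

The hex IDs are the IANA cipher suite values (the `tls_protocol_id` the commit message refers to), so a client offering only `0xc02f` and `0xc02b` against the three-suite server from TEST 15 would log `c02f,c02b`; to map them back to names, match them against the output of `openssl ciphers -V` rather than hard-coding a table.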

bjne and others added 3 commits November 3, 2021 11:56
Add ngx_http_lua_ffi_ssl_ciphers that returns a uint16_t array of
tls_protocol_id supported (and enabled) by both server and client
3 participants