ci fix

src/ngx_http_lua_proxy_ssl_verifyby.c

@@ -33,13 +33,20 @@ ngx_int_t
 ngx_http_lua_proxy_ssl_verify_set_callback(ngx_conf_t *cf)
 {
 
-#ifdef LIBRESSL_VERSION_NUMBER
+#if defined(LIBRESSL_VERSION_NUMBER)
 
     ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                   "LibreSSL does not support by proxy_ssl_verify_by_lua*");
 
     return NGX_ERROR;
 
+#elif defined(OPENSSL_IS_BORINGSSL)
+
+    ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+                  "BoringSSL does not support by proxy_ssl_verify_by_lua*");
+
+    return NGX_ERROR;
+
 #else
 
     void                      *plcf;
@@ -150,6 +157,22 @@ char *
 ngx_http_lua_proxy_ssl_verify_by_lua(ngx_conf_t *cf, ngx_command_t *cmd,
     void *conf)
 {
+#if defined(LIBRESSL_VERSION_NUMBER)
+
+    ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+                  "LibreSSL does not support by proxy_ssl_verify_by_lua*");
+
+    return NGX_CONF_ERROR;
+
+#elif defined(OPENSSL_IS_BORINGSSL)
+
+    ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+                  "BoringSSL does not support by proxy_ssl_verify_by_lua*");
+
+    return NGX_CONF_ERROR;
+
+#else
+
 #if (!defined SSL_ERROR_WANT_RETRY_VERIFY                                    \
      || OPENSSL_VERSION_NUMBER < 0x30000020L)
 
@@ -231,12 +254,30 @@ ngx_http_lua_proxy_ssl_verify_by_lua(ngx_conf_t *cf, ngx_command_t *cmd,
     return NGX_CONF_OK;
 
 #endif  /* SSL_ERROR_WANT_RETRY_VERIFY */
+
+#endif
 }
 
 
 int
 ngx_http_lua_proxy_ssl_verify_handler(X509_STORE_CTX *x509_store, void *arg)
 {
+#if defined(LIBRESSL_VERSION_NUMBER)
+
+    ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0,
+        "LibreSSL does not support by proxy_ssl_verify_by_lua*");
+
+    return 1;
+
+#elif defined(OPENSSL_IS_BORINGSSL)
+
+    ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0,
+        "BoringSSL does not support by proxy_ssl_verify_by_lua*");
+
+    return 1;
+
+#else
+
     lua_State                       *L;
     ngx_int_t                        rc;
     ngx_connection_t                *c;
@@ -377,6 +418,8 @@ ngx_http_lua_proxy_ssl_verify_handler(X509_STORE_CTX *x509_store, void *arg)
     }
 
     return 0;  /* verify failure or error */
+
+#endif
 }
 
 
@@ -553,6 +596,20 @@ int
 ngx_http_lua_ffi_proxy_ssl_set_verify_result(ngx_http_request_t *r,
     int verify_result, char **err)
 {
+#if defined(LIBRESSL_VERSION_NUMBER)
+
+    *err = "LibreSSL does not support this function";
+
+    return NGX_ERROR;
+
+#elif defined(OPENSSL_IS_BORINGSSL)
+
+    *err = "BoringSSL does not support this function";
+
+    return NGX_ERROR;
+
+#else
+
 #ifdef SSL_ERROR_WANT_RETRY_VERIFY
     ngx_http_upstream_t             *u;
     ngx_ssl_conn_t                  *ssl_conn;
@@ -598,12 +655,28 @@ ngx_http_lua_ffi_proxy_ssl_set_verify_result(ngx_http_request_t *r,
 
     return NGX_ERROR;
 #endif
+
+#endif
 }
 
 
 int
 ngx_http_lua_ffi_proxy_ssl_get_verify_result(ngx_http_request_t *r, char **err)
 {
+#if defined(LIBRESSL_VERSION_NUMBER)
+
+    *err = "LibreSSL does not support this function";
+
+    return NGX_ERROR;
+
+#elif defined(OPENSSL_IS_BORINGSSL)
+
+    *err = "BoringSSL does not support this function";
+
+    return NGX_ERROR;
+
+#else
+
 #ifdef SSL_ERROR_WANT_RETRY_VERIFY
     ngx_http_upstream_t             *u;
     ngx_ssl_conn_t                  *ssl_conn;
@@ -647,6 +720,8 @@ ngx_http_lua_ffi_proxy_ssl_get_verify_result(ngx_http_request_t *r, char **err)
 
     return NGX_ERROR;
 #endif
+
+#endif
 }
 
 
@@ -662,6 +737,20 @@ ngx_http_lua_ffi_proxy_ssl_free_verify_cert(void *cdata)
 void *
 ngx_http_lua_ffi_proxy_ssl_get_verify_cert(ngx_http_request_t *r, char **err)
 {
+#if defined(LIBRESSL_VERSION_NUMBER)
+
+    *err = "LibreSSL does not support this function";
+
+    return NGX_ERROR;
+
+#elif defined(OPENSSL_IS_BORINGSSL)
+
+    *err = "BoringSSL does not support this function";
+
+    return NGX_ERROR;
+
+#else
+
 #ifdef SSL_ERROR_WANT_RETRY_VERIFY
     ngx_http_upstream_t             *u;
     ngx_ssl_conn_t                  *ssl_conn;
@@ -713,6 +802,8 @@ ngx_http_lua_ffi_proxy_ssl_get_verify_cert(ngx_http_request_t *r, char **err)
 
     return NULL;
 #endif
+
+#endif
 }
 
 

t/169-proxy-ssl-verify.t

@@ -8,14 +8,19 @@ repeat_each(3);
 my $NginxBinary = $ENV{'TEST_NGINX_BINARY'} || 'nginx';
 my $openssl_version = eval { `$NginxBinary -V 2>&1` };
 
-if ($openssl_version =~ m/built with OpenSSL (0\S*|1\.0\S*|1\.1\.0\S*)/) {
-    plan(skip_all => "too old OpenSSL, need 1.1.1, was $1");
+if ($openssl_version =~ m/built with OpenSSL (\d+)\.(\d+)\.(\d+)/) {
+    my ($major, $minor, $patch) = ($1, $2, $3);
+
+    if ($major < 3 || ($major == 3 && $minor == 0 && $patch < 2)) {
+        plan(skip_all => "too old OpenSSL, need >= 3.0.2, was " .
+            "$major.$minor.$patch");
+    } else {
+        plan tests => repeat_each() * (blocks() * 5 + 19);
+    }
 } elsif ($openssl_version =~ m/running with BoringSSL/) {
     plan(skip_all => "does not support BoringSSL");
-} elsif ($ENV{TEST_NGINX_USE_HTTP3}) {
-    plan tests => repeat_each() * (blocks() * 6 + 6);
 } else {
-    plan tests => repeat_each() * (blocks() * 5 + 10);
+    die "unknown SSL";
 }
 
 $ENV{TEST_NGINX_HTML_DIR} ||= html_dir();
@@ -1230,7 +1235,7 @@ proxy_ssl_verify_by_lua: cert verify callback aborted
 === TEST 25: cosocket
 --- http_config
     server {
-        listen *:80;
+        listen 127.0.0.1:$TEST_NGINX_RAND_PORT_1;
         server_name test.com;
 
         server_tokens off;
@@ -1279,7 +1284,7 @@ proxy_ssl_verify_by_lua: cert verify callback aborted
                 local sock = ngx.socket.tcp()
                 sock:settimeout(2000)
 
-                local ok, err = sock:connect("127.0.0.1", "80")
+                local ok, err = sock:connect("127.0.0.1", $TEST_NGINX_RAND_PORT_1)
                 if not ok then
                     ngx.log(ngx.ERR, "failed to connect: ", err)
                     return
@@ -1320,7 +1325,7 @@ simple logging return
 connected: 1
 sent http request: 56 bytes.
 received: HTTP/1.1 201 Created
-received: Server: openresty
+received: Server: nginx
 received: Content-Type: text/plain
 received: Content-Length: 4
 received: Connection: close