bugfix: the ssl connections might be drained and reused prematurely when ssl_certificate_by_lua* or ssl_session_fetch_by_lua* were used. this might lead to segmentation faults under load. thanks guanglinlv for the report and the original patch in openresty#1162.

Author: agentzh

src/ngx_http_lua_ssl_certby.c

@@ -197,7 +197,8 @@ ngx_http_lua_ssl_cert_handler(ngx_ssl_conn_t *ssl_conn, void *data)
 
     c = ngx_ssl_get_connection(ssl_conn);
 
-    dd("c = %p", c);
+    ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                   "ssl cert: connection reusable: %ud", c->reusable);
 
     cctx = ngx_http_lua_ssl_get_ctx(c->ssl->connection);
 
@@ -220,6 +221,8 @@ ngx_http_lua_ssl_cert_handler(ngx_ssl_conn_t *ssl_conn, void *data)
 
     dd("first time");
 
+    ngx_reusable_connection(c, 0);
+
     hc = c->data;
 
     fc = ngx_http_lua_create_fake_connection(NULL);

src/ngx_http_lua_ssl_session_fetchby.c

@@ -191,7 +191,8 @@ ngx_http_lua_ssl_sess_fetch_handler(ngx_ssl_conn_t *ssl_conn, u_char *id,
 
     c = ngx_ssl_get_connection(ssl_conn);
 
-    dd("c = %p", c);
+    ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                   "ssl session fetch: connection reusable: %ud", c->reusable);
 
     cctx = ngx_http_lua_ssl_get_ctx(c->ssl->connection);
 
@@ -224,6 +225,8 @@ ngx_http_lua_ssl_sess_fetch_handler(ngx_ssl_conn_t *ssl_conn, u_char *id,
 
     dd("first time");
 
+    ngx_reusable_connection(c, 0);
+
     hc = c->data;
 
     fc = ngx_http_lua_create_fake_connection(NULL);

src/ngx_http_lua_ssl_session_storeby.c

@@ -183,7 +183,8 @@ ngx_http_lua_ssl_sess_store_handler(ngx_ssl_conn_t *ssl_conn,
 
     c = ngx_ssl_get_connection(ssl_conn);
 
-    dd("c = %p", c);
+    ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                   "ssl session store: connection reusable: %ud", c->reusable);
 
     cctx = ngx_http_lua_ssl_get_ctx(c->ssl->connection);
 

t/139-ssl-cert-by.t

@@ -113,11 +113,17 @@ close: 1 nil
 
 --- error_log
 lua ssl server name: "test.com"
-ssl_certificate_by_lua:1: ssl cert by lua is running!
 
 --- no_error_log
 [error]
 [alert]
+--- grep_error_log eval: qr/ssl_certificate_by_lua:.*?,|\bssl cert: connection reusable: \d+|\breusable connection: \d+/
+--- grep_error_log_out eval
+qr/reusable connection: 1
+ssl cert: connection reusable: 1
+reusable connection: 0
+ssl_certificate_by_lua:1: ssl cert by lua is running!,
+/
 
 
 

t/142-ssl-session-store.t

@@ -82,11 +82,16 @@ close: 1 nil
 
 --- error_log
 lua ssl server name: "test.com"
-ssl_session_store_by_lua_block:1: ssl session store by lua is running!
 
 --- no_error_log
 [error]
 [alert]
+--- grep_error_log eval: qr/ssl_session_store_by_lua_block:.*?,|\bssl session store: connection reusable: \d+|\breusable connection: \d+/
+--- grep_error_log_out eval
+qr/^reusable connection: 0
+ssl session store: connection reusable: 0
+ssl_session_store_by_lua_block:1: ssl session store by lua is running!,
+/m,
 
 
 

t/143-ssl-session-fetch.t

@@ -83,16 +83,21 @@ connected: 1
 ssl handshake: userdata
 close: 1 nil
 
---- grep_error_log eval
-qr/ssl_session_fetch_by_lua_block:1: ssl fetch sess by lua is running!/s
+--- grep_error_log eval: qr/ssl_session_fetch_by_lua_block:.*?,|\bssl session fetch: connection reusable: \d+|\breusable connection: \d+/
 
 --- grep_error_log_out eval
 [
-'',
-'ssl_session_fetch_by_lua_block:1: ssl fetch sess by lua is running!
-',
-'ssl_session_fetch_by_lua_block:1: ssl fetch sess by lua is running!
-',
+qr/\A(?:reusable connection: [01]\n)+\z/s,
+qr/^reusable connection: 1
+ssl session fetch: connection reusable: 1
+reusable connection: 0
+ssl_session_fetch_by_lua_block:1: ssl fetch sess by lua is running!,
+/m,
+qr/^reusable connection: 1
+ssl session fetch: connection reusable: 1
+reusable connection: 0
+ssl_session_fetch_by_lua_block:1: ssl fetch sess by lua is running!,
+/m,
 ]
 
 --- no_error_log