feature: support AWS-LC SSL Library. #2357
Conversation
devhaozi commented Sep 5, 2024 • edited
zhuizhuhaomeng commented Sep 6, 2024
@devhaozi We need to add test cases to cover this new feature.
devhaozi commented Sep 6, 2024
Add it to .travis.yml like BoringSSL?
zhuizhuhaomeng commented Sep 6, 2024
We don't need to run the tests in the t/ directory.
devhaozi commented Sep 6, 2024 • edited
@zhuizhuhaomeng tests added.
This pull request is now in conflict :(
| } | ||
| #ifdefSSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE | ||
| #if defined(SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE) || defined(OPENSSL_IS_AWSLC) |
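Review bot: the added `|| defined(OPENSSL_IS_AWSLC)` on this `#if` needs a one-line source comment saying that AWS-LC exposes SSL_get_tlsext_status_type without defining SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE; that reasoning currently lives only in this review thread, so the next reader of the guard will not know why a library macro is tested alongside a feature macro.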
AWS-LC supports SSL_get_tlsext_status_type, but does not define SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE.
| #if defined(OPENSSL_IS_BORINGSSL) | ||
| *err="BoringSSL does not support SSL_export_keying_material_early"; | ||
| returnNGX_ERROR; | ||
| #elif defined(LIBRESSL_VERSION_NUMBER) | ||
| *err="LibreSSL does not support SSL_export_keying_material"; | ||
| *err="LibreSSL does not support SSL_export_keying_material_early"; |
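Review bot: the message `*err = "BoringSSL does not support SSL_export_keying_material_early"` is also what an AWS-LC build will report, because this PR compiles AWS-LC with -DOPENSSL_IS_BORINGSSL and AWS-LC does not provide SSL_export_keying_material_early either; either add an `#elif defined(OPENSSL_IS_AWSLC)` branch with its own message placed before the BoringSSL test, or use a library-neutral wording so the error names the library actually in use.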
Fixed some string errors.
| constu_char*context, size_tctxlen, intuse_ctx, char**err) | ||
| { | ||
| #if defined(OPENSSL_IS_BORINGSSL) ||OPENSSL_VERSION_NUMBER<0x10101000L | ||
| #if defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC) |
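Review bot: the replacement condition `#if defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)` drops the `|| OPENSSL_VERSION_NUMBER < 0x10101000L` clause that the removed line carried, so OpenSSL builds older than 1.1.1 now fall through to the call instead of returning the error; if removing the minimum-version check is intended, state it in the commit message, otherwise keep the clause, e.g. `#if (defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)) || OPENSSL_VERSION_NUMBER < 0x10101000L`.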
AWS-LC supports SSL_export_keying_material but does not support SSL_export_keying_material_early due to performance reasons, see aws/aws-lc@94b2871
| #elif defined(OPENSSL_IS_AWSLC) | ||
| *err="AWS-LC does not support by ssl_client_hello_by_lua*"; | ||
| returnNGX_ERROR; |
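Review bot: the new error string `"AWS-LC does not support by ssl_client_hello_by_lua*"` has a stray "by"; suggest `*err = "AWS-LC does not support ssl_client_hello_by_lua*";`. Also, since this PR builds AWS-LC with -DOPENSSL_IS_BORINGSSL, this `#elif defined(OPENSSL_IS_AWSLC)` must come before any `defined(OPENSSL_IS_BORINGSSL)` test in the same chain, or the AWS-LC branch is unreachable.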
AWS-LC does not support SSL_client_hello_get0_ext, and therefore does not support ssl_client_hello_by_lua*.
From the test cases I think BoringSSL also does not support SSL_client_hello_get0_ext, but it is not shown here?
| #- if [ -n "$PCRE2_VER" ]; then tar zxf download-cache/pcre2-$PCRE2_VER.tar.gz; cd pcre2-$PCRE2_VER/; ./configure --prefix=$PCRE2_PREFIX --enable-jit --enable-utf > build.log 2>&1 || (cat build.log && exit 1); make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); sudo PATH=$PATH make install > build.log 2>&1 || (cat build.log && exit 1); cd ..; fi | ||
| #- if [ -n "$OPENSSL_VER" ]; then tar zxf download-cache/openssl-$OPENSSL_VER.tar.gz; cd openssl-$OPENSSL_VER/; patch -p1 < ../../openresty/patches/openssl-$OPENSSL_PATCH_VER-sess_set_get_cb_yield.patch; ./config shared enable-ssl3 enable-ssl3-method -g --prefix=$OPENSSL_PREFIX --libdir=lib -DPURIFY > build.log 2>&1 || (cat build.log && exit 1); make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); sudo make PATH=$PATH install_sw > build.log 2>&1 || (cat build.log && exit 1); cd ..; fi | ||
| - if [ -n "$BORINGSSL" ]; then sudo mkdir -p /opt/ssl && sudo tar -C /opt/ssl -xf boringssl-20230902-x64-focal.tar.gz --strip-components=1; fi | ||
| - if [ -n "$AWSLC" ]; then sudo mkdir -p /opt/ssl; sudo sh util/build-aws-lc.sh; export ENABLE_AWS_LC="-DOPENSSL_IS_BORINGSSL " fi |
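Review bot: the AWS-LC line is missing the `;` between `export ENABLE_AWS_LC="-DOPENSSL_IS_BORINGSSL "` and the closing `fi`, so the shell parses `fi` as an argument to `export` and then fails on the unterminated `if`; write `...; export ENABLE_AWS_LC="-DOPENSSL_IS_BORINGSSL"; fi` (the trailing space inside the quotes can go as well). The BoringSSL line above chains its steps with `&&` so a failed mkdir or extract aborts the step, whereas the AWS-LC line uses `;` and will still run `sh util/build-aws-lc.sh` and set the export after an earlier failure.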
AWS-LC is close to BoringSSL, so it can use -DOPENSSL_IS_BORINGSSL directly.
| #elif defined(OPENSSL_IS_AWSLC) | ||
| *err="AWSLC does not support by ssl_client_hello_by_lua*"; | ||
| returnNGX_ERROR; |
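Review bot: this error string spells the library `AWSLC` while the equivalent branch elsewhere in the patch spells it `AWS-LC`, and it repeats the stray "by"; use one spelling and `*err = "AWS-LC does not support ssl_client_hello_by_lua*";` in both places.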
Ditto.
devhaozi commented Apr 17, 2025
@zhuizhuhaomeng Ready for review, can you take a moment to look at this?
This PR enables lua-nginx-module to be compiled with AWS-LC, tested on OpenResty 1.27.1.1.

I hereby grant the copyright of the changes in this pull request to the authors of this lua-nginx-module project.