feature: add tcpsock:settrustedstore() for per-handshake trusted CAs#525
Merged
zhuizhuhaomeng merged 2 commits intoopenresty:masterfrom May 2, 2026
Merged
Conversation
zhuizhuhaomeng
requested changes
Apr 29, 2026
| local SOCKET_CTX_INDEX = 1 | ||
| local SOCKET_CLIENT_CERT_INDEX = 6 | ||
| local SOCKET_CLIENT_PKEY_INDEX = 7 | ||
| local SOCKET_TRUSTED_STORE_INDEX = 8 |
Contributor
There was a problem hiding this comment.
SOCKET_BIND_INDEX = 8 /* only in upstream cosocket */
So you should use 10 for SOCKET_TRUSTED_STORE_INDEX
Contributor
Author
There was a problem hiding this comment.
Thanks! I used local SOCKET_TRUSTED_STORE_INDEX = 10 for now.
findns94
force-pushed
the
feat/support-trusted-ca
branch
from
875efd1 to
b71f0c5
Compare
Adds a Lua wrapper around the new ngx_http_lua_ffi_socket_tcp_settrustedstore FFI in lua-nginx-module, exposed as tcpsock:settrustedstore(store). The store is an X509_STORE * cdata (e.g. from lua-resty-openssl) that overrides lua_ssl_trusted_certificate for the next sslhandshake() on this cosocket. The C side consumes the slot during the handshake, so the override does not leak across handshakes; passing nil clears it on both the lua and C sides so a previously-set store cannot dangle past a GC of the user's last reference. This is needed for per-request mTLS upstreams where the trusted CA set is determined dynamically (per-tenant routing, dynamic CA discovery) and cannot be expressed via the static lua_ssl_trusted_certificate directive. The FFI symbol is looked up softly so loading lua-resty-core against an older lua-nginx-module that lacks the new symbol still works; the method is simply not attached to the cosocket metatable in that case. Only the http subsystem is wired up, matching the FFI surface in ngx_http_lua_module. Stream cosockets are unchanged. Requires lua-nginx-module change "feature: support custom trusted CA store for cosocket TLS handshake". Signed-off-by: Walker Zhao <walker.zhao@konghq.com>
findns94
force-pushed
the
feat/support-trusted-ca
branch
from
b71f0c5 to
ad5ac4e
Compare
zhuizhuhaomeng
force-pushed
the
feat/support-trusted-ca
branch
from
67a6cf8 to
1a92487
Compare
zhuizhuhaomeng
approved these changes
May 2, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds a Lua wrapper around the new
ngx_http_lua_ffi_socket_tcp_settrustedstore FFI in lua-nginx-module, exposed as tcpsock:settrustedstore(store). The store is an X509_STORE * cdata (e.g. from lua-resty-openssl) that overrides lua_ssl_trusted_certificate for the next sslhandshake() on this cosocket. The C side consumes the slot during the handshake, so the override does not leak across handshakes; passing nil clears it on both the lua and C sides so a previously-set store cannot dangle past a GC of the user's last reference.
This is needed for per-request mTLS upstreams where the trusted CA set is determined dynamically (per-tenant routing, dynamic CA discovery) and cannot be expressed via the static
lua_ssl_trusted_certificate directive.
The FFI symbol is looked up softly so loading lua-resty-core against an older lua-nginx-module that lacks the new symbol still works; the method is simply not attached to the cosocket metatable in that case. Only the http subsystem is wired up, matching the FFI surface in ngx_http_lua_module. Stream cosockets are unchanged.
Requires lua-nginx-module change openresty/lua-nginx-module#2495.
I hereby granted the copyright of the changes in this pull request
to the authors of this lua-resty-core project.