Skip to content

feat: add api to get hostname of ssl session #107

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 13 commits into from
Jun 23, 2025
Merged

feat: add api to get hostname of ssl session #107

Show file tree
Hide file tree
Changes from 10 commits
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
0129f67
SNI: added restriction for TLSv1.3 cross-SNI session resumption
nic-6443 Jun 10, 2025
af6b6fb
f
nic-6443 Jun 10, 2025
69a5ca0
f
nic-6443 Jun 12, 2025
7e50d8d
f
nic-6443 Jun 12, 2025
9f39eac
f
nic-6443 Jun 12, 2025
33a2fa7
feat: add api to get hostname of ssl session
nic-6443 Jun 16, 2025
5ee7635
f
nic-6443 Jun 16, 2025
9c48a08
f
nic-6443 Jun 16, 2025
9028f9a
f
nic-6443 Jun 18, 2025
338192b
f
nic-6443 Jun 19, 2025
97d7823
f
nic-6443 Jun 20, 2025
a45254c
add patch for 1.27
nic-6443 Jun 23, 2025
c32d394
add patch for 1.27
nic-6443 Jun 23, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
76 changes: 76 additions & 0 deletions patch/1.21.4/lua-resty-core-ssl_session_hostname.patch
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,76 @@
diff --git lib/ngx/ssl.lua lib/ngx/ssl.lua
index 8792be0..16b9c13 100644
--- lib/ngx/ssl.lua
+++ lib/ngx/ssl.lua
@@ -26,6 +26,7 @@ local ngx_lua_ffi_ssl_set_der_private_key
local ngx_lua_ffi_ssl_raw_server_addr
local ngx_lua_ffi_ssl_server_port
local ngx_lua_ffi_ssl_server_name
+local ngx_lua_ffi_ssl_session_hostname
local ngx_lua_ffi_ssl_raw_client_addr
local ngx_lua_ffi_cert_pem_to_der
local ngx_lua_ffi_priv_key_pem_to_der
@@ -58,6 +59,9 @@ if subsystem == 'http' then
int ngx_http_lua_ffi_ssl_server_name(ngx_http_request_t *r, char **name,
size_t *namelen, char **err);

+ int ngx_http_lua_ffi_ssl_session_hostname(ngx_http_request_t *r, char **name,
+ size_t *namelen, char **err);
+
int ngx_http_lua_ffi_ssl_raw_client_addr(ngx_http_request_t *r, char **addr,
size_t *addrlen, int *addrtype, char **err);

@@ -97,6 +101,7 @@ if subsystem == 'http' then
ngx_lua_ffi_ssl_raw_server_addr = C.ngx_http_lua_ffi_ssl_raw_server_addr
ngx_lua_ffi_ssl_server_port = C.ngx_http_lua_ffi_ssl_server_port
ngx_lua_ffi_ssl_server_name = C.ngx_http_lua_ffi_ssl_server_name
+ ngx_lua_ffi_ssl_session_hostname = C.ngx_http_lua_ffi_ssl_session_hostname
ngx_lua_ffi_ssl_raw_client_addr = C.ngx_http_lua_ffi_ssl_raw_client_addr
ngx_lua_ffi_cert_pem_to_der = C.ngx_http_lua_ffi_cert_pem_to_der
ngx_lua_ffi_priv_key_pem_to_der = C.ngx_http_lua_ffi_priv_key_pem_to_der
@@ -129,6 +134,9 @@ elseif subsystem == 'stream' then
int ngx_stream_lua_ffi_ssl_server_name(ngx_stream_lua_request_t *r,
char **name, size_t *namelen, char **err);

+ int ngx_stream_lua_ffi_ssl_session_hostname(ngx_stream_lua_request_t *r,
+ char **name, size_t *namelen, char **err);
+
int ngx_stream_lua_ffi_ssl_raw_client_addr(ngx_stream_lua_request_t *r,
char **addr, size_t *addrlen, int *addrtype, char **err);

@@ -168,6 +176,7 @@ elseif subsystem == 'stream' then
ngx_lua_ffi_ssl_raw_server_addr = C.ngx_stream_lua_ffi_ssl_raw_server_addr
ngx_lua_ffi_ssl_server_port = C.ngx_stream_lua_ffi_ssl_server_port
ngx_lua_ffi_ssl_server_name = C.ngx_stream_lua_ffi_ssl_server_name
+ ngx_lua_ffi_ssl_session_hostname = C.ngx_stream_lua_ffi_ssl_session_hostname
ngx_lua_ffi_ssl_raw_client_addr = C.ngx_stream_lua_ffi_ssl_raw_client_addr
ngx_lua_ffi_cert_pem_to_der = C.ngx_stream_lua_ffi_cert_pem_to_der
ngx_lua_ffi_priv_key_pem_to_der = C.ngx_stream_lua_ffi_priv_key_pem_to_der
@@ -299,6 +308,27 @@ function _M.server_name()
end


+function _M.session_hostname()
+ local r = get_request()
+ if not r then
+ error("no request found")
+ end
+
+ local sizep = get_size_ptr()
+
+ local rc = ngx_lua_ffi_ssl_session_hostname(r, charpp, sizep, errmsg)
+ if rc ~= FFI_OK then
+ return nil, ffi_str(errmsg[0])
+ end
+
+ if sizep[0] == 0 then
+ return nil
+ end
+
+ return ffi_str(charpp[0], sizep[0])
+end
+
+
function _M.raw_client_addr()
local r = get_request()
if not r then
51 changes: 51 additions & 0 deletions patch/1.21.4/ngx_lua-ssl_session_hostname.patch
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,51 @@
diff --git src/ngx_http_lua_ssl_certby.c src/ngx_http_lua_ssl_certby.c
index b8e70dde..c3bfc790 100644
--- src/ngx_http_lua_ssl_certby.c
+++ src/ngx_http_lua_ssl_certby.c
@@ -870,6 +870,46 @@ ngx_http_lua_ffi_ssl_server_name(ngx_http_request_t *r, char **name,
}


+int
+ngx_http_lua_ffi_ssl_session_hostname(ngx_http_request_t *r, char **name,
+ size_t *namelen, char **err)
+{
+ ngx_ssl_conn_t *ssl_conn;
+
+ if (r->connection == NULL || r->connection->ssl == NULL) {
+ *err = "bad request";
+ return NGX_ERROR;
+ }
+
+ ssl_conn = r->connection->ssl->connection;
+ if (ssl_conn == NULL) {
+ *err = "bad ssl conn";
+ return NGX_ERROR;
+ }
+
+#if (defined(TLS1_3_VERSION) \
+ && !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL))
+
+ /*
+ * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+,
+ * but servername being negotiated in every TLSv1.3 handshake
+ * is only returned in OpenSSL 1.1.1+ as well
+ */
+
+ *name = (char *) SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn));
+
+ if (*name) {
+ *namelen = ngx_strlen(*name);
+ return NGX_OK;
+ }
+#endif
+
+ *name = "";
+ *namelen = 0;
+ return NGX_OK;
+}
+
+
int
ngx_http_lua_ffi_ssl_server_port(ngx_http_request_t *r,
unsigned short *server_port, char **err)
54 changes: 54 additions & 0 deletions patch/1.21.4/ngx_stream_lua-ssl_session_hostname.patch
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
diff --git src/ngx_stream_lua_ssl_certby.c src/ngx_stream_lua_ssl_certby.c
index 7b4cc5b..054a45e 100644
--- src/ngx_stream_lua_ssl_certby.c
+++ src/ngx_stream_lua_ssl_certby.c
@@ -882,6 +882,49 @@ ngx_stream_lua_ffi_ssl_server_name(ngx_stream_lua_request_t *r, char **name,
}


+int
+ngx_stream_lua_ffi_ssl_session_hostname(ngx_stream_lua_request_t *r, char **name,
+ size_t *namelen, char **err)
+{
+ ngx_ssl_conn_t *ssl_conn;
+
+ if (r->connection == NULL || r->connection->ssl == NULL) {
+ *err = "bad request";
+ return NGX_ERROR;
+ }
+
+ ssl_conn = r->connection->ssl->connection;
+ if (ssl_conn == NULL) {
+ *err = "bad ssl conn";
+ return NGX_ERROR;
+ }
+
+#if (defined(TLS1_3_VERSION) \
+ && !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL))
+
+ /*
+ * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+,
+ * but servername being negotiated in every TLSv1.3 handshake
+ * is only returned in OpenSSL 1.1.1+ as well
+ */
+
+ SSL_SESSION *sess = SSL_get0_session(ssl_conn);
+ if (sess != NULL) {
+ *name = (char *) SSL_SESSION_get0_hostname(sess);
+ if (*name) {
+ *namelen = ngx_strlen(*name);
+ return NGX_OK;
+ }
+ }
+
+#endif
+
+ *name = "";
+ *namelen = 0;
+ return NGX_OK;
+}
+
+
int
ngx_stream_lua_ffi_ssl_server_port(ngx_stream_lua_request_t *r,
unsigned short *server_port, char **err)