openresty / lua-nginx-module

Embed the Power of Lua into NGINX HTTP servers
https://openresty.org/
11.33k stars 2.03k forks

feature: Add ngx_http_lua_ffi_parse_der_cert and ngx_http_lua_ffi_parse_der_key functions #2278

Closed devicenull closed 10 months ago

devicenull commented 10 months ago

Per some discussion on the mailing list, parsing SSL certs once and caching the result can significantly improve performance over having to parse them each time. There are existing functions to do this for PEM, but our existing systems were passing around DER files instead.

This just adds the same parsing functions for DER certs. Patch for the Lua side of this is in the works.

From our testing, caching already parsed certs let us handle 45% more SSL sessions, and decreased 99% latency by about 20%. These are best-case numbers, and are likely only representative of traffic while under attack.

I hereby grant the copyright of the changes in this pull request to the authors of this lua-nginx-module project.
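The caching pattern the PR description refers to, as an added example that is not part of this pull request or of lua-nginx-module: parse the certificate and private key once per worker and reuse the resulting cdata on every later TLS handshake for the same SNI name. Because the Lua-side wrappers for the new DER functions are described as still in the works, the block uses the documented PEM parsers from lua-resty-core's `ngx.ssl`; with the DER wrappers in place, the only change is swapping `parse_pem_cert`/`parse_pem_priv_key` for their DER equivalents. The certificate directory layout, the cache size and the one-hour TTL are assumptions, and `lua-resty-lrucache` is assumed to be installed.

```lua
-- Added example (not project code): cache parsed cert/key cdata per worker.
-- Intended for an ssl_certificate_by_lua_block in an NGINX server block.
-- Assumptions: certs live at CERT_DIR .. "<sni>.crt" / ".key" (PEM),
-- lua-resty-core (ngx.ssl) and lua-resty-lrucache are on the Lua path.
local ssl      = require "ngx.ssl"
local lrucache = require "resty.lrucache"

local CERT_DIR  = "/etc/nginx/certs/"        -- assumed layout
local CACHE_TTL = 3600                       -- re-parse hourly so rotated files are picked up

-- cdata cannot live in a shared dict, so the cache is per worker process.
local cache = assert(lrucache.new(200))      -- 200 distinct SNI names (assumed)

local function read_file(path)
    local f, err = io.open(path, "rb")
    if not f then
        return nil, err
    end
    local data = f:read("*a")
    f:close()
    return data
end

-- Returns { cert = <cdata>, key = <cdata> }; parses only on a cache miss.
local function load_cert(host)
    local entry = cache:get(host)
    if entry then
        return entry
    end

    local cert_pem, err = read_file(CERT_DIR .. host .. ".crt")
    if not cert_pem then
        return nil, "read cert: " .. err
    end
    local key_pem, err2 = read_file(CERT_DIR .. host .. ".key")
    if not key_pem then
        return nil, "read key: " .. err2
    end

    -- Expensive step: X509/EVP_PKEY decoding. Done once per TTL, not per handshake.
    local cert, perr = ssl.parse_pem_cert(cert_pem)
    if not cert then
        return nil, "parse cert: " .. perr
    end
    local key, kerr = ssl.parse_pem_priv_key(key_pem)
    if not key then
        return nil, "parse key: " .. kerr
    end

    entry = { cert = cert, key = key }
    cache:set(host, entry, CACHE_TTL)
    return entry
end

-- Handler body (ssl_certificate_by_lua_block).
local host, err = ssl.server_name()
if not host then
    ngx.log(ngx.ERR, "no SNI in ClientHello: ", err)
    return ngx.exit(ngx.ERROR)
end

-- SNI is attacker-controlled: restrict it before using it as a path component.
if not host:find("^[%w%.%-]+$") or host:find("..", 1, true) then
    ngx.log(ngx.ERR, "rejecting SNI with unsafe characters: ", host)
    return ngx.exit(ngx.ERROR)
end

local entry, lerr = load_cert(host)
if not entry then
    ngx.log(ngx.ERR, "certificate lookup failed for ", host, ": ", lerr)
    return ngx.exit(ngx.ERROR)
end

local ok, cerr = ssl.clear_certs()
if not ok then
    ngx.log(ngx.ERR, "failed to clear existing certs: ", cerr)
    return ngx.exit(ngx.ERROR)
end

ok, cerr = ssl.set_cert(entry.cert)
if not ok then
    ngx.log(ngx.ERR, "failed to set cert: ", cerr)
    return ngx.exit(ngx.ERROR)
end

ok, cerr = ssl.set_priv_key(entry.key)
if not ok then
    ngx.log(ngx.ERR, "failed to set private key: ", cerr)
    return ngx.exit(ngx.ERROR)
end
```

Two caveats a practitioner should keep in mind: the cache is per worker, so each worker parses once and the TTL bounds how long a rotated certificate on disk goes unnoticed; and the cached cdata keeps the private key resident in the worker's memory for the lifetime of the entry, which is the same exposure as nginx's own static `ssl_certificate_key` but now under Lua's control.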

devicenull commented 10 months ago

Hm, those build failures appear to be entirely unrelated to my changes

zhuizhuhaomeng commented 10 months ago
diff --git a/src/ngx_http_lua_ssl_certby.c b/src/ngx_http_lua_ssl_certby.c
index 6ed8f69d..d775f2b3 100644
--- a/src/ngx_http_lua_ssl_certby.c
+++ b/src/ngx_http_lua_ssl_certby.c
@@ -1178,13 +1178,12 @@ ngx_http_lua_ffi_parse_der_cert(const char *data, size_t len,
 {
     BIO             *bio;
     X509            *x509;
-    u_long           n;
     STACK_OF(X509)  *chain;

     if (data == NULL || len == 0) {
-        *err = "NULL data passed in";
+        *err = "invalid argument";
         ERR_clear_error();
-        return NULL
+        return NULL;
     }

     bio = BIO_new_mem_buf((char *) data, len);
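Review bot: the removed `return NULL` line has no terminating semicolon, so the function as submitted in the PR cannot compile; the `return NULL;` fix in this hunk is mandatory rather than cosmetic and explains the build failures mentioned above. Dropping the unused `u_long n` also avoids an unused-variable warning, and "invalid argument" is the more accurate message since the same branch also rejects `len == 0`, not only a NULL pointer. It would be worth confirming the PEM counterpart uses the same wording so callers can match on one string.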
@@ -1292,9 +1291,8 @@ ngx_http_lua_ffi_parse_der_priv_key(const char *data, size_t len,
     BIO               *bio = NULL;
     EVP_PKEY          *pkey = NULL;

-    if (data == NULL || len == 0)
-    {
-        *err = "NULL data passed in";
+    if (data == NULL || len == 0) {
+        *err = "invalid argument";
         ERR_clear_error();
         return NULL;
     }
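Review bot: the brace of `if (data == NULL || len == 0)` belongs on the condition line, matching the nginx style used in the `parse_der_cert` hunk above and the rest of this file; the message change to "invalid argument" keeps the two DER parsers consistent with each other. No behavioural change in this hunk.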
diff --git a/t/140-ssl-c-api.t b/t/140-ssl-c-api.t
index 19410043..6b5ff2f8 100644
--- a/t/140-ssl-c-api.t
+++ b/t/140-ssl-c-api.t
@@ -54,10 +54,10 @@ ffi.cdef[[
         size_t pem_len, char **err);

     void *ngx_http_lua_ffi_parse_der_cert(const char *data, size_t len,
-        char **err)
+        char **err);

     void *ngx_http_lua_ffi_parse_der_priv_key(const char *data, size_t len,
-        char **err)
+        char **err);

     int ngx_http_lua_ffi_set_cert(void *r,
         void *cdata, char **err);
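Review bot: the two new prototypes inside `ffi.cdef[[ ... ]]` were missing their trailing semicolons; LuaJIT's `ffi.cdef` rejects the whole declaration list on such an error, so `ngx_http_lua_ffi_set_cert` and everything after it would also have been undeclared and TEST 11 (DER cert + private key cdata) could not have run before this fix. The test would fail fast at the `cdef` call rather than at the handshake, which is worth remembering when a `--- error_log` check unexpectedly reports a Lua runtime error.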
@@ -1330,6 +1330,8 @@ SNI is test.com
 [error]
 [alert]

+
+
 === TEST 11: DER cert + private key cdata
 --- http_config
     server {
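Review bot: the two added blank lines only restore the separation between the previous block's `[alert]` line and the `=== TEST 11` header that Test::Nginx test files use between blocks; no functional change, so this is a style-only fix.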
@@ -1467,7 +1469,7 @@ received: Server: nginx
 received: Content-Type: text/plain
 received: Content-Length: 4
 received: Connection: close
-received:
+received: 
 received: foo
 close: 1 nil
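Review bot: the changed `received: ` line differs from the removed one only by a trailing space, which is the test echoing the empty line between the response headers and the body as `"received: " .. line`; the expected output must match byte for byte, and a trailing space is exactly what editor whitespace trimming silently removes, so make sure trailing-whitespace stripping is not applied to `t/*.t` (or this test will start failing again with no visible diff).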

zhuizhuhaomeng commented 10 months ago

I have merged it with the above patch.