When TLSv1.3 is used, the server may send a NewSessionTicket message after the handshake. While this message is ssl-layer data, tcpsock:sslhandshake does not consume it.
In the implementation of setkeepalive, recv is used to confirm the connection is still open and there is no unread data in the buffer. But it treats the NewSessionTicket message as application layer data and then setkeepalive fails with this error connection in dubious state.
In fact we don't need to peek here, because if the application data is read successfully then the connection is going to be closed anyway. Therefore, c->recv can be used instead which will consume the ssl-layer data implicitly.
porting https://github.com/openresty/lua-nginx-module/pull/2356
When TLSv1.3 is used, the server may send a NewSessionTicket message after the handshake. While this message is ssl-layer data,
tcpsock:sslhandshakedoes not consume it.In the implementation of
setkeepalive,recvis used to confirm the connection is still open and there is no unread data in the buffer. But it treats the NewSessionTicket message as application layer data and thensetkeepalivefails with this errorconnection in dubious state.In fact we don't need to peek here, because if the application data is read successfully then the connection is going to be closed anyway. Therefore,
c->recvcan be used instead which will consume the ssl-layer data implicitly.