Closed (mpenick closed this 4 years ago)
Hi,
Thanks for the efforts, however, have you tested your changes in production? I doubt they will work, since unfortunately OpenResty's cosockets do not support TLS client certificates yet, hence the limitation in this driver. Client certificates are supported by the LuaSocket fallback implemented by this driver for the init_by_lua phase (in which OpenResty's cosockets aren't supported), but those sockets should never be used after this phase or else they will block the NGINX workers' event loop.
Support for mTLS cosockets has recently been proposed by https://github.com/openresty/lua-resty-core/pull/278 + https://github.com/openresty/lua-nginx-module/pull/1602. Given that we are currently working on OpenResty 1.15.8.4 and 1.17.8.1 releases, these PRs aren't going to land in a mainstream release until later this year.
Also, in order for me to merge this I'd ask you for tests and documentation around the new options, should we get there some day.
Best,
Thanks so much for the feedback! Yes, we had to force Lua sockets instead of ngx.socket for the reasons above. I'll re-open a PR when client certificates are better supported.
Also, pass client certificates configuration through the cluster interface to the peer options.