bugfix: sslhandshake lost verify error when handshake completed immediately (#2506)

tzssangglass · web-flow · commit 78aff58673f2 · 2026-06-05T09:24:06.000+08:00
After ngx_ssl_handshake(c) returns NGX_OK, the handshake handler may
still record a verify error in u-&gt;error_ret via SSL_get_verify_result().
The old code only checked rc == NGX_ERROR and missed u-&gt;error_ret,
returning FFI_OK with an unread error.  Added u-&gt;error_ret != NULL check
so the Lua caller receives the SSL error instead of a misleading "closed"
on the next socket operation.
diff --git a/src/ngx_http_lua_socket_tcp.c b/src/ngx_http_lua_socket_tcp.c
@@ -2035,7 +2035,7 @@ ngx_http_lua_ffi_socket_tcp_sslhandshake(ngx_http_request_t *r,
 
     ngx_http_lua_ssl_handshake_handler(c);
 
-    if (rc == NGX_ERROR) {
+    if (rc == NGX_ERROR || u->error_ret != NULL) {
         *errmsg = u->error_ret;
         return NGX_ERROR;
     }

Original file line number	Diff line number	Diff line change
`@@ -2035,7 +2035,7 @@ ngx_http_lua_ffi_socket_tcp_sslhandshake(ngx_http_request_t *r,`
`2035`	`2035`
`2036`	`2036`	`ngx_http_lua_ssl_handshake_handler(c);`
`2037`	`2037`
`2038`		`- if (rc == NGX_ERROR) {`
	`2038`	`+ if (rc == NGX_ERROR \|\| u->error_ret != NULL) {`
`2039`	`2039`	`*errmsg = u->error_ret;`
`2040`	`2040`	`return NGX_ERROR;`
`2041`	`2041`	`}`