From e74ede1b39d91c323eba116f53d3e144b32194e6 Mon Sep 17 00:00:00 2001
From: tzssangglass
Date: Wed, 3 Jun 2026 12:04:14 +0800
Subject: [PATCH] bugfix: sslhandshake read error details on immediate FFI_ERROR

With the C side now returning FFI_ERROR instead of FFI_OK when u->error_ret is set after an immediate handshake, the early FFI_OK path is removed. Added get_sslhandshake_result() in the FFI_ERROR branch so errmsg and openssl_error_code are populated when the error comes from the first call rather than from an async resume.
---
 lib/resty/core/socket.lua | 72 ++++++++++++++++++++++++---------------
 1 file changed, 44 insertions(+), 28 deletions(-)

diff --git a/lib/resty/core/socket.lua b/lib/resty/core/socket.lua
index ea973b7ba..11a9ca006 100644
--- a/lib/resty/core/socket.lua
+++ b/lib/resty/core/socket.lua
@@ -424,52 +424,68 @@ local function sslhandshake(cosocket, reused_session, server_name, ssl_verify,
 error("no request ctx found", 2)
 end
- if rc == FFI_OK then
- if reused_session == false then
- return true
+ local res
+
+ if rc == FFI_ERROR then
+ res = C.ngx_http_lua_ffi_socket_tcp_get_sslhandshake_result(r, u,
+ session_ptr, errmsg, openssl_error_code)
+
+ assert(res == FFI_ERROR)
+
+ if openssl_error_code[0] ~= 0 then
+ return nil, openssl_error_code[0] .. ": " .. ffi_str(errmsg[0])
 end
- rc = C.ngx_http_lua_ffi_socket_tcp_get_sslhandshake_result(r, u,
- session_ptr, errmsg, openssl_error_code)
+ return nil, ffi_str(errmsg[0])
 end
- while true do
- if rc == FFI_ERROR then
- if openssl_error_code[0] ~= 0 then
- return nil, openssl_error_code[0] .. ": " .. ffi_str(errmsg[0])
- end
+ if rc == FFI_DONE then
+ return reused_session
+ end
- return nil, ffi_str(errmsg[0])
+ if rc == FFI_OK then
+ if reused_session == false then
+ return true
 end
- if rc == FFI_DONE then
- return reused_session
+ res = C.ngx_http_lua_ffi_socket_tcp_get_sslhandshake_result(r, u,
+ session_ptr, errmsg, openssl_error_code)
+
+ assert(res == FFI_OK)
+
+ if session_ptr[0] == nil then
+ return session_ptr[0]
 end
- if rc == FFI_OK then
- if reused_session == false then
- return true
- end
+ return ffi_gc(session_ptr[0], C.ngx_http_lua_ffi_ssl_free_session)
+ end
- rc = C.ngx_http_lua_ffi_socket_tcp_get_sslhandshake_result(r, u,
- session_ptr, errmsg, openssl_error_code)
+ assert(rc == FFI_AGAIN)
- assert(rc == FFI_OK)
+ co_yield()
- if session_ptr[0] == nil then
- return session_ptr[0]
- end
+ res = C.ngx_http_lua_ffi_socket_tcp_get_sslhandshake_result(r, u,
+ session_ptr, errmsg, openssl_error_code)
- return ffi_gc(session_ptr[0], C.ngx_http_lua_ffi_ssl_free_session)
+ if res == FFI_ERROR then
+ if openssl_error_code[0] ~= 0 then
+ return nil, openssl_error_code[0] .. ": " .. ffi_str(errmsg[0])
 end
- assert(rc == FFI_AGAIN)
+ return nil, ffi_str(errmsg[0])
+ end
- co_yield()
+ assert(res == FFI_OK)
- rc = C.ngx_http_lua_ffi_socket_tcp_get_sslhandshake_result(r, u,
- session_ptr, errmsg, openssl_error_code)
+ if reused_session == false then
+ return true
+ end
+
+ if session_ptr[0] == nil then
+ return session_ptr[0]
 end
+
+ return ffi_gc(session_ptr[0], C.ngx_http_lua_ffi_ssl_free_session)
 end
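Review bot: The new `assert(res == FFI_ERROR)` in the immediate-error branch turns any other return from `ngx_http_lua_ffi_socket_tcp_get_sslhandshake_result` into a raised Lua error instead of the `nil, err` pair that callers of a TLS handshake check for. The first C call is not visible in this hunk, but if it can return FFI_ERROR with `errmsg` already filled in and without `u->error_ret` set, the second call may return FFI_OK or leave `errmsg[0]` unset, and `ffi_str(errmsg[0])` on a null pointer raises as well. I would drop the assert there and guard the string, e.g. `local msg = errmsg[0] ~= nil and ffi_str(errmsg[0]) or "unknown error"`, so a failed handshake always reports through the return values. The post-yield path has a similar gap: the old loop still handled FFI_DONE after the resume, while the new `assert(res == FFI_OK)` does not. `sslhandshake` begins above this hunk, so the first call and its error contract need checking there.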