Skip to content

feature: clienthello.set_ciphers().#535

Open
climagabriel wants to merge 1 commit into
openresty:masterfrom
climagabriel:set-ciphers
Open

feature: clienthello.set_ciphers().#535
climagabriel wants to merge 1 commit into
openresty:masterfrom
climagabriel:set-ciphers

Conversation

@climagabriel

Copy link
Copy Markdown
Contributor

Adds clienthello.set_ciphers(ciphers, ciphersuites?) to set the connection's TLS <= 1.2 cipher list and/or TLS 1.3 ciphersuites from ssl_client_hello_by_lua*, e.g. keyed on the client hello server name. Complements clienthello.set_protocols().

On failure the connection's SSL object is left exactly as it was -- cipher list, ciphersuites, and error queue all untouched -- so the handshake proceeds with the default list inherited from the server block (ssl_ciphers/ssl_conf_command). See openresty/lua-nginx-module#2513 for why that guarantee needs pre-validation on a scratch SSL_CTX.

Requires ngx_http_lua_ffi_ssl_set_ciphers() from openresty/lua-nginx-module#2513.

Tests: valid list applied (negotiated cipher asserted), invalid TLS <= 1.2 list fails without breaking the handshake, invalid TLS 1.3 ciphersuites fail without breaking the handshake.

Sets the connection's TLS <= 1.2 cipher list and/or TLS 1.3 ciphersuites
from ssl_client_hello_by_lua*, e.g. keyed on the client hello server name.

On failure the connection's SSL object is left exactly as it was --
cipher list, ciphersuites, and error queue all untouched -- so the
handshake proceeds with the default list inherited from the server block
(ssl_ciphers/ssl_conf_command).

Requires ngx_http_lua_ffi_ssl_set_ciphers() from lua-nginx-module.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant