summaryrefslogtreecommitdiff
path: root/meta/3rd/OpenResty/library/ngx.ssl.clienthello.lua
blob: d2e40665bca96492999949c79e855f7c420ac38b (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
---@meta
local clienthello = {}

clienthello.version = require("resty.core.base").version

---Returns the TLS SNI (Server Name Indication) name set by the client.
---
---Return `nil` when then the extension does not exist.
---
---In case of errors, it returns `nil` and a string describing the error.
---
---Note that the SNI name is gotten from the raw extensions of the client hello message associated with the current downstream SSL connection.
---
---So this function can only be called in the context of `ssl_client_hello_by_lua*`.
---@return string? host
---@return string? error
function clienthello.get_client_hello_server_name() end


--- Returns raw data of arbitrary SSL client hello extension including custom extensions.
---
--- Returns `nil` if the specified extension type does not exist.
---
--- In case of errors, it returns `nil` and a string describing the error.
---
--- Note that the ext is gotten from the raw extensions of the client hello message associated with the current downstream SSL connection.
---
--- So this function can only be called in the context of `ssl_client_hello_by_lua*`.
---
--- Example:
---
--- Gets server name from raw extension data. The `0` in `ssl_clt.get_client_hello_ext(0)` denotes `TLSEXT_TYPE_server_name`, and the `0` in `byte(ext, 3) ~= 0` denotes `TLSEXT_NAMETYPE_host_name`.
---
--- ```nginx
--- # nginx.conf
--- server {
---     listen 443 ssl;
---     server_name   test.com;
---     ssl_client_hello_by_lua_block {
---         local ssl_clt = require "ngx.ssl.clienthello"
---         local byte = string.byte
---         local ext = ssl_clt.get_client_hello_ext(0)
---         if not ext then
---             print("failed to get_client_hello_ext(0)")
---             ngx.exit(ngx.ERROR)
---         end
---         local total_len = string.len(ext)
---         if total_len <= 2 then
---             print("bad SSL Client Hello Extension")
---             ngx.exit(ngx.ERROR)
---         end
---         local len = byte(ext, 1) * 256 + byte(ext, 2)
---         if len + 2 ~= total_len then
---             print("bad SSL Client Hello Extension")
---             ngx.exit(ngx.ERROR)
---         end
---         if byte(ext, 3) ~= 0 then
---             print("bad SSL Client Hello Extension")
---             ngx.exit(ngx.ERROR)
---         end
---         if total_len <= 5 then
---             print("bad SSL Client Hello Extension")
---             ngx.exit(ngx.ERROR)
---         end
---         len = byte(ext, 4) * 256 + byte(ext, 5)
---         if len + 5 > total_len then
---             print("bad SSL Client Hello Extension")
---             ngx.exit(ngx.ERROR)
---         end
---         local name = string.sub(ext, 6, 6 + len -1)
---
---         print("read SNI name from Lua: ", name)
---     }
---     ssl_certificate test.crt;
---     ssl_certificate_key test.key;
--- }
--- ```
---
---@param ext_type number
---@return string? ext
function clienthello.get_client_hello_ext(ext_type) end


--- Sets the SSL protocols supported by the current downstream SSL connection.
---
--- Returns `true` on success, or a `nil` value and a string describing the error otherwise.
---
--- Considering it is meaningless to set ssl protocols after the protocol is determined,
--- so this function may only be called in the context of `ssl_client_hello_by_lua*`.
---
--- Example:
--- ```lua
---  ssl_clt.set_protocols({"TLSv1.1", "TLSv1.2", "TLSv1.3"})`
--- ```
---
---@param protocols string[]
---@return boolean ok
---@return string? error
function clienthello.set_protocols(protocols) end


return clienthello