This is an automated email from the ASF dual-hosted git repository.
alinsran pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git
The following commit(s) were added to refs/heads/master by this push:
new d106de5c6 fix(ssl): ssl key rotation caused request failure (#11305)
d106de5c6 is described below
commit d106de5c6c043ace99555e99fd9fed09ccc6174e
Author: AlinsRan <[email protected]>
AuthorDate: Mon Jun 3 23:21:56 2024 +0800
fix(ssl): ssl key rotation caused request failure (#11305)
---
apisix/ssl.lua | 12 +++++++
t/admin/ssl4.t | 106 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
2 files changed, 117 insertions(+), 1 deletion(-)
diff --git a/apisix/ssl.lua b/apisix/ssl.lua
index f3c5f9b2e..81fdf1c13 100644
--- a/apisix/ssl.lua
+++ b/apisix/ssl.lua
@@ -18,7 +18,9 @@ local core = require("apisix.core")
local secret = require("apisix.secret")
local ngx_ssl = require("ngx.ssl")
local ngx_ssl_client = require("ngx.ssl.clienthello")
+local ffi = require("ffi")
+local C = ffi.C
local ngx_encode_base64 = ngx.encode_base64
local ngx_decode_base64 = ngx.decode_base64
local aes = require("resty.aes")
@@ -28,6 +30,10 @@ local assert = assert
local type = type
local ipairs = ipairs
+ffi.cdef[[
+unsigned long ERR_peek_error(void);
+void ERR_clear_error(void);
+]]
local cert_cache = core.lrucache.new {
ttl = 3600, count = 1024,
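Review bot: The `ffi.cdef` block at L31 declares two OpenSSL symbols without saying why the module needs them, so a later reader has to find the call site to learn the motivation. Add a short comment above it, e.g. `-- OpenSSL keeps a per-thread error queue; a failed AES decrypt of a key leaves entries there that later ngx.ssl calls would report. Used by aes_decrypt_pkey.` Note that `ffi.C` resolves these names lazily on first call, so if the nginx binary does not export libcrypto symbols the failure would surface at the first failed decrypt rather than at load time — presumably fine in OpenResty builds, but worth stating next to the declaration.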
@@ -155,6 +161,12 @@ local function aes_decrypt_pkey(origin, field)
if decrypted then
return decrypted
end
+
+ if C.ERR_peek_error() then
+ -- clean up the error queue of OpenSSL to prevent
+ -- normal requests from being interfered with.
+ C.ERR_clear_error()
+ end
end
return nil, "decrypt ssl key failed"
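Review bot: The guard at L42 never takes the skip path, because `ERR_peek_error` returns an integer (0 when the queue is empty) and in Lua 0 is truthy; under LuaJIT a 64-bit `unsigned long` even comes back as boxed cdata, which is truthy regardless of its value. The intent is preserved only by accident, since `ERR_clear_error` on an empty queue is harmless, but the condition misleads the next reader. Either compare explicitly, `if C.ERR_peek_error() ~= 0 then`, or drop the peek and call `C.ERR_clear_error()` unconditionally after each failed attempt. aes_decrypt_pkey starts before the hunk and the loop that contains this branch is only partly visible here.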
diff --git a/t/admin/ssl4.t b/t/admin/ssl4.t
index 4b69f8538..c9de90d9b 100644
--- a/t/admin/ssl4.t
+++ b/t/admin/ssl4.t
@@ -242,7 +242,6 @@ apisix:
- qeddd145sfvddff3
--- error_log
decrypt ssl key failed
-[alert]
@@ -404,3 +403,108 @@ location /t {
}
--- response_body
passed
+
+
+
+=== TEST 12: set ssl(sni: www.test.com), encrypt with the first keyring
+--- yaml_config
+apisix:
+ node_listen: 1984
+ data_encryption:
+ keyring:
+ - edd1c9f0985e76a1
+--- config
+location /t {
+ content_by_lua_block {
+ local core = require("apisix.core")
+ local t = require("lib.test_admin")
+
+ local ssl_cert = t.read_file("t/certs/apisix.crt")
+ local ssl_key = t.read_file("t/certs/apisix.key")
+ local data = {cert = ssl_cert, key = ssl_key, sni = "test.com"}
+
+ local code, body = t.test('/apisix/admin/ssls/1',
+ ngx.HTTP_PUT,
+ core.json.encode(data),
+ [[{
+ "value": {
+ "sni": "test.com"
+ },
+ "key": "/apisix/ssls/1"
+ }]]
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+}
+--- response_body
+passed
+
+
+
+=== TEST 13: update encrypt keyring, and set ssl(sni: test2.com)
+--- yaml_config
+apisix:
+ node_listen: 1984
+ data_encryption:
+ keyring:
+ - qeddd145sfvddff3
+ - edd1c9f0985e76a1
+--- config
+location /t {
+ content_by_lua_block {
+ local core = require("apisix.core")
+ local t = require("lib.test_admin")
+
+ local ssl_cert = t.read_file("t/certs/test2.crt")
+ local ssl_key = t.read_file("t/certs/test2.key")
+ local data = {cert = ssl_cert, key = ssl_key, sni = "test2.com"}
+
+ local code, body = t.test('/apisix/admin/ssls/2',
+ ngx.HTTP_PUT,
+ core.json.encode(data),
+ [[{
+ "value": {
+ "sni": "test2.com"
+ },
+ "key": "/apisix/ssls/2"
+ }]]
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+}
+--- response_body
+passed
+
+
+
+=== TEST 14: Successfully access test.com
+--- yaml_config
+apisix:
+ node_listen: 1984
+ data_encryption:
+ keyring:
+ - qeddd145sfvddff3
+ - edd1c9f0985e76a1
+--- exec
+curl -k -s --resolve "test2.com:1994:127.0.0.1" https://test2.com:1994/hello
2>&1 | cat
+--- response_body
+hello world
+
+
+
+=== TEST 15: Successfully access test2.com
+--- yaml_config
+apisix:
+ node_listen: 1984
+ data_encryption:
+ keyring:
+ - qeddd145sfvddff3
+ - edd1c9f0985e76a1
+--- exec
+curl -k -s --resolve "test2.com:1994:127.0.0.1" https://test2.com:1994/hello
2>&1 | cat
+--- response_body
+hello world
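Review bot: TEST 14 at L140 is titled "Successfully access test.com" but its `--- exec` line at L149 is identical to TEST 15's and resolves test2.com, so the SSL object created under the first keyring in TEST 12 (sni `test.com`, `/apisix/ssls/1`) — the one whose key must fail with the rotated first key and fall back to the second — is never handshaked against in this series. Change L149 to `curl -k -s --resolve "test.com:1994:127.0.0.1" https://test.com:1994/hello 2>&1 | cat`. Consider also adding `--- no_error_log` with `[alert]` to TEST 14 and TEST 15 so the regression the commit fixes is asserted rather than only no longer expected (the `[alert]` line was dropped from the error_log expectation at L57). The TEST 12 title at L65 says `www.test.com` while the sni it sets is `test.com`.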