Re: [openresty-en] openresty build! how to support TLSv1.3?

Rainer Canavan

Apr 14, 2021, 10:43:11 AM
to openre...@googlegroups.com
On Wed, Apr 14, 2021 at 4:28 PM Hadi Abbasi
<hadi.abbasi...@gmail.com> wrote:
>
>
> Hello
> I'm using openresty and my new requirement is support ssl TLSv1.3!
> All I wanna know is how can I use openssl 1.1.1x for supporting TLSv1.3 site!
> I have built openssl1.1.1c & openresty master branch using these commands in ubuntu server!
>

[...]

> Error Message:
> [lua] dynamic-ssl.lua:188: failed to set DER private key: SSL_use_PrivateKey() failed, context: ssl_certificate_by_lua*, client: my-ip, server: 0.0.0.0:443
> SSL_do_handshake() failed (SSL: error:1417A179:SSL routines:tls_post_process_client_hello:cert cb error) while SSL handshaking, client: my-ip, server: 0.0.0.0:443
>
> dynamic-ssl.lua:188 --> local ok, err = ssl.set_der_priv_key(key_der)
>
> how can I fix it?

I honestly can't remember if it fixed the specific error above, but I
believe the following patch is required:

https://raw.githubusercontent.com/openresty/openresty/master/patches/openssl-1.1.1f-sess_set_get_cb_yield.patch

regards,

rainer canavan

ecc256

Apr 14, 2021, 10:45:51 AM
to openresty-en
openresty-1.19.3.1 supports TLSv1.3 out-of-the-box, no?

uli...@gmail.com

Apr 14, 2021, 11:03:48 AM
to openre...@googlegroups.com
On Wed, Apr 14 2021 at 07:28:32 AM -0700, Hadi Abbasi
<hadi.abbasi...@gmail.com> wrote:
> cd /tmp/
> git clone https://github.com/openresty/openresty.git
> cd /tmp/openresty/patches/
> wget https://raw.githubusercontent.com/openresty/openresty/master/patches/openssl-1.1.1c-sess_set_get_cb_yield.patch
> wget https://raw.githubusercontent.com/openresty/openresty/master/patches/nginx-1.17.1-ssl_cert_cb_yield.patch
> wget https://raw.githubusercontent.com/openresty/openresty/master/patches/nginx-1.17.1-ssl_sess_cb_yield.patch
> git apply openssl-1.1.1c-sess_set_get_cb_yield.patch
> git apply nginx-1.17.1-ssl_cert_cb_yield.patch
> git apply nginx-1.17.1-ssl_sess_cb_yield.patch
> cd ..
> make

Hi, you're applying patches in a slightly wrong way. The openssl-*.patch
is for the openssl tree, not openresty. You should move the wget | git
apply right after tar -zxf openssl-1.1.1c.tar.gz && cd openssl-1.1.1c
for this one patch. Compile openssl with the patch applied already.

HTH
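
Added example, not part of the thread or of OpenResty's build scripts: a dry-run check that tells you which source tree a patch belongs to before anything is modified, which is the mistake the last reply points out. It uses `patch --dry-run` (the counterpart of `git apply --check`); the function names, the temp-dir layout and the tiny stand-in patch are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example. Function names, the temp-dir layout and the stand-in patch
# are constructed for illustration; they are not OpenResty's files.

# True if patch file $2 would apply cleanly with -p1 inside tree $1.
# --dry-run changes nothing; --force suppresses interactive prompts.
patch_fits() {
    patch -d "$1" -p1 --dry-run --force --silent < "$2" >/dev/null 2>&1
}

# Print the one candidate tree the patch fits; fail if none or several do.
find_patch_target() {
    local patch_file=$1 tree match="" count=0
    shift
    for tree in "$@"; do
        if patch_fits "$tree" "$patch_file"; then
            match=$tree
            count=$((count + 1))
        fi
    done
    [ "$count" -eq 1 ] || return 1
    printf '%s\n' "$match"
}

# Apply only after the dry run passes, so a wrong tree is never half-patched.
apply_checked() {
    patch_fits "$1" "$2" || { echo "patch does not fit $1" >&2; return 1; }
    patch -d "$1" -p1 --silent < "$2"
}

# Build constructed stand-ins: an "openssl" tree, an "openresty" tree, a patch.
make_demo() {
    local d
    d=$(mktemp -d)
    mkdir -p "$d/openssl-1.1.1c/ssl" "$d/openresty/patches"
    printf '%s\n' '/* constructed stand-in file */' \
        'int get_cb(void) { return 0; }' > "$d/openssl-1.1.1c/ssl/ssl_lib.c"
    printf '%s\n' '--- a/ssl/ssl_lib.c' '+++ b/ssl/ssl_lib.c' '@@ -1,2 +1,3 @@' \
        ' /* constructed stand-in file */' ' int get_cb(void) { return 0; }' \
        '+int get_cb_yield(void) { return 1; }' > "$d/stand-in.patch"
    printf '%s\n' "$d"
}

demo=$(make_demo)
target=$(find_patch_target "$demo/stand-in.patch" \
    "$demo/openresty" "$demo/openssl-1.1.1c") && apply_checked "$target" "$demo/stand-in.patch"
echo "patched tree: ${target:-none}"
```

With the real files, the candidates would be the unpacked openssl-1.1.1c directory and the openresty checkout, and the patch file the one downloaded from the openresty patches directory.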