LuaSec depends on OpenSSL, and integrates with LuaSocket to make it easy to add secure connections to any Lua applications or scripts.
Documentation: https://github.com/brunoos/luasec/wiki
LuaSec
License: Other
This allows a server to present the correct certificate depending on what hostname the client is connecting to, without requiring separate IPs or ports.
See these lines; https://github.com/brunoos/luasec/blob/1ab6fac9197b194ea94166dff7ad81579f6113ed/src/https.lua#L122-L123
LuaSocket http module blocks redirects only if url.redirect is explicitly set to false. Hence the test here allows nil to pass and makes LuaSocket execute the redirect.
Lua 5.2 and 5.3 compatibility
LuaJIT is compatible with Lua 5.1, so does LuaSec work on LuaJIT?
I'm trying to use this with luarocks and I'm getting this error.
luarocks install luasec OPENSSL_DIR=C:\Build-OpenSSL-VC-32
Installing http://luarocks.org/repositories/rocks/luasec-0.6-1.rockspec...
Cloning into 'luasec'...
remote: Counting objects: 872, done.
remote: Total 872 (delta 0), reused 0 (delta 0), pack-reused 872
Receiving objects: 100% (872/872), 689.99 KiB | 0 bytes/s, done.
Resolving deltas: 100% (523/523), done.
Checking connectivity... done.
Applying patch luarocks_vs_compiler.patch...
source/target file does not exist
--- src/ssl.c.orig
+++ C:\Users\Username\AppData\Local\Temp\luarocks_luasec-0.6-1-6833\luasec/src/ssl.c
Error: Failed applying patch luarocks_vs_compiler.patch
I see that the .rockspec file has this in it but I'm not sure what the issue is, exactly.
patches = {
["luarocks_vs_compiler.patch"] = [[
--- a/src/ssl.c.orig
+++ b/src/ssl.c
@@ -844,3 +844,8 @@ LSEC_API int luaopen_ssl_core(lua_State *L)
return 1;
}
+
+#if defined(_MSC_VER)
+/* Empty implementation to allow building with LuaRocks and MS compilers */
+LSEC_API int luaopen_ssl(lua_State *L) { return 0; }
+#endif
]]
}
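Review bot: The old-file header "--- a/src/ssl.c.orig" names a backup file rather than the file the hunk changes, and the install log above stops with "source/target file does not exist" right after printing "--- src/ssl.c.orig". Writing the header as "--- a/src/ssl.c" to match "+++ b/src/ssl.c" would make both lines point at the file being modified. Separately, the comment on the _MSC_VER stub says only that the empty luaopen_ssl lets the build succeed; one sentence on why an MS-compiler build needs that symbol would help whoever maintains the patch.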
Any ideas?
Hello,
I have strange problem using luasec for site https://www.sk-nic.sk
Site returns code:
"tlsv1 alert protocol version"
For other protocols returns:
"invalid protocol"
Correct reply code should be 301 (there is a redirect)
Lua code is here:
https://gist.github.com/is73/d50fa12718812e0f0c76c991030b8583
Using by ex. Go, Tcl, PHP (even with simple file_get_contents() request) everything works fine.
client:dohandshake() works very well for https://call
but when I use http:// for my test.. my server is crashing with segfault on dohandshake() function.
Return message I get is false, wrong version number from this function.
How do I avoid this segfault for http:// request?
Thanks in advance.
Hi,
I am having trouble with the following piece of code:
local https = require("ssl.https")
https.request("https://de.wiktionary.org/wiki/%26")
luajit test.lua
PANIC: unprotected error in call to Lua API (?)
Some info:
luasec
0.5-2 (installed) - /usr/local/lib/luarocks/rocks-5.1
luajit -v
LuaJIT 2.0.4 -- Copyright (C) 2005-2015 Mike Pall. http://luajit.org/
openssl version
OpenSSL 1.0.1l-freebsd 15 Jan 2015
uname -a
FreeBSD x230 10.1-RELEASE-p6 FreeBSD 10.1-RELEASE-p6 #0: Tue Feb 24 19:00:21 UTC 2015 [email protected]:/usr/obj/usr/src/sys/GENERIC amd64
Hi, this compile error happens when compiling against libressl:
ssl.c: In function 'meth_compression':
ssl.c:404:3: error: unknown type name 'COMP_METHOD'
const COMP_METHOD *comp;
^
<builtin>: recipe for target 'ssl.o' failed
I compiled luasec 0.6alpha-2 with openssl 1.0.2f using luarocks and compilation was successful.
I tried also 1.0.1r and 1.0.1e with no luck.
After requiring it using
local https = require('ssl.https')
I'm getting error
lua: error loading module 'ssl.core' from file 'c:\work\apps\lua\bin\..\lib\lua\5.3\ssl.dll':
The specified module could not be found.
stack traceback:
[C]: in ?
[C]: in function 'require'
c:\work\apps\lua\bin\..\share\lua\5.3\ssl.lua:7: in main chunk
[C]: in function 'require'
c:\work\apps\lua\bin\..\share\lua\5.3\ssl\https.lua:10: in main chunk
[C]: in function 'require'
C:\work\lua\test.lua:4: in main chunk
[C]: in ?
[Finished in 0.1s]
OS win10
mingw32
cmake 3.4.3
lua 5.3.2
luarocks 2.3.0
ssl.dll looks pretty small ... 107kb
Please could you help me?
Hi,
I am trying to build Luasec using Lua 5.2 files and I get errors regarding the ssl_st struct. I copied the latest openssl include folder in the Luasec source folder. I am using Visual Studio Express 2013. My output log is:
1>------ Rebuild All started: Project: luasec, Configuration: Release Win32 ------
1> context.c
1>src\context.c(118): warning C4996: 'strncpy': This function or variable may be unsafe. Consider using strncpy_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS. See online help for details.
1> C:\Program Files (x86)\Microsoft Visual Studio 12.0\VC\include\string.h(195) : see declaration of 'strncpy'
1>src\context.c(197): warning C4013: 'DH_free' undefined; assuming extern returning int
1> buffer.c
1> io.c
1> timeout.c
1> wsocket.c
1>src\luasocket\wsocket.c(311): warning C4996: 'gethostbyaddr': Use getnameinfo() or GetNameInfoW() instead or define _WINSOCK_DEPRECATED_NO_WARNINGS to disable deprecated API warnings
1> C:\Program Files (x86)\Windows Kits\8.1\Include\um\winsock2.h(2216) : see declaration of 'gethostbyaddr'
1>src\luasocket\wsocket.c(317): warning C4996: 'gethostbyname': Use getaddrinfo() or GetAddrInfoW() instead or define _WINSOCK_DEPRECATED_NO_WARNINGS to disable deprecated API warnings
1> C:\Program Files (x86)\Windows Kits\8.1\Include\um\winsock2.h(2238) : see declaration of 'gethostbyname'
1> ssl.c
1>src\ssl.c(453): error C2037: left of 'server' specifies undefined struct/union 'ssl_st'
1>src\ssl.c(485): error C2037: left of 'server' specifies undefined struct/union 'ssl_st'
1> x509.c
1>src\x509.c(215): error C2037: left of 'object' specifies undefined struct/union 'X509_extension_st'
1>src\x509.c(215): warning C4047: 'function' : 'ASN1_OBJECT *' differs in levels of indirection from 'int'
1>src\x509.c(215): warning C4024: 'push_asn1_objname' : different types for formal and actual parameter 2
1>src\x509.c(215): error C2198: 'push_asn1_objname' : too few arguments for call
1>src\x509.c(219): error C2037: left of 'object' specifies undefined struct/union 'X509_extension_st'
1>src\x509.c(219): error C2198: 'push_asn1_objname' : too few arguments for call
1> Generating Code...
========== Rebuild All: 0 succeeded, 1 failed, 0 skipped ==========
# openssl version
OpenSSL 1.0.1c 10 May 2012
# lua51
Lua 5.1.5 Copyright (C) 1994-2012 Lua.org, PUC-Rio
> require('ssl')
lua51:/usr/local/lib/lua/5.1/ssl.so: undefined symbol '__guard_local'
lua51:/usr/local/lib/lua/5.1/ssl.so: undefined symbol '__guard_local'
<snipped 30 repetitions of the previous line>
error loading module 'ssl.core' from file '/usr/local/lib/lua/5.1/ssl.so':
Cannot load specified object
stack traceback:
[C]: ?
[C]: in function 'require'
/usr/local/share/lua/5.1/ssl.lua:7: in main chunk
[C]: in function 'require'
stdin:1: in main chunk
[C]: ?
>
I've been getting this error since updating openssl (after the heartbleed issue). The OpenSSL version is the same (AFAIK), but with that issue fixed.
OS is OpenBSD 5.5-current. I've no idea what other information might be useful, but I can provide whatever is necessary.
The changes to t_context will break other projects that try and interoperate with luasec.
E.g. https://github.com/chatid/fend/blob/master/ssl.lua#L10
If the ABI must change, ensure there is some (dlsym-able) way to check which version you're interoperating with.
I've installed Lua 5.3 and Luarocks from source, and luasocket worked nicely. However, trying to install luasec doesn't work
Warning: falling back to curl - install luasec to get native HTTPS support
Installing https://luarocks.org/luasec-0.6-1.rockspec
Cloning into 'luasec'...
remote: Counting objects: 116, done.
remote: Compressing objects: 100% (93/93), done.
remote: Total 116 (delta 33), reused 76 (delta 22), pack-reused 0
Receiving objects: 100% (116/116), 68.52 KiB | 0 bytes/s, done.
Resolving deltas: 100% (33/33), done.
Checking connectivity... done.
Note: checking out '20443861ebc3f6498ee7d9c70fbdaa059bec15e1'.
You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by performing another checkout.
If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -b with the checkout command again. Example:
git checkout -b new_branch_name
gcc -O2 -fPIC -I/usr/local/include -c src/x509.c -o src/x509.o -I/usr/include -Isrc/ -Isrc/luasocket
gcc -O2 -fPIC -I/usr/local/include -c src/context.c -o src/context.o -I/usr/include -Isrc/ -Isrc/luasocket
gcc -O2 -fPIC -I/usr/local/include -c src/ssl.c -o src/ssl.o -I/usr/include -Isrc/ -Isrc/luasocket
gcc -O2 -fPIC -I/usr/local/include -c src/luasocket/buffer.c -o src/luasocket/buffer.o -I/usr/include -Isrc/ -Isrc/luasocket
gcc -O2 -fPIC -I/usr/local/include -c src/luasocket/io.c -o src/luasocket/io.o -I/usr/include -Isrc/ -Isrc/luasocket
gcc -O2 -fPIC -I/usr/local/include -c src/luasocket/timeout.c -o src/luasocket/timeout.o -I/usr/include -Isrc/ -Isrc/luasocket
gcc -O2 -fPIC -I/usr/local/include -c src/luasocket/usocket.c -o src/luasocket/usocket.o -I/usr/include -Isrc/ -Isrc/luasocket
gcc -shared -o ssl.so -L/usr/local/lib src/x509.o src/context.o src/ssl.o src/luasocket/buffer.o src/luasocket/io.o src/luasocket/timeout.o src/luasocket/usocket.o -L/usr/lib -Wl,-rpath,/usr/lib: -lssl -lcrypto
/usr/bin/ld: /usr/lib/libssl.a(s23_meth.o): relocation R_X86_64_32 against `.rodata' can not be used when making a shared object; recompile with -fPIC
/usr/lib/libssl.a: error adding symbols: Bad value
collect2: error: ld returned 1 exit status
Error: Build error: Failed compiling module ssl.so
Installing from the github repository does not work either:
---------------------
** Build for Linux **
---------------------
make[1]: Entering directory '/home/candunc/luasec/src'
make[2]: Entering directory '/home/candunc/luasec/src'
make[3]: Entering directory '/home/candunc/luasec/src/luasocket'
cc -O2 -fPIC -Wall -pedantic -I. -I/usr/include -DWITH_LUASOCKET -DLUASOCKET_DEBUG -c -o io.o io.c
cc -O2 -fPIC -Wall -pedantic -I. -I/usr/include -DWITH_LUASOCKET -DLUASOCKET_DEBUG -c -o buffer.o buffer.c
cc -O2 -fPIC -Wall -pedantic -I. -I/usr/include -DWITH_LUASOCKET -DLUASOCKET_DEBUG -c -o timeout.o timeout.c
cc -O2 -fPIC -Wall -pedantic -I. -I/usr/include -DWITH_LUASOCKET -DLUASOCKET_DEBUG -c -o usocket.o usocket.c
ar rcu libluasocket.a io.o buffer.o timeout.o usocket.o
ranlib libluasocket.a
make[3]: Leaving directory '/home/candunc/luasec/src/luasocket'
cc -O2 -fPIC -Wall -pedantic -I. -I/usr/include -DWITH_LUASOCKET -c -o x509.o x509.c
cc -O2 -fPIC -Wall -pedantic -I. -I/usr/include -DWITH_LUASOCKET -c -o context.o context.c
context.c: In function 'str2method':
context.c:96:60: warning: C++ style comments are not allowed in ISO C90
if (!strcmp(method, "sslv23")) return SSLv23_method(); // deprecated
^
context.c:96:60: warning: (this will be reported only once per input file)
cc -O2 -fPIC -Wall -pedantic -I. -I/usr/include -DWITH_LUASOCKET -c -o ssl.o ssl.c
cc -O -fPIC -shared -L./luasocket -L/usr/lib -o ssl.so x509.o context.o ssl.o -lssl -lcrypto -lluasocket
/usr/bin/ld: /usr/lib/libssl.a(s23_meth.o): relocation R_X86_64_32 against `.rodata' can not be used when making a shared object; recompile with -fPIC
/usr/lib/libssl.a: error adding symbols: Bad value
collect2: error: ld returned 1 exit status
Makefile:52: recipe for target 'ssl.so' failed
make[2]: *** [ssl.so] Error 1
make[2]: Leaving directory '/home/candunc/luasec/src'
Makefile:40: recipe for target 'linux' failed
make[1]: *** [linux] Error 2
make[1]: Leaving directory '/home/candunc/luasec/src'
Makefile:38: recipe for target 'linux' failed
make: *** [linux] Error 2
Is there something I've configured wrong on my end, or is this a bug?
core.invalidfd is implemented as lua number
It works in linux32/64 where SOCKET_INVALID (-1)
but in windows SOCKET_INVALID = (SOCKET)(~0)
win32 it is 0xFFFFFFFF
but in win64 is not possible to set 0xFFFFFFFFFFFFFFFF into lua number
I temporarily disable line sock:setfd(core.invalidfd) in ssl.lua and https in win64 works for me.
Please make a new official luasec release in order to push it to distributions.
Thanks.
the documentation states that dohandshake() can return nil followed by "wantread" or "wantwrite" to indicate that the handshake was not finished yet.
The source code reveals that it will return false in these cases. It will never return nil.
It seems like the client is not supporting SNI during the handshake when making a request to an https endpoint. I am using the following code:
local https = require "ssl.https"
https.request{
  url = "https://server:443/",
  mode = "client",
  protocol = "tlsv1",
  options = "all"
}
Is SNI supported?
Currently LuaSec only allows you to select a single curve for ECDH, due to the limitations of the OpenSSL API.
OpenSSL 1.0.2 (released 22 Jan 2015) added a bunch of new functions for managing what curves are used: https://www.openssl.org/docs/ssl/SSL_CTX_set1_curves.html
At a minimum we should call SSL_CTX_set_ecdh_auto().
As per version 1.0.2d-2, the SSLv3_* API has been disabled in Debian.
http://metadata.ftp-master.debian.org/changelogs//main/o/openssl/openssl_1.0.2d-3_changelog
Can you help me choosing the right replacement?
Hi, not a dev, but can poke.
I am having build issues - first was a build failure as /opensll/sll.h was missing along with ./lua.h and ./luaconf.h
Once I found these I got the project to start building but hit 91 errors and 25 warnings.
Should this build in VS 2015?
alex
Following the INSTALL instruction & successfully install the OpenSSL 1.0.2f version as mentioned.
I come across the following error.
user@ux31a:/usr/src/luasec-master# luarocks install luasec OPENSSL_DIR=/usr/local/ssl
Installing https://luarocks.org/luasec-0.6-1.rockspec
Cloning into 'luasec'...
remote: Counting objects: 116, done.
remote: Compressing objects: 100% (93/93), done.
remote: Total 116 (delta 33), reused 76 (delta 22), pack-reused 0
Receiving objects: 100% (116/116), 68.52 KiB | 0 bytes/s, done.
Resolving deltas: 100% (33/33), done.
Note: checking out '20443861ebc3f6498ee7d9c70fbdaa059bec15e1'.
You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by performing another checkout.
If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -b with the checkout command again. Example:
git checkout -b <new-branch-name>
gcc -O2 -fPIC -I/usr/include/lua5.1 -c src/x509.c -o src/x509.o -I/usr/local/ssl/include -Isrc/ -Isrc/luasocket
gcc -O2 -fPIC -I/usr/include/lua5.1 -c src/context.c -o src/context.o -I/usr/local/ssl/include -Isrc/ -Isrc/luasocket
gcc -O2 -fPIC -I/usr/include/lua5.1 -c src/ssl.c -o src/ssl.o -I/usr/local/ssl/include -Isrc/ -Isrc/luasocket
gcc -O2 -fPIC -I/usr/include/lua5.1 -c src/luasocket/buffer.c -o src/luasocket/buffer.o -I/usr/local/ssl/include -Isrc/ -Isrc/luasocket
gcc -O2 -fPIC -I/usr/include/lua5.1 -c src/luasocket/io.c -o src/luasocket/io.o -I/usr/local/ssl/include -Isrc/ -Isrc/luasocket
gcc -O2 -fPIC -I/usr/include/lua5.1 -c src/luasocket/timeout.c -o src/luasocket/timeout.o -I/usr/local/ssl/include -Isrc/ -Isrc/luasocket
gcc -O2 -fPIC -I/usr/include/lua5.1 -c src/luasocket/usocket.c -o src/luasocket/usocket.o -I/usr/local/ssl/include -Isrc/ -Isrc/luasocket
gcc -shared -o ssl.so -L/usr/local/lib src/x509.o src/context.o src/ssl.o src/luasocket/buffer.o src/luasocket/io.o src/luasocket/timeout.o src/luasocket/usocket.o -L/usr/local/ssl/lib -Wl,-rpath,/usr/local/ssl/lib: -lssl -lcrypto
/usr/bin/ld: /usr/local/ssl/lib/libssl.a(s3_srvr.o): relocation R_X86_64_PC32 against symbol `stderr@@GLIBC_2.2.5' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: final link failed: Bad value
collect2: error: ld returned 1 exit status
Error: Build error: Failed compiling module ssl.so
I've been searching for the solution but so far haven't come across a working solution yet.
Just try build LuaSec with OpenSSL 1.0.2h and got:
Creating library ssl.lib and object ssl.exp
libeay32.lib(cryptlib.obj) : error LNK2019: unresolved external symbol __imp_DeregisterEventSource referenced in function OPENSSL_showfatal
libeay32.lib(cryptlib.obj) : error LNK2019: unresolved external symbol __imp_RegisterEventSourceW referenced in function OPENSSL_showfatal
libeay32.lib(cryptlib.obj) : error LNK2019: unresolved external symbol __imp_ReportEventW referenced in function OPENSSL_showfatal
libeay32.lib(cryptlib.obj) : error LNK2019: unresolved external symbol __imp_GetProcessWindowStation referenced in function OPENSSL_isservice
libeay32.lib(cryptlib.obj) : error LNK2019: unresolved external symbol __imp_GetUserObjectInformationW referenced in function OPENSSL_isservice
libeay32.lib(cryptlib.obj) : error LNK2019: unresolved external symbol __imp_MessageBoxW referenced in function OPENSSL_showfatal
libeay32.lib(rand_win.obj) : error LNK2019: unresolved external symbol __imp_CreateCompatibleBitmap referenced in function readscreen
libeay32.lib(rand_win.obj) : error LNK2019: unresolved external symbol __imp_DeleteObject referenced in function readscreen
libeay32.lib(rand_win.obj) : error LNK2019: unresolved external symbol __imp_GetDeviceCaps referenced in function readscreen
libeay32.lib(rand_win.obj) : error LNK2019: unresolved external symbol __imp_GetDIBits referenced in function readscreen
libeay32.lib(rand_win.obj) : error LNK2019: unresolved external symbol __imp_GetObjectW referenced in function readscreen
libeay32.lib(rand_win.obj) : error LNK2019: unresolved external symbol __imp_GetDC referenced in function readscreen
libeay32.lib(rand_win.obj) : error LNK2019: unresolved external symbol __imp_ReleaseDC referenced in function readscreen
ssl.dll : fatal error LNK1120: 13 unresolved externals
To resolve this, deps also need to link against Advapi32.lib, User32.lib and Gdi32.lib
Please implement OCSP Stapling.
This is especially useful to 1. reduce load of OCSP servers and 2. prevent privacy leaks of who is connecting to your host towards the OCSP server.
#21 broke the Windows build by using unix only code.
I can't find the rockspec in the repo, but all I did to get it to work was add a symbol definition for LUA_COMPAT_5_2. You could duplicate this in both the unix and windows table, or restructure the table so that the platforms overrides are outside the main module definitions.
I have managed to run Luasec under x86 (32-bit) but I could not build it to run under x64, SSL.dll is not found, could you please provide a build?
By now, there are some features of luasec which depend on build options rather than on the luasec version and are thus hard to detect for the user. However, luasec throws hard errors and cannot tell the user exactly why an operation failed.
Prosody for example is forced by this to either not use ECDH by default or have no SSL on platforms without ECDH (RedHat and derivatives).
Conclusively, one should think about a way to export LuaSec's feature set to the user.
OpenSSL makes it possible to add multiple different certificates for the server to use. For example, a (EC)DSA and a RSA cert, where the selected cipher determines which certificate to use. With the SHA1 deprecation coming up, the recommended setup to maintain compatibility is a RSA cert signed using SHA1 and a ECDSA cert signed using SHA256.
LuaSec's API does not make it easy to add multiple certificates. Calling loadcert and loadkey manually after creating a new context is possible, but annoying.
I propose to make it possible to specify cert and key as lists when calling newcontext. They must be of equal length and added one by one.
Hi,
If not, could there be a Lua 5.3 release in the not too distant future? I've read that the trunk code seems to be compatible with Lua 5.3.
uname -a
Linux b2bc5f371fab 3.10-2-amd64 #1 SMP Debian 3.10.7-1 (2013-08-17) x86_64 x86_64 x86_64 GNU/Linux
gcc -v
Using built-in specs.
Target: x86_64-redhat-linux
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --with-bugurl=http://bugzilla.redhat.com/bugzilla --enable-bootstrap --enable-shared --enable-threads=posix --enable-checking=release --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-gnu-unique-object --enable-languages=c,c++,objc,obj-c++,java,fortran,ada --enable-java-awt=gtk --disable-dssi --with-java-home=/usr/lib/jvm/java-1.5.0-gcj-1.5.0.0/jre --enable-libgcj-multifile --enable-java-maintainer-mode --with-ecj-jar=/usr/share/java/eclipse-ecj.jar --disable-libjava-multilib --with-ppl --with-cloog --with-tune=generic --with-arch_32=i686 --build=x86_64-redhat-linux
Thread model: posix
gcc version 4.4.7 20120313 (Red Hat 4.4.7-3) (GCC)
lua -v
Lua 5.1.4 Copyright (C) 1994-2008 Lua.org, PUC-Rio
Build output:
---------------------
** Build for Linux **
---------------------
make[1]: Entering directory `/home/kitchen/luasec/src'
make[2]: Entering directory `/home/kitchen/luasec/src'
make[3]: Entering directory `/home/kitchen/luasec/src/luasocket'
cc -O2 -fPIC -Wall -pedantic -I. -I/usr/include -DWITH_LUASOCKET -DLUASOCKET_DEBUG -c -o io.o io.c
cc -O2 -fPIC -Wall -pedantic -I. -I/usr/include -DWITH_LUASOCKET -DLUASOCKET_DEBUG -c -o buffer.o buffer.c
cc -O2 -fPIC -Wall -pedantic -I. -I/usr/include -DWITH_LUASOCKET -DLUASOCKET_DEBUG -c -o timeout.o timeout.c
cc -O2 -fPIC -Wall -pedantic -I. -I/usr/include -DWITH_LUASOCKET -DLUASOCKET_DEBUG -c -o usocket.o usocket.c
ar rcu libluasocket.a io.o buffer.o timeout.o usocket.o
ranlib libluasocket.a
make[3]: Leaving directory `/home/kitchen/luasec/src/luasocket'
cc -O2 -fPIC -Wall -pedantic -I. -I/usr/include -DWITH_LUASOCKET -c -o x509.o x509.c
cc -O2 -fPIC -Wall -pedantic -I. -I/usr/include -DWITH_LUASOCKET -c -o context.o context.c
context.c: In function ‘str2method’:
context.c:65: warning: return discards qualifiers from pointer target type
context.c:66: warning: return discards qualifiers from pointer target type
context.c:67: warning: return discards qualifiers from pointer target type
context.c: At top level:
context.c:255: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘*’ token
make[2]: *** [context.o] Error 1
make[2]: Leaving directory `/home/kitchen/luasec/src'
make[1]: *** [linux] Error 2
make[1]: Leaving directory `/home/kitchen/luasec/src'
make: *** [linux] Error 2
I tried installing a rockspec via https and luarocks complained that I should install Luasec to get this supported.
From what I see in this repo, there isn't any activity to indicate Lua 5.2 compatibility, so this is why I am asking.
See line https://github.com/brunoos/luasec/blob/master/src/ssl.lua#L123
it sets the value to -1 which is proper for unix (but still a magical value), but not for Windows. I don't know where (if any) else it is used, but I think the proper way is to expose the constant to Lua, and set that value.
Same as (unreleased) LuaSocket does https://github.com/diegonehab/luasocket/blob/be67f63f4e11e53690bf1431a236f86b484c9bf0/src/select.c#L44-L46
I was reading through the code, and saw that the callback dhparam_cb is setup via SSL_CTX_set_tmp_dh_callback, but not torn down.
This means if the reference to the ssl context is collected while a DH negotiation is pending, there will be an illegal de-reference (segfault if we're lucky) in dhparam_cb. I don't think this can currently be reached within the confines of luasec, but if a SSL_CTX* or SSL* ever escaped then there would be a problem.
For safety, meth_destroy should unset the dh callback.
For information: http://www.lua.org/versions.html#5.3
Hey there.
I'm trying to package the 0.5 release here. If I extract that, I get a folder called luasec-luasec-0.5 while I would expect luasec-0.5 (no repetition), just like with 0.4.
Was that an intentional change? Will you keep that naming convention? In that case I'd work around it, but it would be nicer if the 0.4 (and arguably: standard) layout would just work.
I can't seem to figure out how to issue a POST request with the HTTPS library. Would be nice to have this documented somewhere.
The wiki says (under dohandshake);
"wantread" indicates that the operation was not finished because a timeout in the underline TCP connection prevents it of sending data.
This is rather cryptic, but it says that "I'm sending data, and I want my counterpart to READ; wantread"
The example given does it exactly the other way around;
local succ, msg
conn:settimeout(0)
while not succ do
  succ, msg = conn:dohandshake()
  if msg == "wantread" then
    socket.select({conn}, nil) --> select for reading!!
  elseif msg == "wantwrite" then
    socket.select(nil, {conn}) --> select for writing!!
  else
    -- other errors
  end
end
This is straightforward, it says "wait to become readable on wantread", and vice versa for write.
The logic from the wiki text, is giving me strange problems with async connections (applying the same logic to receive and send timeouts). So is this wrong? and should I follow the logic from the example?
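An added example, not code from LuaSec or from any of the posts here: a non-blocking handshake driver that treats both nil and false from dohandshake() as "not finished" (the mismatch reported earlier on this page), waits for readability on "wantread" and writability on "wantwrite", and stops on any other message instead of looping. The names handshake, wait_fn, mock_conn and record_wait are hypothetical, and the scripted connection is constructed so the block runs without a network.

```lua
-- Drive a non-blocking TLS handshake to completion.
-- conn:       object with settimeout() and dohandshake(), as LuaSec connections have
-- wait_fn:    function(recvt, sendt) -> true when ready, or nil/false plus an error
-- max_rounds: upper bound on attempts so a stalled peer cannot hang the caller
local function handshake(conn, wait_fn, max_rounds)
  conn:settimeout(0)
  for round = 1, max_rounds do
    local ok, msg = conn:dohandshake()
    if ok then
      return true, round
    end
    -- `not ok` covers both nil and false, so the loop does not depend on
    -- which of the two the library returns for an unfinished handshake.
    local ready, err
    if msg == "wantread" then
      ready, err = wait_fn({conn}, nil)      -- wait until the socket is readable
    elseif msg == "wantwrite" then
      ready, err = wait_fn(nil, {conn})      -- wait until the socket is writable
    else
      -- Any other message is a real failure (for example a protocol
      -- mismatch); retrying would spin forever.
      return nil, msg or "handshake failed"
    end
    if not ready then
      return nil, err or "wait failed"
    end
  end
  return nil, "handshake did not finish"
end

-- With LuaSocket the wait function could be (assumes `socket` is loaded):
--   local function wait_fn(recvt, sendt)
--     local _, _, err = socket.select(recvt, sendt, 5)
--     return err == nil, err
--   end

-- Constructed stand-in for a connection: replays scripted dohandshake() results.
local function mock_conn(script)
  local i = 0
  return {
    settimeout = function() end,
    dohandshake = function()
      i = i + 1
      local step = script[i]
      return step[1], step[2]
    end,
  }
end

-- Records which direction each wait was for.
local waits = {}
local function record_wait(recvt, sendt)
  waits[#waits + 1] = recvt and "read" or "write"
  return true
end

-- Unfinished twice (once as false, once as nil), then success.
local good = mock_conn{ {false, "wantread"}, {nil, "wantwrite"}, {true} }
print(handshake(good, record_wait, 10))
print(table.concat(waits, ","))

-- A hard error ends the loop with the library's message.
local bad = mock_conn{ {false, "wrong version number"} }
print(handshake(bad, record_wait, 10))
```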
Hi Bruno,
I am running the kaixhin/torch image on Docker, and luarocks install for luasec keeps failing. I already have openssl installed.
Hi !
I want to download a file (here the google index) but it fails.
require("socket")
local https = require("ssl.https")
print(https.request("https://www.google.com"))
-- nil wrong version number nil nil
require("socket")
local https = require("ssl.https")
local one, code, headers, status = https.request({
  url = "https://www.google.com",
  protocol="sslv3",
  options="all",
  verify="none"})
print(one, code, headers, status)
-- nil wrong version number nil nil
This might be related to #34 and #38 ... If I'm not able to download a simple file, well it's bad.
What do I do ?
Compilation failed with two errors in src/x509.c:
In function 'meth_extensions':
src/x509.c:296:35: error: dereferencing pointer to incomplete type 'X509_EXTENSION {aka struct X509_extension_st}'
push_asn1_objname(L, extension->object, 1);
^~
src/x509.c: In function 'meth_pubkey':
src/x509.c:407:32: error: dereferencing pointer to incomplete type 'EVP_PKEY {aka struct evp_pkey_st}'
switch(EVP_PKEY_type(pkey->type)) {
^~
Error: Build error: Failed compiling object src/x509.o
I don't know for sure if that is strictly a luasec issue, or if the fault lies with the openssl includes that I use, but I'd be glad for help in any case...
Using luarocks-2.4.2-win32 and luasec-0.6-1 rockspec. Compiler is mingw-w64-i868-gcc (6.3.0-2) from msys2 (I edited luarocks/lua/luarocks/cfg.lua to remove the "mingw-" prefix so the compiler would be found).
Both lua (5.3) and openssl (1.1.0e) were built from within msys-mingw32.
full output:
PS C:\luarocks> ./luarocks.bat install luasec OPENSSL_DIR=C:\openssl32
C:\luarocks>SET "PATH=C:\ProgramData\Oracle\Java\javapath;C:\Program Files (x86)\Intel\iCLS Client\;C:\Program Files\Intel\iCLS Client\;C:\Windows\system32;C:\Windows
;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Intel\Intel(R) Management Engine Components\DAL;C:\Program Files (x86)\Intel\In
tel(R) Management Engine Components\DAL;C:\Program Files\Intel\Intel(R) Management Engine Components\IPT;C:\Program Files (x86)\Intel\Intel(R) Management Engine Compo
nents\IPT;C:\Program Files (x86)\NVIDIA Corporation\PhysX\Common;C:\Program Files (x86)\GnuPG\pub;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\S
ystem32\WindowsPowerShell\v1.0\;C:\Program Files\Intel\WiFi\bin\;C:\Program Files\Common Files\Intel\WirelessCommon\;C:\Program Files (x86)\Skype\Phone\;C:\Program Fi
les\Intel\WiFi\bin\;C:\Program Files\Common Files\Intel\WirelessCommon\;C:\Users\lordhelmchen\AppData\Local\Microsoft\WindowsApps;C:\Program Files\cmdline-tools;C:\lu
a32\bin;C:\msys64\mingw32\bin;C:\msys64\usr\bin"
Installing https://luarocks.org/luasec-0.6-1.rockspec
Cloning into 'luasec'...
remote: Counting objects: 116, done.
remote: Compressing objects: 100% (93/93), done.
Receiving objects: 81% (94/116) remote: Total 116 (delta 33), reused 76 (delta 22), pack-reused 0
Receiving objects: 100% (116/116), 68.52 KiB | 0 bytes/s, done.
Resolving deltas: 100% (33/33), done.
Note: checking out '20443861ebc3f6498ee7d9c70fbdaa059bec15e1'.
You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by performing another checkout.
If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -b with the checkout command again. Example:
git checkout -b <new-branch-name>
Applying patch luarocks_vs_compiler.patch...
successfully patched C:\Users\LORDHE~1\AppData\Local\Temp/luarocks_luasec-0.6-1-4001/luasec/src/ssl.c
gcc -O2 -c -o src/x509.o -IC:/lua32/include src/x509.c -DWIN32 -DNDEBUG -D_WINDOWS -D_USRDLL -DLSEC_EXPORTS -DBUFFER_DEBUG -DLSEC_API=__declspec(dllexport) -DLUASEC_I
NET_NTOP -DWINVER=0x0501 -D_WIN32_WINNT=0x0501 -DNTDDI_VERSION=0x05010300 -IC:\openssl32/include -Isrc/ -Isrc/luasocket
src/x509.c: In function 'push_asn1_string':
src/x509.c:149:5: warning: 'ASN1_STRING_data' is deprecated [-Wdeprecated-declarations]
lua_pushlstring(L, (char*)ASN1_STRING_data(string),
^~~~~~~~~~~~~~~
In file included from C:\openssl32/include/openssl/bn.h:31:0,
from C:\openssl32/include/openssl/asn1.h:24,
from C:\openssl32/include/openssl/objects.h:916,
from C:\openssl32/include/openssl/evp.h:27,
from C:\openssl32/include/openssl/x509.h:23,
from C:\openssl32/include/openssl/ssl.h:50,
from src/x509.c:22:
C:\openssl32/include/openssl/asn1.h:553:35: note: declared here
DEPRECATEDIN_1_1_0(unsigned char *ASN1_STRING_data(ASN1_STRING *x))
^
C:\openssl32/include/openssl/opensslconf.h:105:35: note: in definition of macro 'DECLARE_DEPRECATED'
# define DECLARE_DEPRECATED(f) f __attribute__ ((deprecated));
^
C:\openssl32/include/openssl/asn1.h:553:1: note: in expansion of macro 'DEPRECATEDIN_1_1_0'
DEPRECATEDIN_1_1_0(unsigned char *ASN1_STRING_data(ASN1_STRING *x))
^
src/x509.c: In function 'push_asn1_ip':
src/x509.c:185:3: warning: 'ASN1_STRING_data' is deprecated [-Wdeprecated-declarations]
unsigned char *ip = ASN1_STRING_data(string);
^~~~~~~~
In file included from C:\openssl32/include/openssl/bn.h:31:0,
from C:\openssl32/include/openssl/asn1.h:24,
from C:\openssl32/include/openssl/objects.h:916,
from C:\openssl32/include/openssl/evp.h:27,
from C:\openssl32/include/openssl/x509.h:23,
from C:\openssl32/include/openssl/ssl.h:50,
from src/x509.c:22:
C:\openssl32/include/openssl/asn1.h:553:35: note: declared here
DEPRECATEDIN_1_1_0(unsigned char *ASN1_STRING_data(ASN1_STRING *x))
^
C:\openssl32/include/openssl/opensslconf.h:105:35: note: in definition of macro 'DECLARE_DEPRECATED'
# define DECLARE_DEPRECATED(f) f __attribute__ ((deprecated));
^
C:\openssl32/include/openssl/asn1.h:553:1: note: in expansion of macro 'DEPRECATEDIN_1_1_0'
DEPRECATEDIN_1_1_0(unsigned char *ASN1_STRING_data(ASN1_STRING *x))
^
src/x509.c: In function 'meth_extensions':
src/x509.c:296:35: error: dereferencing pointer to incomplete type 'X509_EXTENSION {aka struct X509_extension_st}'
push_asn1_objname(L, extension->object, 1);
^~
src/x509.c: In function 'meth_pubkey':
src/x509.c:407:32: error: dereferencing pointer to incomplete type 'EVP_PKEY {aka struct evp_pkey_st}'
switch(EVP_PKEY_type(pkey->type)) {
^~
Error: Build error: Failed compiling object src/x509.o
PS C:\luarocks>
Why does LuaSec expect the explicit location of the SSL/TLS trusted certificate stores? Why doesn't it use SSL_CTX_set_default_verify_paths() to let OpenSSL handle it? See also https://www.happyassassin.net/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/ which provides some hints on how this should be done and implemented, and how fallbacks could work.
Possibly related to #73 (even running with that change applied). SEGFAULT in the middle of a dohandshake call.
Traceback from a core dump:
(gdb) bt 3 full
#0 0x08054d63 in luaS_newlstr (L=0x9984e88, str=0x372d38 "SSL:DH:Registry",
l=15) at lstring.c:82
o = <optimized out>
h = 4194570653
step = <optimized out>
l1 = <optimized out>
#1 0x0804c96c in lua_getfield (L=0x9984e88, idx=-10000,
k=0x372d38 "SSL:DH:Registry") at lapi.c:550
i_o = 0xbfaf8574
t = 0x8067288
key = {value = {gc = 0x0, p = 0x0, n = 5.703924686114652e-311, b = 0},
tt = 1955778}
#2 0x0036d9af in dhparam_cb () from /usr/local/lib/lua/5.1/ssl.so
No symbol table info available.
#3 0x00150fe0 in ssl3_send_server_key_exchange (s=0x99d3308) at s3_srvr.c:1615
#4 0x0015432b in ssl3_accept (s=0x99d3308) at s3_srvr.c:481
#5 0x00179f2a in SSL_accept (s=0x99d3308) at ssl_lib.c:938
#6 0x001630bd in ssl23_get_client_hello (s=0x99d3308) at s23_srvr.c:655
#7 0x001639c2 in ssl23_accept (s=0x99d3308) at s23_srvr.c:212
#8 0x0017945d in SSL_do_handshake (s=0x99d3308) at ssl_lib.c:2587
#9 0x00370ca0 in meth_handshake () from /usr/local/lib/lua/5.1/ssl.so
LuaSec was unfortunately built without debug symbols.
I tried to build LuaSec 0.6 (using LuaRocks) and got
c:/luarocks/x64/external/include\openssl/lhash.h(198): warning C4090: 'function': different 'const' qualifiers
src/x509.c(296): error C2037: left of 'object' specifies undefined struct/union 'X509_extension_st'
src/x509.c(296): warning C4047: 'function': 'ASN1_OBJECT *' differs in levels of indirection from 'int'
src/x509.c(296): warning C4024: 'push_asn1_objname': different types for formal and actual parameter 2
src/x509.c(296): error C2198: 'push_asn1_objname': too few arguments for call
src/x509.c(300): error C2037: left of 'object' specifies undefined struct/union 'X509_extension_st'
src/x509.c(300): error C2198: 'push_asn1_objname': too few arguments for call
src/x509.c(407): error C2037: left of 'type' specifies undefined struct/union 'evp_pkey_st'
src/x509.c(407): error C2198: 'EVP_PKEY_type': too few arguments for call
It seems OpenSSL removes the definition of X509_extension_st and leaves only the declaration in the public API.
As I see, redirect is not supported. Is it possible for you to support it?
https://github.com/brunoos/luasec/blob/master/src/https.lua#L123
Thanks.
On https://luarocks.org/modules/brunoos/luasec there's a homepage link, http://luasec.luaforge.net/, which goes to 404.
Most, or all, of the samples in the repo seem to be based on the server sending something to the client first on connection.
In my case, I initiate a server, and wait for the client to send a request. However, the server seems to hang on peer:receive(), until I kill the client. On the other hand, if I send something from the server first, the client receives it.
My client code is written in C#, while my server code basically looks like this. Certs, handshake, etc. work just fine, until peer:receive() hangs.
local socket = require("socket")
local ssl = require("ssl")
local params = {
mode = "server",
protocol = "tlsv1_2",
key = "C:\\ .... \\serverkey.pem",
certificate = "C:\\ .... \\server.pem",
cafile = "C:\\ .... \\root.pem",
verify = {"peer", "fail_if_no_peer_cert"},
options = "all",
}
local server = socket.tcp()
local ctx = assert(ssl.newcontext(params))
server:setoption('reuseaddr', true)
assert( server:bind("10.20.2.92", 2000) )
server:listen()
local peer = server:accept()
peer = assert( ssl.wrap(peer, ctx) )
peer:dohandshake()
local data = peer:receive()
print("received: " .. tostring(data))
peer:send("Pong!\n")
peer:close()
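The receive() patterns that the server above relies on, shown as an added example that is not part of the original post or of LuaSec's own code. It uses plain LuaSocket over loopback with constructed input; `read_line` and `demo` are hypothetical names, and it assumes the peer returned by ssl.wrap accepts the same patterns, prefix and timeout as a LuaSocket TCP object.

```lua
-- Added example (not from the post): plain LuaSocket on loopback, no TLS.
local socket = require("socket")

-- Hypothetical helper: read one LF-terminated message with a deadline.
-- On failure returns nil, err, partial; `partial` holds bytes read so far.
local function read_line(peer, timeout, prefix)
  peer:settimeout(timeout)           -- without this, receive() blocks forever
  return peer:receive("*l", prefix)  -- "*l" is also the default pattern
end

local function demo()
  local server = assert(socket.bind("127.0.0.1", 0)) -- port 0: OS picks one
  local _, port = server:getsockname()
  local client = assert(socket.connect("127.0.0.1", port))
  local peer = assert(server:accept())
  local out = {}

  -- Constructed input: a request with no line terminator.
  assert(client:send("Ping"))
  local line, err, partial = read_line(peer, 0.5)
  out.first = { line = line, err = err, partial = partial }

  -- The terminator arrives later; pass the partial back in as the prefix.
  assert(client:send(" again\n"))
  out.second = read_line(peer, 0.5, partial)

  -- A byte count returns as soon as that many bytes are available.
  assert(client:send("12345678"))
  out.fixed = peer:receive(4)

  -- "*a" returns only when the sender closes the connection.
  client:close()
  out.rest = peer:receive("*a")

  peer:close()
  server:close()
  return out
end

local r = demo()
print("no newline :", r.first.line, r.first.err, r.first.partial)
print("with prefix:", r.second)
print("fixed count:", r.fixed)
print("until close:", r.rest)
```

On a server that handles one peer at a time, the timeout also bounds how long a silent client can hold the accept loop.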
Here's a short code snippet to reproduce the problem:
local ltn12 = require 'ltn12'
local req = require 'ssl.https'.request
local resp = {}
local url = 'https://bittrex.com/api/v1.1/public/getmarketsummaries'
print( req { method = "GET", url = url, sink = ltn12.sink.table (resp) } )
print( table.concat(resp) )
For me, this gives the output:
nil tlsv1 alert internal error nil nil
My setup
It's important to mention that this problem started happening today. Before today, this used to work just fine, which suggests that bittrex might have changed something with their SSL certificate or the cipher suite used. I posted about this problem over on /r/bitcoinmarkets
Another interesting observation, I tested the same get request on curl 7.23.1:
curl -v -k "https://bittrex.com/api/v1.1/public/getmarkethistory?market=BTC-XMR"
giving me this output:
* About to connect() to bittrex.com port 443 (#0)
* Trying 104.18.56.9... connected
* SSLv3, TLS handshake, Client hello (1):
* error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
* Closing connection #0
curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
However, if I perform the same operation on curl 7.51.0, that works! And of course, testing this in the Chrome browser works fine.
Any ideas on what the tlsv1 error means and how to fix it? A search shows this same error message has happened in other languages too, like Python, which likely suggests an error that's emanating from OpenSSL or the way LuaSec is using OpenSSL.
The following holds for https://luarocks.org/modules/luarocks/luasec, which is the most downloaded code, and is one year old.
src/ssl.c:404:9: error: unknown type name 'COMP_METHOD'; did you mean 'CONF_METHOD'?
const COMP_METHOD *comp;
^~~~~~~~~~~
CONF_METHOD
/opt/share/libressl/include/openssl/conf.h:86:31: note: 'CONF_METHOD' declared here
typedef struct conf_method_st CONF_METHOD;
^
1 error generated.
Error: Build error: Failed compiling object src/ssl.o
note:
search -cv COMP_METHOD /opt/share/libressl
/opt/share/libressl/include/openssl/comp.h:14:typedef struct comp_method_st {
/opt/share/libressl/include/openssl/comp.h:26:} COMP_METHOD;
/opt/share/libressl/include/openssl/comp.h:29: COMP_METHOD *meth;
/opt/share/libressl/include/openssl/comp.h:39:COMP_CTX *COMP_CTX_new(COMP_METHOD *meth);
/opt/share/libressl/include/openssl/comp.h:45:COMP_METHOD *COMP_rle(void );
/opt/share/libressl/include/openssl/comp.h:46:COMP_METHOD *COMP_zlib(void );
I know that proxy is not supported in this version, but is there a possible workaround to use one?
Per https://www.openssl.org/docs/manmaster/crypto/threads.html OpenSSL isn't thread safe by default, but it can be made to be. Can reentrancy safety be added? See also maybe http://stackoverflow.com/questions/3919420/tutorial-on-using-openssl-with-pthreads and/or wahern/luaossl@331bc57