From e3d550677961de5dd0e16b81833c6bccb2ea17f7 Mon Sep 17 00:00:00 2001 From: tzssangglass Date: Sat, 6 Jun 2026 00:24:58 +0800 Subject: [PATCH] bugfix: remove sslhandshake result assert for pre-handshake errors. When `tcpsock:sslhandshake()` fails before the actual SSL handshake starts, `ngx_http_lua_ffi_socket_tcp_get_sslhandshake_result()` may return `FFI_OK` while still providing the OpenSSL error details. One example is a client private key setup failure. In that path, `rc` is `FFI_ERROR`, but `u->error_ret` is not set, so `ngx_http_lua_ffi_socket_tcp_get_sslhandshake_result` would return `FFI_OK`. The existing `assert(res == FFI_ERROR)` turns this expected error-reporting path into an assertion failure. This patch removes the assertion so Lua can return the original SSL error to the caller. --- lib/resty/core/socket.lua | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/lib/resty/core/socket.lua b/lib/resty/core/socket.lua index f68de60a7..ad50ae4a5 100644 --- a/lib/resty/core/socket.lua +++ b/lib/resty/core/socket.lua @@ -424,14 +424,10 @@ local function sslhandshake(cosocket, reused_session, server_name, ssl_verify, error("no request ctx found", 2) end - local res - if rc == FFI_ERROR then - res = C.ngx_http_lua_ffi_socket_tcp_get_sslhandshake_result(r, u, + C.ngx_http_lua_ffi_socket_tcp_get_sslhandshake_result(r, u, session_ptr, errmsg, openssl_error_code) - assert(res == FFI_ERROR) - if openssl_error_code[0] ~= 0 then return nil, openssl_error_code[0] .. ": " .. ffi_str(errmsg[0]) end @@ -443,6 +439,8 @@ local function sslhandshake(cosocket, reused_session, server_name, ssl_verify, return reused_session end + local res + if rc == FFI_OK then if reused_session == false then return true