feature: support custom trusted CA store for cosocket TLS handshake. (#401)

findns94 · web-flow · commit beb8255ce0be · 2026-05-06T16:30:52.000+08:00
Adds the cosocket-level plumbing for a new tcpsock:settrustedstore(store)
method, allowing Lua code to supply a per-handshake X509_STORE that
overrides lua_ssl_trusted_certificate for the upcoming sslhandshake().
This is needed for use cases where the set of trusted CAs is determined
at request time (e.g. per-tenant mTLS upstreams).

This is the stream-module counterpart of the same feature merged into
lua-nginx-module. The lua-resty-core binding will be added separately.

NULL store is allowed to clear a previously set trusted store on the
cosocket object.

Signed-off-by: Walker Zhao &lt;walker.zhao@konghq.com&gt;
diff --git a/src/ngx_stream_lua_socket_tcp.c b/src/ngx_stream_lua_socket_tcp.c
@@ -2066,6 +2066,21 @@ ngx_stream_lua_socket_tcp_sslhandshake(lua_State *L)
 #endif
 #endif
 
+    if (u->ssl_trusted_store) {
+        if (SSL_set1_verify_cert_store(c->ssl->connection,
+                                       u->ssl_trusted_store)
+            == 0)
+        {
+            ERR_clear_error();
+
+            lua_pushnil(L);
+            lua_pushliteral(L, "SSL_set1_verify_cert_store() failed");
+            return 2;
+        }
+
+        u->ssl_trusted_store = NULL;
+    }
+
     rc = ngx_ssl_handshake(c);
 
     dd("ngx_ssl_handshake returned %d", (int) rc);
@@ -2505,6 +2520,31 @@ ngx_stream_lua_server_ssl_handshake_retval_handler(ngx_stream_lua_request_t *r,
     return 1;
 }
 
+
+int
+ngx_stream_lua_ffi_socket_tcp_settrustedstore(ngx_stream_lua_request_t *r,
+    ngx_stream_lua_socket_tcp_upstream_t *u, void *store, char **errmsg)
+{
+    if (u == NULL
+        || u->peer.connection == NULL
+        || u->read_closed
+        || u->write_closed)
+    {
+        *errmsg = "closed";
+        return NGX_ERROR;
+    }
+
+    if (u->request != r) {
+        *errmsg = "bad request";
+        return NGX_ERROR;
+    }
+
+    u->ssl_trusted_store = store;
+
+    return NGX_OK;
+}
+
+
 #endif  /* NGX_STREAM_SSL */
 
 
diff --git a/src/ngx_stream_lua_socket_tcp.h b/src/ngx_stream_lua_socket_tcp.h
@@ -138,6 +138,7 @@ struct ngx_stream_lua_socket_tcp_upstream_s {
     char                             host[COSOCKET_HOST_LEN];
 #if (NGX_STREAM_SSL)
     ngx_str_t                        ssl_name;
+    X509_STORE                      *ssl_trusted_store;
 #endif
 
     unsigned                         ft_type:16;
diff --git a/t/171-ssl-trusted-store.t b/t/171-ssl-trusted-store.t
