
tcpsock:sslhandshake

syntax: session, err = tcpsock:sslhandshake(reused_session?, server_name?, ssl_verify?)

context: rewrite_by_lua*, access_by_lua*, content_by_lua*, ngx.timer.*

Performs the SSL/TLS handshake on the currently established connection.

The optional reused_session argument can take a former SSL session userdata returned by a previous sslhandshake call for exactly the same target. For short-lived connections, reusing SSL sessions can usually speed up the handshake by one order of magnitude, but it is not so useful if the connection pool is enabled. This argument defaults to nil. If this argument takes the boolean false value, no SSL session userdata is returned by this call and only a Lua boolean is returned as the first return value; otherwise the current SSL session is always returned as the first return value on success.

The optional server_name argument specifies the server name for the TLS extension Server Name Indication (SNI). SNI lets different servers share the same IP address on the server side. When SSL verification is enabled, this server_name argument is also used to validate the server name specified in the server certificate sent from the remote.

The optional ssl_verify argument takes a Lua boolean value to control whether to perform SSL verification. When set to true, the server certificate will be verified according to the CA certificates specified by the lua_ssl_trusted_certificate directive. You may also need to adjust the lua_ssl_verify_depth directive to control how deep we should follow along the certificate chain. Also, when the ssl_verify argument is true and the server_name argument is also specified, the latter will be used to validate the server name in the server certificate.

For connections that have already done SSL/TLS handshake, this method returns immediately.

This method was first introduced in the v0.9.11 release.
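
A verified handshake with session reuse across two short-lived connections to the same target, as an added example that is not part of the lua-nginx-module documentation. The host name, CA bundle path, resolver and verify depth are assumptions.

```lua
-- Added example. Assumed nginx.conf settings in the http block
-- (path, depth and resolver address are placeholders):
--   lua_ssl_trusted_certificate /path/to/ca-bundle.pem;
--   lua_ssl_verify_depth 2;
--   resolver <resolver-address>;   -- needed to connect by host name
-- Run this inside content_by_lua_block or another supported context.

local HOST, PORT = "upstream.example.com", 443   -- hypothetical target

-- Connect and do a verified TLS handshake.
-- Returns sock, session on success; nil, nil, err on failure.
local function verified_connect(reused_session)
    local sock = ngx.socket.tcp()
    sock:settimeout(3000)   -- milliseconds

    local ok, err = sock:connect(HOST, PORT)
    if not ok then
        return nil, nil, "connect failed: " .. (err or "unknown")
    end

    -- server_name sets SNI; with ssl_verify = true it is also the name
    -- checked against the server certificate.
    local session, herr = sock:sslhandshake(reused_session, HOST, true)
    if not session then
        sock:close()   -- never send data over an unverified connection
        return nil, nil, "TLS handshake failed: " .. (herr or "unknown")
    end
    return sock, session
end

-- First connection: full handshake, keep the returned session userdata.
local sock, session, err = verified_connect(nil)
if not sock then
    ngx.log(ngx.ERR, err)
    return ngx.exit(ngx.HTTP_BAD_GATEWAY)
end
sock:close()   -- short-lived connection, no connection pool

-- Second connection to exactly the same target: offer the saved session.
local sock2, _, err2 = verified_connect(session)
if not sock2 then
    ngx.log(ngx.ERR, err2)
    return ngx.exit(ngx.HTTP_BAD_GATEWAY)
end
sock2:close()
ngx.say("both handshakes verified for ", HOST)
```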

