fffonion/lua-resty-openssl

Is lua-resty-openssl-aux-module still required to run lua-resty-openssl in production?

Closed this issue · 3 comments

We are using official OpenResty Docker images as base, e.g. openresty/openresty:1.19.9.1-1-alpine-fat and installing pgmoon into it

luarocks install pgmoon

in order to access Postgres.

After upgrading Postgres from 12.x to 14.x we ran into

[error] 216#216: *1 lua entry thread aborted: runtime error: /usr/local/openresty/luajit/share/lua/5.1/pgmoon/init.lua:397: module 'resty.openssl.ssl' not found:
 	no field package.preload['resty.openssl.ssl']
 	no file '/usr/local/openresty/site/lualib/resty/openssl/ssl.ljbc'
 	no file '/usr/local/openresty/site/lualib/resty/openssl/ssl/init.ljbc'
 	no file '/usr/local/openresty/lualib/resty/openssl/ssl.ljbc'
 	no file '/usr/local/openresty/lualib/resty/openssl/ssl/init.ljbc'
 	no file '/usr/local/openresty/site/lualib/resty/openssl/ssl.lua'
 	no file '/usr/local/openresty/site/lualib/resty/openssl/ssl/init.lua'
 	no file '/usr/local/openresty/lualib/resty/openssl/ssl.lua'
 	no file '/usr/local/openresty/lualib/resty/openssl/ssl/init.lua'
 	no file '/usr/local/openresty/site/lualib/resty/openssl/ssl.ljbc'
 	no file '/usr/local/openresty/site/lualib/resty/openssl/ssl/init.ljbc'
 	no file '/usr/local/openresty/lualib/resty/openssl/ssl.ljbc'
 	no file '/usr/local/openresty/lualib/resty/openssl/ssl/init.ljbc'
 	no file '/usr/local/openresty/site/lualib/resty/openssl/ssl.lua'
 	no file '/usr/local/openresty/site/lualib/resty/openssl/ssl/init.lua'
 	no file '/usr/local/openresty/lualib/resty/openssl/ssl.lua'
 	no file '/usr/local/openresty/lualib/resty/openssl/ssl/init.lua'
 	no file './resty/openssl/ssl.lua'
 	no file '/usr/local/openresty/luajit/share/luajit-2.1.0-beta3/resty/openssl/ssl.lua'
 	no file '/usr/local/share/lua/5.1/resty/openssl/ssl.lua'
 	no file '/usr/local/share/lua/5.1/resty/openssl/ssl/init.lua'
 	no file '/usr/local/openresty/luajit/share/lua/5.1/resty/openssl/ssl.lua'
 	no file '/usr/local/openresty/luajit/share/lua/5.1/resty/openssl/ssl/init.lua'
 	no file '/usr/local/openresty/site/lualib/resty/openssl/ssl.so'
 	no file '/usr/local/openresty/lualib/resty/openssl/ssl.so'
 	no file '/usr/local/openresty/site/lualib/resty/openssl/ssl.so'
 	no file '/usr/local/openresty/lualib/resty/openssl/ssl.so'
 	no file './resty/openssl/ssl.so'
 	no file '/usr/local/lib/lua/5.1/resty/openssl/ssl.so'
 	no file '/usr/local/openresty/luajit/lib/lua/5.1/resty/openssl/ssl.so'
 	no file '/usr/local/lib/lua/5.1/loadall.so'
 	no file '/usr/local/openresty/luajit/lib/lua/5.1/resty/openssl/ssl.so'
 	no file '/usr/local/openresty/site/lualib/resty.so'
 	no file '/usr/local/openresty/lualib/resty.so'
 	no file '/usr/local/openresty/site/lualib/resty.so'
 	no file '/usr/local/openresty/lualib/resty.so'
 	no file './resty.so'
 	no file '/usr/local/lib/lua/5.1/resty.so'
 	no file '/usr/local/openresty/luajit/lib/lua/5.1/resty.so'
 	no file '/usr/local/lib/lua/5.1/loadall.so'
 	no file '/usr/local/openresty/luajit/lib/lua/5.1/resty.so'
 stack traceback:
 coroutine 0:
 	[C]: in function 'require'
 	/usr/local/openresty/luajit/share/lua/5.1/pgmoon/init.lua:397: in function 'auth'
 	/usr/local/openresty/luajit/share/lua/5.1/pgmoon/init.lua:268: in function 'connect'

and OpenResty couldn't connect to Postgres anymore.

The fix was to add lua-resty-openssl

luarocks install lua-resty-openssl

Now the connection works, but we are getting the following warning

[lua] nginx.lua:260: get_ngx_ssl_from_socket_ctx(): note resty.openssl.auxiliary.nginx is using plain FFI and it's only intended to be used in development, consider using lua-resty-openssl.aux-module in production.

It looks like we need to install https://github.com/fffonion/lua-resty-openssl-aux-module

But, as far as I understand it, we would need to build OpenResty from source to do so.

Is lua-resty-openssl-aux-module still required to run in production?

What are the drawbacks of running lua-resty-openssl in production without lua-resty-openssl-aux-module?

Is there a way to add lua-resty-openssl-aux-module to the official OpenResty Docker image without building from source?

Thanks!

Hi @wkruse, the lua-resty-openssl-aux-module uses a compile-time calculated offset to get SSL objects, so it can never go wrong. Without that, we are using a pre-defined offset calculated at run-time; it will just work with an official OpenResty build (as tested in CI), but may not work if you patched it, or built from Nginx without applying all OpenResty patches, etc.; and when that happens, the outcome could be a segfault.

If you are just testing things out, or you are using the official openresty bundle, using it without the aux-module is fine. Alternatives are:

  • Build the openresty binary again, with the aux-module included, as you suggested
  • Use the source tarball with same version from openresty, build the aux-module as dynamic module, use it with official binary.
  • Use other openssl bindings like luaossl.

Specifically for your use case after upgrading Postgres from 12.x to 14.x: it's because postgres 14 by default switches to scram-sha-256 auth, a scheme for which pgmoon requires the lua-resty-openssl module. So the other way, if you just want it to work as before, is to tell postgres to go back to md5, and pgmoon won't require lua-resty-openssl to connect.
But do note postgres introduced scram-sha-256 for better security, so you might need to audit the risk carefully.
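As an added illustration of why pgmoon needs a crypto library once the server asks for scram-sha-256 (this is example code written for this thread, not pgmoon's or lua-resty-openssl's, and it uses Python's hashlib/hmac in place of lua-resty-openssl): the SCRAM-SHA-256 client proof involves PBKDF2, HMAC-SHA-256, SHA-256 and an XOR, per RFC 5802, whereas md5 auth needs only an MD5 digest. The username, password, nonces, salt and iteration count are the sample values from the RFC 7677 example exchange, used here as constructed input; the code also performs the server-side check of the proof and the client-side check of the server signature so the whole mutual exchange can be followed.

```python
import base64
import hashlib
import hmac

# Constructed sample values, taken from the SCRAM-SHA-256 example exchange in
# RFC 7677 section 3. They are test data, not credentials from this issue.
USERNAME = "user"
PASSWORD = "pencil"
CLIENT_NONCE = "rOprNGfwEbeRWgbNEkqO"
SERVER_NONCE_SUFFIX = "%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0"
SALT = base64.b64decode("W22ZaJ0SNY7soEsUEjb6gQ==")
ITERATIONS = 4096


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def derive_keys(password: str, salt: bytes, iterations: int) -> dict:
    """RFC 5802 section 3: SaltedPassword via PBKDF2, then ClientKey,
    StoredKey and ServerKey. The server keeps only StoredKey/ServerKey."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    client_key = _hmac(salted, b"Client Key")
    return {
        "client_key": client_key,
        "stored_key": hashlib.sha256(client_key).digest(),
        "server_key": _hmac(salted, b"Server Key"),
    }


def build_auth_message(username: str, client_nonce: str, server_nonce: str,
                       salt: bytes, iterations: int) -> bytes:
    """AuthMessage = client-first-bare + server-first + client-final-without-proof.
    'c=biws' is base64('n,,'): no channel binding, which is what pgmoon sends."""
    client_first_bare = f"n={username},r={client_nonce}"
    server_first = f"r={server_nonce},s={base64.b64encode(salt).decode()},i={iterations}"
    client_final_without_proof = f"c=biws,r={server_nonce}"
    return f"{client_first_bare},{server_first},{client_final_without_proof}".encode()


def client_proof(password: str, auth_message: bytes, salt: bytes, iterations: int) -> str:
    """ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage), base64-encoded."""
    keys = derive_keys(password, salt, iterations)
    client_signature = _hmac(keys["stored_key"], auth_message)
    return base64.b64encode(_xor(keys["client_key"], client_signature)).decode()


def server_verify(stored_key: bytes, server_key: bytes, auth_message: bytes, proof_b64: str):
    """Server side: recover ClientKey from the proof and check H(ClientKey) == StoredKey.
    Returns (accepted, server-signature) where the signature proves the server knows ServerKey."""
    client_signature = _hmac(stored_key, auth_message)
    client_key = _xor(base64.b64decode(proof_b64), client_signature)
    accepted = hmac.compare_digest(hashlib.sha256(client_key).digest(), stored_key)
    server_sig = base64.b64encode(_hmac(server_key, auth_message)).decode()
    return accepted, server_sig


def client_verify_server(password: str, auth_message: bytes, salt: bytes,
                         iterations: int, server_sig_b64: str) -> bool:
    """Client side: confirm the server's signature, i.e. mutual authentication."""
    keys = derive_keys(password, salt, iterations)
    expected = base64.b64encode(_hmac(keys["server_key"], auth_message)).decode()
    return hmac.compare_digest(expected, server_sig_b64)


def run_exchange(client_password: str = PASSWORD):
    """Run the full exchange; the server's stored keys always derive from the real
    password, so a wrong client_password must be rejected."""
    server_nonce = CLIENT_NONCE + SERVER_NONCE_SUFFIX
    auth_message = build_auth_message(USERNAME, CLIENT_NONCE, server_nonce, SALT, ITERATIONS)
    proof = client_proof(client_password, auth_message, SALT, ITERATIONS)
    stored = derive_keys(PASSWORD, SALT, ITERATIONS)
    accepted, server_sig = server_verify(stored["stored_key"], stored["server_key"],
                                         auth_message, proof)
    mutual = accepted and client_verify_server(client_password, auth_message,
                                               SALT, ITERATIONS, server_sig)
    return {"accepted": accepted, "mutual": mutual, "proof": proof, "server_sig": server_sig}


if __name__ == "__main__":
    print(run_exchange())
    print(run_exchange("wrong-password"))
```

For these inputs the proof and server signature can be compared against the values printed in RFC 7677 section 3. The point for the thread above is the set of primitives involved: PBKDF2 with 4096 iterations, HMAC-SHA-256 and SHA-256, none of which ngx_lua exposes on its own, which is what pulls lua-resty-openssl into pgmoon's scram-sha-256 path.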

@fffonion Thank you for the very fast and comprehensive answer! 🍻 I'll have a look into dynamic modules. Also running without the lua-resty-openssl-aux-module is an option for us, as we are using the official OpenResty build.