SSL commands
SSL:sni()
Returns the server name from the SNI extension, or false if the peer did not send one.
This function should be used in script events CLIENTSSL_HANDSHAKE and SERVERSSL_HANDSHAKE.
Example
when CLIENTSSL_HANDSHAKE {
local svr_name = SSL:sni()
if svr_name then
debug("client handshake sni: %s\n", svr_name)
end
}
SSL:set_sni(svr_name)
Returns true if the server name indication extension has been set, otherwise false.
This function should be used in the script event SERVERSSL_CLIENTHELLO_SEND.
Example
when SERVERSSL_CLIENTHELLO_SEND {
local svr_name = "www.visa.com"
debug("set Server Name Indication(SNI) in ClientHello = %s\n", svr_name)
SSL:set_sni(svr_name)
}
Helper function used in the examples below:
-- Prints a (possibly nested) table; indent is the number of \t characters
-- prepended to each line for formatting purposes.
function print_table(tbl, indent)
local space = string.rep('\t', indent)
for key, value in pairs(tbl) do
if type(value) == 'table' then
debug("%s sub-table[%s]\n", space, key)
print_table(value, indent + 1)
else
debug("%s %s: %s\n", space, key, tostring(value))
end
end
end
SSL:cipher()
Returns the cipher suite negotiated in the handshake (string type, in OpenSSL form). Note that the name returned is in standard RFC format.
This function should be used in script events CLIENTSSL_HANDSHAKE and SERVERSSL_HANDSHAKE.
Example
when CLIENTSSL_HANDSHAKE {
local cipher = SSL:cipher()
if cipher then
debug("cipher in client handshake =%s\n", cipher)
end
}
SSL:version()
Returns the SSL/TLS protocol version negotiated in the handshake (string type).
This function should be used in script events CLIENTSSL_HANDSHAKE and SERVERSSL_HANDSHAKE.
Example
when CLIENTSSL_HANDSHAKE {
local ssl_version = SSL:version()
debug("client ssl version : %s\n", ssl_version)
}
SSL:alpn()
Returns the ALPN protocol selected in the handshake (string type). Returns false if the peer did not present ALPN or it is not supported.
This function should be used in script events CLIENTSSL_HANDSHAKE and SERVERSSL_HANDSHAKE.
Example
when CLIENTSSL_HANDSHAKE {
local alpn_protocol = SSL:alpn()
if alpn_protocol then
debug("alpn_protocol in client handshake = %s\n", alpn_protocol)
end
}
SSL:client_cert_verify()
Returns whether client certificate verification is enabled: true if enabled, otherwise false.
This function should be ONLY used in script event CLIENTSSL_HANDSHAKE.
SSL:cert_count()
Returns the total number of certificates that the peer has offered, including the peer (leaf) certificate and the client certificate chain (integer).
This function should be ONLY used in script event CLIENTSSL_HANDSHAKE.
Example
when CLIENTSSL_HANDSHAKE {
if SSL:client_cert_verify() then
debug("client cert verify enabled\n")
local cert_cnt = SSL:cert_count()
debug("cert_cnt number %d\n", cert_cnt)
end
}
SSL:get_peer_cert_by_idx(index_value)
Returns the X509 certificate at position index_value in the peer certificate chain, where index_value is an integer greater than or equal to zero.
A value of zero denotes the first certificate in the chain (the leaf peer certificate);
a value of one denotes the next (its issuer), and so on. If the index is out of range, nil is returned.
Return type: a table containing the information of the client certificate.
This function should be ONLY used in script event CLIENTSSL_HANDSHAKE.
Example
when CLIENTSSL_HANDSHAKE {
local cert_cnt = SSL:cert_count()
if cert_cnt >= 1 then
local cert_table = SSL:get_peer_cert_by_idx(0)
print_table(cert_table, 0)
end
debug("verify result: %d\n", SSL:verify_result())
}
SSL:verify_result()
Returns the result code from peer certificate verification. The returned code uses the same values as OpenSSL's X509 verify result (X509_V_ERR_*) definitions.
Return type: integer. Returns -1 if the verification code cannot be retrieved.
This function should be ONLY used in script event CLIENTSSL_HANDSHAKE.
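The following is an added example, not part of the original reference, that combines the CLIENTSSL_HANDSHAKE functions above into a single audit record per handshake: SNI, protocol version, cipher suite and ALPN on one line, a flag for legacy protocol versions, and, when client certificate verification is enabled, the decoded verify result and a walk over the offered chain. It assumes version strings follow OpenSSL naming (for example "TLSv1.2") and that the certificate table may contain nested sub-tables; the X509_V_* code values are the standard OpenSSL ones.

```lua
-- Added example (not from the original reference). Uses only the SSL
-- functions documented above plus debug(). Assumptions: version strings
-- use OpenSSL names such as "TLSv1.2"; certificate table field names are
-- not specified by the reference, so scalar fields are listed generically.

-- Subset of OpenSSL X509 verify result codes, for readable logging.
local VERIFY_NAMES = {
    [0]  = "X509_V_OK",
    [2]  = "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT",
    [9]  = "X509_V_ERR_CERT_NOT_YET_VALID",
    [10] = "X509_V_ERR_CERT_HAS_EXPIRED",
    [18] = "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT",
    [19] = "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN",
    [20] = "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
    [27] = "X509_V_ERR_CERT_UNTRUSTED",
}

-- Protocol versions worth flagging when negotiated (assumed naming).
local LEGACY_VERSIONS = { ["SSLv3"] = true, ["TLSv1"] = true, ["TLSv1.1"] = true }

-- Map a verify_result() code to its OpenSSL name; -1 means not retrievable.
local function verify_name(code)
    if code == -1 then
        return "unavailable"
    end
    return VERIFY_NAMES[code] or ("X509_V_ERR_" .. tostring(code))
end

when CLIENTSSL_HANDSHAKE {
    local sni     = SSL:sni() or "-"
    local version = SSL:version()
    local cipher  = SSL:cipher() or "-"
    local alpn    = SSL:alpn() or "-"

    -- One line per handshake, easy to forward to a log collector.
    debug("tls audit sni=%s version=%s cipher=%s alpn=%s\n",
          sni, version, cipher, alpn)

    if LEGACY_VERSIONS[version] then
        debug("tls audit legacy protocol negotiated: %s (sni=%s)\n", version, sni)
    end

    -- Client certificate details only exist when verification is enabled.
    if SSL:client_cert_verify() then
        local count  = SSL:cert_count()
        local result = SSL:verify_result()
        debug("tls audit client cert chain length=%d verify=%s\n",
              count, verify_name(result))

        -- Walk the chain: index 0 is the leaf, higher indices its issuers.
        for idx = 0, count - 1 do
            local cert = SSL:get_peer_cert_by_idx(idx)
            if cert == nil then
                debug("tls audit cert[%d] not retrievable\n", idx)
            else
                for key, value in pairs(cert) do
                    if type(value) ~= "table" then
                        debug("tls audit cert[%d] %s=%s\n", idx, key, tostring(value))
                    end
                end
            end
        end
    end
}
```

The record is emitted even when SNI, cipher or ALPN are absent (each falls back to "-"), so a missing field is visible in the log rather than silently skipped; the chain walk stops cleanly on a nil return because get_peer_cert_by_idx returns nil for an out-of-range index.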
SSL:session(t) [TODO]
Allows you to get the SSL session ID, check whether the session was reused, or remove the session from the cache.
Input t
is a table with a key "operation" whose value is one of three choices: "get_id", "remove" or "reused".
Returns a string for the get_id operation, and a boolean for the remove or reused operations.
This function should be used in script events CLIENTSSL_HANDSHAKE and SERVERSSL_HANDSHAKE.