Why and how luasec 0.6?


#1

Hello everyone.

I’m trying to create custom plugins using Kong.

When I execute: luarocks install kong, luarocks tries to install every kong dependency.

Everything works except for luasec. I get the following output:

Installing https://luarocks.org/luasec-0.6-2.src.rock
gcc -O2 -fPIC -I/usr/local/openresty/luajit/include/luajit-2.1 -c src/x509.c -o src/x509.o -DWITH_LUASOCKET -DLUASOCKET_DEBUG -I/usr/include -Isrc/ -Isrc/luasocket
In file included from src/x509.h:15:0,
                 from src/x509.c:33:
src/config.h:19:0: warning: "luaL_newlib" redefined
 #define luaL_newlib(L, R) do { lua_newtable(L); luaL_register(L, NULL, R); } while(0)
 
In file included from src/x509.c:31:0:
/usr/local/openresty/luajit/include/luajit-2.1/lauxlib.h:125:0: note: this is the location of the previous definition
 #define luaL_newlib(L, l) (luaL_newlibtable(L, l), luaL_setfuncs(L, l, 0))
 
src/x509.c: In function ‘push_asn1_string’:
src/x509.c:149:5: warning: ‘ASN1_STRING_data’ is deprecated [-Wdeprecated-declarations]
     lua_pushlstring(L, (char*)ASN1_STRING_data(string),
     ^~~~~~~~~~~~~~~
In file included from /usr/include/openssl/bn.h:31:0,
                 from /usr/include/openssl/asn1.h:24,
                 from /usr/include/openssl/objects.h:916,
                 from /usr/include/openssl/evp.h:27,
                 from /usr/include/openssl/x509.h:23,
                 from /usr/include/openssl/ssl.h:50,
                 from src/x509.c:22:
/usr/include/openssl/asn1.h:553:1: note: declared here
 DEPRECATEDIN_1_1_0(unsigned char *ASN1_STRING_data(ASN1_STRING *x))
 ^
src/x509.c: In function ‘push_asn1_ip’:
src/x509.c:185:3: warning: ‘ASN1_STRING_data’ is deprecated [-Wdeprecated-declarations]
   unsigned char *ip = ASN1_STRING_data(string);
   ^~~~~~~~
In file included from /usr/include/openssl/bn.h:31:0,
                 from /usr/include/openssl/asn1.h:24,
                 from /usr/include/openssl/objects.h:916,
                 from /usr/include/openssl/evp.h:27,
                 from /usr/include/openssl/x509.h:23,
                 from /usr/include/openssl/ssl.h:50,
                 from src/x509.c:22:
/usr/include/openssl/asn1.h:553:1: note: declared here
 DEPRECATEDIN_1_1_0(unsigned char *ASN1_STRING_data(ASN1_STRING *x))
 ^
src/x509.c: In function ‘meth_extensions’:
src/x509.c:296:35: error: dereferencing pointer to incomplete type ‘X509_EXTENSION {aka struct X509_extension_st}’
     push_asn1_objname(L, extension->object, 1);
                                   ^~
src/x509.c: In function ‘meth_pubkey’:
src/x509.c:407:32: error: dereferencing pointer to incomplete type ‘EVP_PKEY {aka struct evp_pkey_st}’
       switch(EVP_PKEY_type(pkey->type)) {
                                ^~

Error: Failed installing dependency: https://luarocks.org/luasec-0.6-2.src.rock - Build error: Failed compiling object src/x509.o

Which is the EXACT error discussed in this issue: https://github.com/brunoos/luasec/issues/101

Apparently this has been fixed in luasec 0.7 and released in Jun 27.

So my questions are:

  1. Why do Kong specifies luasec 0.6 ? Can’t we use 0.7 ?
  2. How do you guys manage to install luasec 0.6 ? I can’t make it work.

#2

Hi,

You get this error when linking LuaSec 0.6 against OpenSSL 1.1.0. You should not have this issue with OpenSSL 1.0.1, which is the version Kong is currently compatible with. Support for OpenSSL 1.1.0 is very new in OpenResty/LuaSec.

There is an open PR to bump the LuaSec version:

It is not yet merged because of the CI error, and the error hasn’t been studied yet because we are planning on offering OpenSSL 1.1 support in our next major version, for which we do not have an exact timeframe to communicate yet. Even if we merged the PR today, it would not be available until the next release anyway.

If you manage to update the rockspec and require LuaSec 0.7 instead, know that we haven’t conducted tests with it, but it most likely should be ok.


#3

Much thanks @thibaultcha !

It worked with OpenSSL 1.0.2 too.


#4

Glad to hear. FYI, I just merged https://github.com/Kong/kong/pull/3680 in master, so expect the bump to be in the next release (maybe with OpenSSL 1.1.1, who knows? :slightly_smiling_face:)