feat: support mTLS (#124)

spacewander · web-flow · commit f33e99be8697 · 2021-03-22T23:24:10.000+08:00
Fix #14
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -25,6 +25,8 @@ jobs:
             conf: Procfile-single-enable-v2
           - version: 3.4.0
             conf: Procfile-single-enable-tls
+          - version: 3.4.0
+            conf: Procfile-single-enable-mtls
 
     runs-on: "ubuntu-20.04"
     env:
@@ -50,12 +52,13 @@ jobs:
       - name: install
         run: |
           git clone https://github.com/openresty/test-nginx.git test-nginx
+          cd test-nginx && (sudo cpanm --notest . > build.log 2>&1 || (cat build.log && exit 1)) && cd ..
+
+          wget https://raw.githubusercontent.com/api7/apisix-build-tools/master/build-apisix-openresty.sh
+          chmod +x build-apisix-openresty.sh
+          OR_PREFIX=$OPENRESTY_PREFIX ./build-apisix-openresty.sh latest
+
           sudo luarocks make rockspec/lua-resty-etcd-master-0.1-0.rockspec
-          wget -qO - https://openresty.org/package/pubkey.gpg | sudo apt-key add -
-          sudo apt-get -y install software-properties-common
-          sudo add-apt-repository -y "deb http://openresty.org/package/ubuntu $(lsb_release -sc) main"
-          sudo apt-get update
-          sudo apt-get install openresty
           sudo luarocks install luacheck > build.log 2>&1 || (cat build.log && exit 1)
           sudo luarocks install dkjson > build.log 2>&1 || (cat build.log && exit 1)
           make utils
@@ -66,13 +69,13 @@ jobs:
           go get github.com/mattn/goreman
 
       - name: script
+        if: matrix.conf != 'Procfile-single-enable-mtls'
         run: |
           if [[ "$GOREMAN_CONF" == "Procfile-single-enable-tls" ]]; then
             export ETCD_ENABLE_TLS=TRUE
             export AUTH_ENDPOINT_V2=https://127.0.0.1:12379
             export ETCDCTL_EXTRA_OPTS="--insecure-transport=false --insecure-skip-tls-verify=true"
           fi
-          cd test-nginx && (sudo cpanm --notest . > build.log 2>&1 || (cat build.log && exit 1)) && cd ..
           export PATH=$OPENRESTY_PREFIX/nginx/sbin:$OPENRESTY_PREFIX/luajit/bin:$PWD/etcd-v$ETCD_VER-linux-amd64:$PATH
           etcd --version
           goreman -f ./t/$GOREMAN_CONF start > goreman.log 2>&1 &
@@ -87,3 +90,13 @@ jobs:
           luajit -v | awk '{print$2}'| grep 2.1
           make lint || exit 1
           make test
+
+      - name: script
+        if: matrix.conf == 'Procfile-single-enable-mtls'
+        run: |
+            export ETCD_ENABLE_MTLS=TRUE
+            export PATH=$OPENRESTY_PREFIX/nginx/sbin:$OPENRESTY_PREFIX/luajit/bin:$PWD/etcd-v$ETCD_VER-linux-amd64:$PATH
+            etcd --version
+            goreman -f ./t/$GOREMAN_CONF start > goreman.log 2>&1 &
+            sleep 5
+            prove -I../test-nginx/lib t/v3/mtls.t
diff --git a/api_v3.md b/api_v3.md
@@ -41,6 +41,8 @@ Method
     to suit [etcd v3 api gateway](https://github.com/etcd-io/etcd/blob/master/Documentation/dev-guide/api_grpc_gateway.md#notes).
     it will autofill by fetching etcd version if this option empty.
   - `ssl_verify`: boolean - whether to verify the etcd certificate when originating TLS connection with etcd (if you want to communicate to etcd with TLS connection, use `https` scheme in your `http_host`), default is `true`.
+  - `ssl_cert_path`： string - path to the client certificate
+  - `ssl_key_path`： string - path to the client key
   - `serializer`: string - serializer type, default `json`, also support `raw` to keep origin string value.
 
 The client method returns either a `etcd` object or an `error string`.
diff --git a/lib/resty/etcd/utils.lua b/lib/resty/etcd/utils.lua
@@ -1,4 +1,4 @@
--- https://github.com/ledgetech/lua-resty-http
+-- https://github.com/api7/lua-resty-http
 local http          = require("resty.http")
 local clear_tab     = require("table.clear")
 local split         = require("ngx.re").split
@@ -11,6 +11,11 @@ local pairs         = pairs
 local type          = type
 
 
+if not http.tls_handshake then
+    error("Bad http library. Should use api7-lua-resty-http instead")
+end
+
+
 local _M = {http = http}
 
 local normalize
diff --git a/lib/resty/etcd/v3.lua b/lib/resty/etcd/v3.lua
@@ -74,6 +74,8 @@ local function _request_uri(self, endpoint, method, uri, opts, timeout, ignore_a
         headers = headers,
         keepalive = keepalive,
         ssl_verify = self.ssl_verify,
+        ssl_cert_path = self.ssl_cert_path,
+        ssl_key_path = self.ssl_key_path,
     })
 
     if err then
@@ -118,6 +120,9 @@ function _M.new(opts)
     local user       = opts.user
     local password   = opts.password
     local ssl_verify = opts.ssl_verify
+    if ssl_verify == nil then
+        ssl_verify = true
+    end
     local serializer = opts.serializer
 
     if not typeof.uint(timeout) then
@@ -193,6 +198,9 @@ function _M.new(opts)
             key_prefix = key_prefix,
             ssl_verify = ssl_verify,
             serializer = serializer,
+
+            ssl_cert_path = opts.ssl_cert_path,
+            ssl_key_path = opts.ssl_key_path,
         },
         mt)
 end
@@ -584,26 +592,21 @@ local function request_chunk(self, endpoint, method, scheme, host, port, path, o
         end
     end
 
-    ok, err = http_cli:connect(host, port)
+    ok, err = http_cli:connect({
+        scheme = scheme,
+        host = host,
+        port = port,
+        ssl_verify = self.ssl_verify,
+        ssl_cert_path = self.ssl_cert_path,
+        ssl_key_path = self.ssl_key_path,
+    })
     if not ok then
         if health_check.conf ~= nil then
             health_check.report_failure(endpoint.http_host)
         end
         return nil, err
     end
 
-    if scheme == "https" then
-        local verify = true
-        if self.ssl_verify == false then
-            verify = false
-        end
-
-        ok, err = http_cli:ssl_handshake(nil, host, verify)
-        if not ok then
-            return nil, err
-        end
-    end
-
     local res
     res, err = http_cli:request({
         method  = method,
diff --git a/rockspec/lua-resty-etcd-master-0.1-0.rockspec b/rockspec/lua-resty-etcd-master-0.1-0.rockspec
@@ -13,7 +13,7 @@ description = {
 }
 
 dependencies = {
-   "lua-resty-http = 0.15",
+   "api7-lua-resty-http = 0.1.0",
    "lua-typeof = 0.1"
 }
 
diff --git a/t/Procfile-single-enable-mtls b/t/Procfile-single-enable-mtls
@@ -0,0 +1,6 @@
+# Use goreman to run `go get github.com/mattn/goreman`
+etcd0: etcd --enable-v2
+etcd1: etcd --name infra1 --listen-client-urls https://127.0.0.1:12379 --advertise-client-urls https://127.0.0.1:12379 --listen-peer-urls http://127.0.0.1:12380 --initial-advertise-peer-urls http://127.0.0.1:12380 --initial-cluster-token etcd-cluster-1 --initial-cluster 'infra1=http://127.0.0.1:12380,infra2=http://127.0.0.1:22380,infra3=http://127.0.0.1:32380' --initial-cluster-state new --cert-file ./t/certs/mtls_server.crt --key-file ./t/certs/mtls_server.key --client-cert-auth --trusted-ca-file ./t/certs/mtls_ca.crt --enable-v2
+etcd2: etcd --name infra2 --listen-client-urls https://127.0.0.1:22379 --advertise-client-urls https://127.0.0.1:22379 --listen-peer-urls http://127.0.0.1:22380 --initial-advertise-peer-urls http://127.0.0.1:22380 --initial-cluster-token etcd-cluster-1 --initial-cluster 'infra1=http://127.0.0.1:12380,infra2=http://127.0.0.1:22380,infra3=http://127.0.0.1:32380' --initial-cluster-state new --cert-file ./t/certs/mtls_server.crt --key-file ./t/certs/mtls_server.key --client-cert-auth --trusted-ca-file ./t/certs/mtls_ca.crt --enable-v2
+etcd3: etcd --name infra3 --listen-client-urls https://127.0.0.1:32379 --advertise-client-urls https://127.0.0.1:32379 --listen-peer-urls http://127.0.0.1:32380 --initial-advertise-peer-urls http://127.0.0.1:32380 --initial-cluster-token etcd-cluster-1 --initial-cluster 'infra1=http://127.0.0.1:12380,infra2=http://127.0.0.1:22380,infra3=http://127.0.0.1:32380' --initial-cluster-state new --cert-file ./t/certs/mtls_server.crt --key-file ./t/certs/mtls_server.key --client-cert-auth --trusted-ca-file ./t/certs/mtls_ca.crt --enable-v2
+# A learner node can be started using Procfile.learner
diff --git a/t/certs/mtls_ca.crt b/t/certs/mtls_ca.crt
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDSjCCAjICCQDmBdlKmGaJITANBgkqhkiG9w0BAQUFADBnMQswCQYDVQQGEwJj
+bjESMBAGA1UECAwJR3VhbmdEb25nMQ8wDQYDVQQHDAZaaHVIYWkxDTALBgNVBAoM
+BGFwaTcxDDAKBgNVBAsMA29wczEWMBQGA1UEAwwNY2EuYXBpc2l4LmRldjAeFw0y
+MDA2MjAxMzEzNDFaFw0zMDA2MTgxMzEzNDFaMGcxCzAJBgNVBAYTAmNuMRIwEAYD
+VQQIDAlHdWFuZ0RvbmcxDzANBgNVBAcMBlpodUhhaTENMAsGA1UECgwEYXBpNzEM
+MAoGA1UECwwDb3BzMRYwFAYDVQQDDA1jYS5hcGlzaXguZGV2MIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAun+Gq/bp7CcZ9i5ZdjuCvyZVXsiAaBELVi/Q
+QQtC90z5aQyWudTPB1Lcpk5HosbT73eHh03hFCRMFv6Miase1T59KJ4zGSFKoFEr
+j2cbNmWFJEhTGce1pn52zMzZrXERYhKBA0n4bwHK/IND0XeEZ2RQPtGnGBqj3vKL
+3px+mOzIeMy4VMSkIkL2jlgo5jN0IjQIsvHRSrhIWzFhr6qtIJhuh0oI6gs+/yvA
+vspGeVFtIg/1PY3bOgFfhJg08/Aw7vgMjmADypEbBabLaWOZ8RZ3Ci2is6cL/1wX
+Sr8OIIBXTmTGmXEuSsMsBgC7BFwEY4XEsGx8QQJsrh1dSf2t0QIDAQABMA0GCSqG
+SIb3DQEBBQUAA4IBAQCKC98wWieC66NHAYb9ICOwr+XTmoFABpFNaM4bPXMD4IUq
+BaMGfBh92e4ANz2bm1D3J0ZNH3TVC7OhF2ymi6wSMde/Ygkh5xu2HgTEX2QTDQVd
+J27jwEIe45VLdvuu33jvE/iNNQHI6J6zP45gs/FS+CwMoYRnNcC+428YUf9XMcgM
+UkeMOnnkhw1OUzmoACY705hAEAPFbb7KkQ109lgbh6cucMy7Nw/N1t6Pyuxlqteg
+d8Wy6VFYPRRK43dYoA9B0yvsZCERvxgR1IrDjo0B2wIDzM4eM6ldLfnr8pPnBFfS
+g/Pdo6VZsXeSv3o00lBEY/25Vqxn3sPBK4E7a+mX
+-----END CERTIFICATE-----
diff --git a/t/certs/mtls_client.crt b/t/certs/mtls_client.crt
@@ -0,0 +1,69 @@
+Certificate:
+    Data:
+        Version: 1 (0x0)
+        Serial Number: 64207 (0xfacf)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=cn, ST=GuangDong, L=ZhuHai, O=api7, OU=ops, CN=ca.apisix.dev
+        Validity
+            Not Before: Jun 20 13:15:00 2020 GMT
+            Not After : Jul  8 13:15:00 2030 GMT
+        Subject: C=cn, ST=GuangDong, O=api7, L=ZhuHai, CN=client.apisix.dev
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:9f:28:8f:2e:88:41:ff:89:f6:62:91:29:d1:6b:
+                    7f:c4:d8:1e:28:85:55:91:c2:3a:3f:23:1c:83:11:
+                    6a:26:81:1e:2d:2e:4d:69:48:98:4f:ff:84:82:2d:
+                    6b:8c:41:31:56:4d:b4:aa:b7:52:05:63:2e:19:6d:
+                    54:87:1f:21:a8:34:f9:89:1a:b1:d1:24:21:84:fa:
+                    c8:29:7f:39:f4:1a:35:78:95:74:0f:24:3d:24:e8:
+                    64:75:09:7d:8c:a3:54:d6:74:5a:92:27:f1:dc:e4:
+                    04:30:71:01:67:3d:fa:0b:03:0b:01:cb:8c:aa:ae:
+                    59:9f:f7:a6:40:53:2b:65:ff:b6:64:8d:fe:0f:ee:
+                    62:64:24:7b:4c:fd:68:12:47:4a:46:86:36:53:00:
+                    64:5f:e4:32:56:a0:ee:75:92:2d:e2:dc:92:3e:d7:
+                    99:8e:86:69:e7:0a:99:e4:b2:71:95:3d:f9:7d:da:
+                    af:76:1f:3f:f8:bf:78:aa:13:e5:13:84:f6:11:a5:
+                    c1:9b:9d:d7:73:32:f3:da:09:78:9a:be:0f:01:fe:
+                    ed:8b:55:b9:f8:97:46:9d:6a:6a:90:19:ea:4e:02:
+                    30:ff:d7:1a:da:39:53:f6:5b:6d:96:d0:fc:ed:0d:
+                    72:78:ac:b7:be:71:aa:4d:4b:8a:06:b9:25:1f:90:
+                    81:0d
+                Exponent: 65537 (0x10001)
+    Signature Algorithm: sha256WithRSAEncryption
+         72:a7:1f:15:21:ba:4f:e7:2f:64:a0:e5:40:7c:e0:ea:09:7b:
+         95:cf:80:d0:6f:54:c2:8d:d1:cf:cd:00:f2:95:20:f9:e2:9e:
+         f5:1c:1b:f9:87:78:a7:b1:3f:31:34:b0:c8:1a:44:da:2c:ef:
+         93:76:d7:df:44:5f:27:6a:51:cb:09:f2:32:f4:70:db:50:da:
+         4e:49:41:75:e0:d2:7b:4d:0b:8b:6e:0a:02:0a:00:e9:ce:f3:
+         bf:72:e6:14:86:df:a7:b9:ef:09:80:a1:52:a7:69:b8:23:7a:
+         3d:3d:cc:6d:64:91:7b:c0:9a:98:2a:a3:17:95:0a:ee:e1:ed:
+         f2:be:02:ea:cb:6e:c1:82:4d:a1:e8:03:9a:46:d6:d7:07:0f:
+         12:50:7e:95:5c:6c:17:f0:40:34:81:5b:74:90:8e:24:6a:5f:
+         8e:77:ff:4d:67:c3:a9:1b:39:e2:ca:62:b6:89:ca:c6:86:f1:
+         95:36:2b:cf:96:a5:6e:89:0e:e6:dc:88:78:f0:7d:09:e9:53:
+         65:35:e9:72:a2:be:1c:5e:b8:a6:2b:57:f2:0d:2f:4b:31:8f:
+         f7:d9:ad:a3:58:12:bb:c9:5b:38:79:96:5b:c8:74:d2:e6:79:
+         23:e6:bd:be:74:25:42:2c:fa:50:ea:9f:53:28:6d:35:f3:0e:
+         9b:82:15:70
+-----BEGIN CERTIFICATE-----
+MIIDOjCCAiICAwD6zzANBgkqhkiG9w0BAQsFADBnMQswCQYDVQQGEwJjbjESMBAG
+A1UECAwJR3VhbmdEb25nMQ8wDQYDVQQHDAZaaHVIYWkxDTALBgNVBAoMBGFwaTcx
+DDAKBgNVBAsMA29wczEWMBQGA1UEAwwNY2EuYXBpc2l4LmRldjAeFw0yMDA2MjAx
+MzE1MDBaFw0zMDA3MDgxMzE1MDBaMF0xCzAJBgNVBAYTAmNuMRIwEAYDVQQIDAlH
+dWFuZ0RvbmcxDTALBgNVBAoMBGFwaTcxDzANBgNVBAcMBlpodUhhaTEaMBgGA1UE
+AwwRY2xpZW50LmFwaXNpeC5kZXYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQCfKI8uiEH/ifZikSnRa3/E2B4ohVWRwjo/IxyDEWomgR4tLk1pSJhP/4SC
+LWuMQTFWTbSqt1IFYy4ZbVSHHyGoNPmJGrHRJCGE+sgpfzn0GjV4lXQPJD0k6GR1
+CX2Mo1TWdFqSJ/Hc5AQwcQFnPfoLAwsBy4yqrlmf96ZAUytl/7Zkjf4P7mJkJHtM
+/WgSR0pGhjZTAGRf5DJWoO51ki3i3JI+15mOhmnnCpnksnGVPfl92q92Hz/4v3iq
+E+UThPYRpcGbnddzMvPaCXiavg8B/u2LVbn4l0adamqQGepOAjD/1xraOVP2W22W
+0PztDXJ4rLe+capNS4oGuSUfkIENAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAHKn
+HxUhuk/nL2Sg5UB84OoJe5XPgNBvVMKN0c/NAPKVIPninvUcG/mHeKexPzE0sMga
+RNos75N2199EXydqUcsJ8jL0cNtQ2k5JQXXg0ntNC4tuCgIKAOnO879y5hSG36e5
+7wmAoVKnabgjej09zG1kkXvAmpgqoxeVCu7h7fK+AurLbsGCTaHoA5pG1tcHDxJQ
+fpVcbBfwQDSBW3SQjiRqX453/01nw6kbOeLKYraJysaG8ZU2K8+WpW6JDubciHjw
+fQnpU2U16XKivhxeuKYrV/INL0sxj/fZraNYErvJWzh5llvIdNLmeSPmvb50JUIs
++lDqn1MobTXzDpuCFXA=
+-----END CERTIFICATE-----
diff --git a/t/certs/mtls_client.key b/t/certs/mtls_client.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAnyiPLohB/4n2YpEp0Wt/xNgeKIVVkcI6PyMcgxFqJoEeLS5N
+aUiYT/+Egi1rjEExVk20qrdSBWMuGW1Uhx8hqDT5iRqx0SQhhPrIKX859Bo1eJV0
+DyQ9JOhkdQl9jKNU1nRakifx3OQEMHEBZz36CwMLAcuMqq5Zn/emQFMrZf+2ZI3+
+D+5iZCR7TP1oEkdKRoY2UwBkX+QyVqDudZIt4tySPteZjoZp5wqZ5LJxlT35fdqv
+dh8/+L94qhPlE4T2EaXBm53XczLz2gl4mr4PAf7ti1W5+JdGnWpqkBnqTgIw/9ca
+2jlT9lttltD87Q1yeKy3vnGqTUuKBrklH5CBDQIDAQABAoIBAHDe5bPdQ9jCcW3z
+fpGax/DER5b6//UvpfkSoGy/E+Wcmdb2yEVLC2FoVwOuzF+Z+DA5SU/sVAmoDZBQ
+vapZxJeygejeeo5ULkVNSFhNdr8LOzJ54uW+EHK1MFDj2xq61jaEK5sNIvRA7Eui
+SJl8FXBrxwmN3gNJRBwzF770fImHUfZt0YU3rWKw5Qin7QnlUzW2KPUltnSEq/xB
+kIzyWpuj7iAm9wTjH9Vy06sWCmxj1lzTTXlanjPb1jOTaOhbQMpyaAzRgQN8PZiE
+YKCarzVj7BJr7/vZYpnQtQDY12UL5n33BEqMP0VNHVqv+ZO3bktfvlwBru5ZJ7Cf
+URLsSc0CgYEAyz7FzV7cZYgjfUFD67MIS1HtVk7SX0UiYCsrGy8zA19tkhe3XVpc
+CZSwkjzjdEk0zEwiNAtawrDlR1m2kverbhhCHqXUOHwEpujMBjeJCNUVEh3OABr8
+vf2WJ6D1IRh8FA5CYLZP7aZ41fcxAnvIPAEThemLQL3C4H5H5NG2WFsCgYEAyHhP
+onpS/Eo/OXKYFLR/mvjizRVSomz1lVVL+GWMUYQsmgsPyBJgyAOX3Pqt9catgxhM
+DbEr7EWTxth3YeVzamiJPNVK0HvCax9gQ0KkOmtbrfN54zBHOJ+ieYhsieZLMgjx
+iu7Ieo6LDGV39HkvekzutZpypiCpKlMaFlCFiLcCgYEAmAgRsEj4Nh665VPvuZzH
+ZIgZMAlwBgHR7/v6l7AbybcVYEXLTNJtrGEEH6/aOL8V9ogwwZuIvb/TEidCkfcf
+zg/pTcGf2My0MiJLk47xO6EgzNdso9mMG5ZYPraBBsuo7NupvWxCp7NyCiOJDqGH
+K5NmhjInjzsjTghIQRq5+qcCgYEAxnm/NjjvslL8F69p/I3cDJ2/RpaG0sMXvbrO
+VWaMryQyWGz9OfNgGIbeMu2Jj90dar6ChcfUmb8lGOi2AZl/VGmc/jqaMKFnElHl
+J5JyMFicUzPMiG8DBH+gB71W4Iy+BBKwugHBQP2hkytewQ++PtKuP+RjADEz6vCN
+0mv0WS8CgYBnbMRP8wIOLJPRMw/iL9BdMf606X4xbmNn9HWVp2mH9D3D51kDFvls
+7y2vEaYkFv3XoYgVN9ZHDUbM/YTUozKjcAcvz0syLQb8wRwKeo+XSmo09+360r18
+zRugoE7bPl39WdGWaW3td0qf1r9z3sE2iWUTJPRQ3DYpsLOYIgyKmw==
+-----END RSA PRIVATE KEY-----
diff --git a/t/certs/mtls_server.crt b/t/certs/mtls_server.crt
@@ -0,0 +1,69 @@
+Certificate:
+    Data:
+        Version: 1 (0x0)
+        Serial Number: 64206 (0xface)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=cn, ST=GuangDong, L=ZhuHai, O=api7, OU=ops, CN=ca.apisix.dev
+        Validity
+            Not Before: Jun 20 13:14:34 2020 GMT
+            Not After : Jun 18 13:14:34 2030 GMT
+        Subject: C=cn, ST=GuangDong, O=api7, L=ZhuHai, CN=admin.apisix.dev
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:9b:45:2a:e1:c9:6e:a7:af:af:bd:46:5c:5e:5f:
+                    72:66:02:78:69:16:fd:f9:69:8e:47:68:0f:8d:35:
+                    92:c4:14:40:5c:cf:57:3d:41:ea:13:7b:f4:de:c8:
+                    ab:e8:62:56:1e:60:61:f6:38:65:5f:30:b5:91:25:
+                    79:07:12:45:ce:24:31:86:1f:2c:a6:cb:1d:8b:4b:
+                    9e:5f:1f:c7:b6:f3:e8:98:ee:b3:70:c7:9e:5d:10:
+                    ce:29:e4:22:68:69:9e:df:ae:f6:bb:11:e8:b8:f1:
+                    07:bf:2d:d5:57:f2:e4:07:8a:da:d2:7b:8a:53:d1:
+                    b4:f4:42:19:9a:14:98:01:3e:23:27:3a:0f:ad:d0:
+                    1d:c5:31:9a:ee:ae:df:7f:fb:2e:34:0b:51:ca:b4:
+                    8c:59:ae:86:5f:95:69:2b:4a:c6:2d:a5:ae:04:46:
+                    7a:93:09:15:72:0a:78:ef:98:7d:00:b5:b4:b2:f2:
+                    e2:a9:2e:04:fb:de:84:ad:da:8e:a3:31:53:3a:d5:
+                    91:cd:77:f5:b8:ea:eb:14:aa:d9:62:d1:12:79:87:
+                    08:27:6d:c1:b9:e3:7d:f1:07:52:3c:a3:34:6a:c1:
+                    96:cf:a2:84:cc:14:50:49:40:0b:38:3c:3b:1e:df:
+                    57:6f:f2:05:35:92:9b:4f:b1:21:0b:f7:62:3a:2d:
+                    83:c7
+                Exponent: 65537 (0x10001)
+    Signature Algorithm: sha256WithRSAEncryption
+         7a:1c:a3:d8:d4:97:5d:91:d2:c8:31:c4:40:ef:f1:38:ac:5c:
+         b9:74:66:81:94:4f:71:02:38:49:5a:0d:7b:10:17:73:a5:96:
+         3e:de:0e:a4:75:8c:1b:c7:51:f9:f6:eb:9d:f4:bd:4c:1c:92:
+         41:d0:16:c6:73:c1:f9:7c:b6:71:7d:16:53:13:fa:70:90:c0:
+         95:e3:a3:51:30:96:02:f2:32:32:fe:a9:d1:ef:c5:7e:04:58:
+         ca:20:ef:d0:43:8c:52:8d:52:3a:71:ed:0f:87:4e:8b:c6:28:
+         51:56:13:fd:71:81:10:cc:2f:2c:aa:8d:6a:93:d7:52:34:08:
+         23:7b:2b:a7:a4:3e:6b:8f:c3:af:59:b9:1c:b8:d8:6c:a3:88:
+         c7:bd:b5:e1:eb:6b:6a:f2:7d:a3:89:c6:b0:21:f8:1b:9a:dc:
+         bf:ef:d6:21:91:7f:65:99:4d:f4:49:24:ab:46:09:a0:c9:a1:
+         64:14:f4:56:73:ce:1b:22:dd:b7:1f:58:0f:29:ae:6a:6e:41:
+         6e:b4:5c:90:97:4e:59:4e:cf:e3:a1:89:d1:5a:65:a3:68:2f:
+         b9:97:82:6f:4c:21:cb:f6:9b:7d:fd:d8:07:70:14:cd:10:fb:
+         bf:03:70:fa:51:7c:56:4c:1b:a5:87:d3:1b:18:5c:22:87:6f:
+         04:08:59:53
+-----BEGIN CERTIFICATE-----
+MIIDOTCCAiECAwD6zjANBgkqhkiG9w0BAQsFADBnMQswCQYDVQQGEwJjbjESMBAG
+A1UECAwJR3VhbmdEb25nMQ8wDQYDVQQHDAZaaHVIYWkxDTALBgNVBAoMBGFwaTcx
+DDAKBgNVBAsMA29wczEWMBQGA1UEAwwNY2EuYXBpc2l4LmRldjAeFw0yMDA2MjAx
+MzE0MzRaFw0zMDA2MTgxMzE0MzRaMFwxCzAJBgNVBAYTAmNuMRIwEAYDVQQIDAlH
+dWFuZ0RvbmcxDTALBgNVBAoMBGFwaTcxDzANBgNVBAcMBlpodUhhaTEZMBcGA1UE
+AwwQYWRtaW4uYXBpc2l4LmRldjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBAJtFKuHJbqevr71GXF5fcmYCeGkW/flpjkdoD401ksQUQFzPVz1B6hN79N7I
+q+hiVh5gYfY4ZV8wtZEleQcSRc4kMYYfLKbLHYtLnl8fx7bz6Jjus3DHnl0Qzink
+Imhpnt+u9rsR6LjxB78t1Vfy5AeK2tJ7ilPRtPRCGZoUmAE+Iyc6D63QHcUxmu6u
+33/7LjQLUcq0jFmuhl+VaStKxi2lrgRGepMJFXIKeO+YfQC1tLLy4qkuBPvehK3a
+jqMxUzrVkc139bjq6xSq2WLREnmHCCdtwbnjffEHUjyjNGrBls+ihMwUUElACzg8
+Ox7fV2/yBTWSm0+xIQv3Yjotg8cCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAehyj
+2NSXXZHSyDHEQO/xOKxcuXRmgZRPcQI4SVoNexAXc6WWPt4OpHWMG8dR+fbrnfS9
+TBySQdAWxnPB+Xy2cX0WUxP6cJDAleOjUTCWAvIyMv6p0e/FfgRYyiDv0EOMUo1S
+OnHtD4dOi8YoUVYT/XGBEMwvLKqNapPXUjQII3srp6Q+a4/Dr1m5HLjYbKOIx721
+4etravJ9o4nGsCH4G5rcv+/WIZF/ZZlN9Ekkq0YJoMmhZBT0VnPOGyLdtx9YDymu
+am5BbrRckJdOWU7P46GJ0Vplo2gvuZeCb0why/abff3YB3AUzRD7vwNw+lF8Vkwb
+pYfTGxhcIodvBAhZUw==
+-----END CERTIFICATE-----
diff --git a/t/certs/mtls_server.key b/t/certs/mtls_server.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAm0Uq4clup6+vvUZcXl9yZgJ4aRb9+WmOR2gPjTWSxBRAXM9X
+PUHqE3v03sir6GJWHmBh9jhlXzC1kSV5BxJFziQxhh8spssdi0ueXx/HtvPomO6z
+cMeeXRDOKeQiaGme3672uxHouPEHvy3VV/LkB4ra0nuKU9G09EIZmhSYAT4jJzoP
+rdAdxTGa7q7ff/suNAtRyrSMWa6GX5VpK0rGLaWuBEZ6kwkVcgp475h9ALW0svLi
+qS4E+96ErdqOozFTOtWRzXf1uOrrFKrZYtESeYcIJ23BueN98QdSPKM0asGWz6KE
+zBRQSUALODw7Ht9Xb/IFNZKbT7EhC/diOi2DxwIDAQABAoIBAC3NJW0dAissw+ZN
+Twn3lcNJj0NQqPJdlL6zj4LT/ssgPiwibVWAkA/XTNA62ZrfBxBG1h7PW/fMYoLC
+TwUq+rRoMMOjhoRc/gYM9FaTBVKOeFpEb2IhQDGrt2TcCtpJ7beF4PolukRztRlL
+59bdqy4eY5YbIx6+iWZT6UFuObiDqi7i4SLWEgK+/P4Uk8/SmhVqIWcj1m3SPK6I
+YbzsgXiT64fNd7/O06ISKia1UzvUCtH7tbxWxCvsqw+PqQT+YuEmNY1pOQGYp0dU
+4ndzvrP0Ajuu3xH7aYP/Kilkz69PPMLygwNey4HRIAuUqw/HBfTR0/ccRSuhrYxb
+9QaOP0ECgYEAyuqLo/tjWrFiJnDbhK3z2qcydktFS58da2QitSRYlQ6AQXjZ3+v7
+buL1QV59aXzIGTZz3gjO+omdpfIagBI47YnWIUtj+NylNROWv+aZXQwgC7ayQWTg
+eBu8L2YXBvAR9TgHhqj3Fl4YcuipVE3XFVjjvLjrbE1nssMmaJqi95kCgYEAw+O7
+Zdj/NedbI2GtnZv31YlLmrMdtmeAmU2x8eC5v30Kx3GCU9DdZzImsaYxxjfSL+6c
+eP/DF8JHWIGo9GQPcMSijHsaNMIwgv6+5rx+Lp/zsjwRApJsVQeoff2ZdWjnFsi3
+rRHE8QZfWMqcnOsr4io7xfVd3t4tV22BBrnt8l8CgYEAncU3xcxUN9PryI+/Xq4S
+CFQvvCJSQrX4neNByS31Yg/gUQex/5Tv7guxPZ5GTJqkylW4SU73/3y4gqp3SFTi
+xm6Be2mu1XRZT6dnctXNMLeYwwLOHmJc1YZbD0+FX/ORQuTJlT4Sv+VxhQa5gb70
+GLkAeWAeTBrzId7yIir5wyECgYAw2iJqC+vZrZD1Ce8aV0M/ZbYNJo5KZxWTJeUy
+xTCNqMl/Y7d036nXipJLy36uSE2K1p7/LgmhazoPwIY6LJoNLXy8PBcVATjH8m/5
+axis2AcWdBRp58pMilRi11PmC/tVm0jzSHMtCMHOivjzyVJwXMf7Xm3CnvX/z7dV
+zhihUQKBgHWtWfNk/svgLp6w8T6aMgyAb9ud5pX/CbNZhGNRqhPhJkss1tFr6/Mv
+bJiZoEP3C0sDdA1JRuMkXm5EE60xyhzCNmv5H0cQ3C2Y9Q9ly89ggwIXNiNfKWpP
+VrdvXQ3NkP/RaDy83B9dN2Jb6lUpcNQnB5Q5yAlsYaYgsGBedcvc
+-----END RSA PRIVATE KEY-----
diff --git a/t/v3/mtls.t b/t/v3/mtls.t

Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,7 @@ description = {`
`13`	`13`	`}`
`14`	`14`
`15`	`15`	`dependencies = {`
`16`		`- "lua-resty-http = 0.15",`
	`16`	`+ "api7-lua-resty-http = 0.1.0",`
`17`	`17`	`"lua-typeof = 0.1"`
`18`	`18`	`}`
`19`	`19`