fffonion
diff --git a/‎.github/workflows/tests.yml
+17-4 b/‎.github/workflows/tests.yml
+17-4
diff --git a/‎README.md
+84 b/‎README.md
+84
diff --git a/‎lib/resty/openssl.lua
+2 b/‎lib/resty/openssl.lua
+2
@@ -39,10 +39,10 @@ jobs:
         #   openssl_opts: "fips --with-fipsdir=/home/runner/work/cache/ssl/fips"
         # latest and one older version with alpha release
         - nginx: "1.17.8"
-          openssl: "3.0.0-alpha9"
+          openssl: "3.0.0-alpha10"
           nginx_cc_opts: "-Wno-error"
         - nginx: "1.19.3"
-          openssl: "3.0.0-alpha9"
+          openssl: "3.0.0-alpha10"
           nginx_cc_opts: "-Wno-error"
 
     env:
@@ -91,6 +91,7 @@ jobs:
         git clone https://github.com/simpl/ngx_devel_kit.git ./ndk-nginx-module
         git clone https://github.com/openresty/lua-nginx-module.git ./lua-nginx-module -b v0.10.17
         git clone https://github.com/openresty/no-pool-nginx.git ./no-pool-nginx
+        git clone https://github.com/fffonion/lua-resty-openssl-aux-module ./lua-resty-openssl-aux-module
         # lua libraries at parent directory of current repository
         popd
         git clone https://github.com/openresty/lua-resty-core.git ../lua-resty-core -b v0.1.19
@@ -138,9 +139,11 @@ jobs:
         if ["$USE_VALGRIND" != ""]; then NGINX_CC_OPTS="$NGINX_CC_OPTS -O0"; fi
         export PATH=$BASE_PATH/work/nginx/sbin:$BASE_PATH/../nginx-devel-utils:$PATH
         export LD_LIBRARY_PATH=$LUAJIT_LIB:$LD_LIBRARY_PATH
+        export NGX_LUA_LOC=$BASE_PATH/../lua-nginx-module
+        export NGX_STREAM_LUA_LOC=$BASE_PATH/../stream-lua-nginx-module
         export
         cd $BASE_PATH
-        if [ ! -e work ]; then ngx-build $NGINX_VERSION --add-module=../ndk-nginx-module --add-module=../lua-nginx-module --with-http_ssl_module --with-cc-opt="-I$OPENSSL_INC $NGINX_CC_OPTS" --with-ld-opt="-L$OPENSSL_LIB -Wl,-rpath,$OPENSSL_LIB" --with-debug > build.log 2>&1 || (cat build.log && exit 1); fi
+        if [ ! -e work ]; then ngx-build $NGINX_VERSION --add-module=../ndk-nginx-module --add-module=../lua-nginx-module --add-module=../lua-resty-openssl-aux-module --with-http_ssl_module --with-cc-opt="-I$OPENSSL_INC $NGINX_CC_OPTS" --with-ld-opt="-L$OPENSSL_LIB -Wl,-rpath,$OPENSSL_LIB" --with-debug > build.log 2>&1 || (cat build.log && exit 1); fi
         nginx -V
         ldd `which nginx`|grep -E 'luajit|ssl|pcre'
 
@@ -150,11 +153,21 @@ jobs:
         export PATH=$BASE_PATH/work/nginx/sbin:$PATH
         TEST_NGINX_TIMEOUT=10 prove -j$JOBS -r t/ 2>&1
 
+        echo "Nginx SSL plain FFI"
+        export CI_SKIP_NGINX_C=1
+        TEST_NGINX_TIMEOUT=10 prove -j$JOBS t/openssl/ssl*.t 2>&1
+
     - name: Run Valgrind
       if: ${{ matrix.valgrind != '' }}
       run: |
         export LD_LIBRARY_PATH=$LUAJIT_LIB:$LD_LIBRARY_PATH
         export TEST_NGINX_USE_VALGRIND='--num-callers=100 -q --tool=memcheck --leak-check=full --show-possibly-lost=no --gen-suppressions=all --suppressions=valgrind.suppress --track-origins=yes' TEST_NGINX_TIMEOUT=60 TEST_NGINX_SLEEP=1
         export PATH=$BASE_PATH/work/nginx/sbin:$PATH
         stdbuf -o 0 -e 0 prove -j$JOBS -r t/ 2>&1 | grep -v "Connection refused" | grep -v "Retry connecting after" | tee output.log
-        if grep -q 'insert_a_suppression_name_here' output.log; then echo "Valgrind found problems"; exit 1; fi
+        if grep -q 'insert_a_suppression_name_here' output.log; then echo "Valgrind found problems"; exit 1; fi
+
+        echo "Nginx SSL plain FFI"
+        export CI_SKIP_NGINX_C=1
+        stdbuf -o 0 -e 0 prove -j$JOBS t/openssl/ssl*.t 2>&1 | grep -v "Connection refused" | grep -v "Retry connecting after" | tee output.log
+        if grep -q 'insert_a_suppression_name_here' output.log; then echo "Valgrind found problems"; exit 1; fi
+        
@@ -208,6 +208,14 @@ Table of Contents
   * [resty.openssl.x509.revoked](#restyopensslx509revoked)
     + [revoked.new](#revokednew)
     + [revoked.istype](#revokedistype)
+  * [resty.openssl.ssl](#restyopensslssl)
+    + [ssl.from_request](#sslfrom_request)
+    + [ssl.from_socket](#sslfrom_socket)
+    + [ssl:get_peer_certificate](#sslget_peer_certificate)
+    + [ssl:get_peer_cert_chain](#sslget_peer_cert_chain)
+  * [resty.openssl.ssl_ctx](#restyopensslssl_ctx)
+    + [ssl_ctx.from_request](#ssl_ctxfrom_request)
+    + [ssl_ctx.from_socket](#ssl_ctxfrom_socket)
   * [Functions for stack-like objects](#functions-for-stack-like-objects)
     + [metamethods](#metamethods)
     + [each](#each)
@@ -281,6 +289,8 @@ return {
   extensions = require("resty.openssl.x509.extensions"),
   name = require("resty.openssl.x509.name"),
   store = require("resty.openssl.x509.store"),
+  ssl = require("resty.openssl.ssl"),
+  ssl_ctx = require("resty.openssl.ssl_ctx"),
 }
 ```
 
@@ -3123,6 +3133,80 @@ Returns `true` if table is an instance of `revoked`. Returns `false` otherwise.
 
 [Back to TOC](#table-of-contents)
 
+## resty.openssl.ssl
+
+Module to interact with SSL connection.
+
+**This module is currently considered experimental.**
+
+**Note: to use this module in production, user is encouraged to compile [lua-resty-openssl-aux-module](https://github.com/fffonion/lua-resty-openssl-aux-module).**
+
+[Back to TOC](#table-of-contents)
+
+### ssl.from_request
+
+**syntax**: *sess, err = ssl.from_request()*
+
+Wraps the `SSL*` instance from current downstream request.
+
+[Back to TOC](#table-of-contents)
+
+### ssl.from_socket
+
+**syntax**: *sess, err = ssl.from_socket(sock)*
+
+Wraps the `SSL*` instance from a TCP cosocket, the cosocket must have already
+been called `sslhandshake`.
+
+[Back to TOC](#table-of-contents)
+
+### ssl:get_peer_certificate
+
+**syntax**: *x509, err = ssl:get_peer_certificate()*
+
+Return the peer certificate as a [x509](#restyopensslx509) instance. Depending on the type
+of `ssl`, peer certificate means the server certificate on client side, or the client certificate
+on server side.
+
+[Back to TOC](#table-of-contents)
+
+### ssl:get_peer_cert_chain
+
+**syntax**: *chain, err = ssl:get_peer_certificate()*
+
+Return the whole peer certificate chain as a [x509.chain](#restyopensslx509chain) instance.
+Depending on the type of `ssl`, peer certificate means the server certificate on client side,
+or the client certificate on server side.
+
+[Back to TOC](#table-of-contents)
+
+## resty.openssl.ssl_ctx
+
+Module to interact with SSL_CTX context.
+
+**This module is currently considered experimental.**
+
+**Note: to use this module in production, user is encouraged to compile [lua-resty-openssl-aux-module](https://github.com/fffonion/lua-resty-openssl-aux-module).**
+
+[Back to TOC](#table-of-contents)
+
+### ssl_ctx.from_request
+
+**syntax**: *ctx, err = ssl_ctx.from_request()*
+
+Wraps the `SSL_CTX*` instance from current downstream request.
+
+[Back to TOC](#table-of-contents)
+
+### ssl_ctx.from_request
+
+**syntax**: *sess, err = ssl_ctx.from_socket(sock)*
+
+Wraps the `SSL_CTX*` instance from a TCP cosocket, the cosocket must have already
+been called `sslhandshake`.
+
+[Back to TOC](#table-of-contents)
+
 ## Functions for stack-like objects
 
 [Back to TOC](#table-of-contents)
 
@@ -23,6 +23,8 @@ local _M = {
   revoked = require("resty.openssl.x509.revoked"),
   store = require("resty.openssl.x509.store"),
   pkcs12 = require("resty.openssl.pkcs12"),
+  ssl = require("resty.openssl.ssl"),
+  ssl_ctx = require("resty.openssl.ssl_ctx"),
 }
 
 if OPENSSL_30 then
Original file line number	Diff line number	Diff line change
`@@ -23,6 +23,8 @@ local _M = {`
`23`	`23`	`revoked = require("resty.openssl.x509.revoked"),`
`24`	`24`	`store = require("resty.openssl.x509.store"),`
`25`	`25`	`pkcs12 = require("resty.openssl.pkcs12"),`
	`26`	`+ ssl = require("resty.openssl.ssl"),`
	`27`	`+ ssl_ctx = require("resty.openssl.ssl_ctx"),`
`26`	`28`	`}`
`27`	`29`
`28`	`30`	`if OPENSSL_30 then`