From 0408d66234ecd6bccfd67de275f2f5d330ee3d1a Mon Sep 17 00:00:00 2001
From: Elvin Efendi <elvin.efendiyev@gmail.com>
Date: Tue, 28 Aug 2018 23:56:09 -0400
Subject: [PATCH] apply nginx patch to make ssl_certificate_by_lua_block work
 properly

---
 images/nginx/Makefile                         |  2 +-
 images/nginx/rootfs/build.sh                  |  3 ++
 .../patches/openresty-ssl_cert_cb_yield.patch | 42 +++++++++++++++++++
 3 files changed, 46 insertions(+), 1 deletion(-)
 create mode 100644 images/nginx/rootfs/patches/openresty-ssl_cert_cb_yield.patch

diff --git a/images/nginx/Makefile b/images/nginx/Makefile
index d373777fa..5e11f4e6e 100644
--- a/images/nginx/Makefile
+++ b/images/nginx/Makefile
@@ -13,7 +13,7 @@
 # limitations under the License.
 
 # 0.0.0 shouldn't clobber any released builds
-TAG ?= 0.60
+TAG ?= 0.61
 REGISTRY ?= quay.io/kubernetes-ingress-controller
 ARCH ?= $(shell go env GOARCH)
 DOCKER ?= docker
diff --git a/images/nginx/rootfs/build.sh b/images/nginx/rootfs/build.sh
index d967ee8ef..8f4ddbaa6 100755
--- a/images/nginx/rootfs/build.sh
+++ b/images/nginx/rootfs/build.sh
@@ -421,6 +421,9 @@ Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTE
 # build nginx
 cd "$BUILD_PATH/nginx-$NGINX_VERSION"
 
+# apply Nginx patches
+patch -p1 < /patches/openresty-ssl_cert_cb_yield.patch
+
 WITH_FLAGS="--with-debug \
   --with-compat \
   --with-pcre-jit \
diff --git a/images/nginx/rootfs/patches/openresty-ssl_cert_cb_yield.patch b/images/nginx/rootfs/patches/openresty-ssl_cert_cb_yield.patch
new file mode 100644
index 000000000..e3940391f
--- /dev/null
+++ b/images/nginx/rootfs/patches/openresty-ssl_cert_cb_yield.patch
@@ -0,0 +1,42 @@
+# HG changeset patch
+# User Yichun Zhang <agentzh@openresty.org>
+# Date 1451762084 28800
+#      Sat Jan 02 11:14:44 2016 -0800
+# Node ID 449f0461859c16e95bdb18e8be6b94401545d3dd
+# Parent  78b4e10b4367b31367aad3c83c9c3acdd42397c4
+SSL: handled SSL_CTX_set_cert_cb() callback yielding.
+
+OpenSSL 1.0.2+ introduces SSL_CTX_set_cert_cb() to allow custom
+callbacks to serve the SSL certificiates and private keys dynamically
+and lazily. The callbacks may yield for nonblocking I/O or sleeping.
+Here we added support for such usage in NGINX 3rd-party modules
+(like ngx_lua) in NGINX's event handlers for downstream SSL
+connections.
+
+diff -r 78b4e10b4367 -r 449f0461859c src/event/ngx_event_openssl.c
+--- a/src/event/ngx_event_openssl.c	Thu Dec 17 16:39:15 2015 +0300
++++ b/src/event/ngx_event_openssl.c	Sat Jan 02 11:14:44 2016 -0800
+@@ -1210,6 +1210,23 @@
+         return NGX_AGAIN;
+     }
+ 
++#if OPENSSL_VERSION_NUMBER >= 0x10002000L
++    if (sslerr == SSL_ERROR_WANT_X509_LOOKUP) {
++        c->read->handler = ngx_ssl_handshake_handler;
++        c->write->handler = ngx_ssl_handshake_handler;
++
++        if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
++            return NGX_ERROR;
++        }
++
++        if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
++            return NGX_ERROR;
++        }
++
++        return NGX_AGAIN;
++    }
++#endif
++
+     err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0;
+ 
+     c->ssl->no_wait_shutdown = 1;