feature: add mtls client cert support (#72)

Co-authored-by: Datong Sun <[email protected]>

Author: ADD-SP

README.markdown

@@ -394,6 +394,21 @@ SSL handshake if the `wss://` scheme is used.
 
     Specifies custom headers to be sent in the handshake request. The table is expected to contain strings in the format `{"a-header: a header value", "another-header: another header value"}`.
 
+* `client_cert`
+
+    Specifies a client certificate chain cdata object that will be used while TLS handshaking with remote server. 
+    These objects can be created using 
+    [ngx.ssl.parse_pem_cert](https://github.com/openresty/lua-resty-core/blob/master/lib/ngx/ssl.md#parse_pem_cert) 
+    function provided by lua-resty-core. 
+    Note that specifying the `client_cert` option requires corresponding `client_priv_key` be provided too. See below.
+
+* `client_priv_key`
+
+    Specifies a private key corresponds to the `client_cert` option above. 
+    These objects can be created using 
+    [ngx.ssl.parse_pem_priv_key](https://github.com/openresty/lua-resty-core/blob/master/lib/ngx/ssl.md#parse_pem_priv_key) 
+    function provided by lua-resty-core.
+
 The SSL connection mode (`wss://`) requires at least `ngx_lua` 0.9.11 or OpenResty 1.7.4.1.
 
 [Back to TOC](#table-of-contents)

lib/resty/websocket/client.lua

@@ -26,6 +26,7 @@ local type = type
 local debug = ngx.config.debug
 local ngx_log = ngx.log
 local ngx_DEBUG = ngx.DEBUG
+local assert = assert
 local ssl_support = true
 
 if not ngx.config
@@ -98,7 +99,9 @@ function _M.connect(self, uri, opts)
         path = "/"
     end
 
-    local ssl_verify, headers, proto_header, origin_header, sock_opts = false
+    local ssl_verify, server_name, headers, proto_header, origin_header
+    local sock_opts = false
+    local client_cert, client_priv_key
 
     if opts then
         local protos = opts.protocols
@@ -122,11 +125,20 @@ function _M.connect(self, uri, opts)
             sock_opts = { pool = pool }
         end
 
-        if opts.ssl_verify then
+        client_cert = opts.client_cert
+        client_priv_key = opts.client_priv_key
+
+        if client_cert then
+            assert(client_priv_key,
+                   "client_priv_key must be provided with client_cert")
+        end
+
+        if opts.ssl_verify or opts.server_name then
             if not ssl_support then
                 return nil, "ngx_lua 0.9.11+ required for SSL sockets"
             end
-            ssl_verify = true
+            ssl_verify = opts.ssl_verify
+            server_name = opts.server_name or host
         end
 
         if opts.headers then
@@ -151,7 +163,13 @@ function _M.connect(self, uri, opts)
         if not ssl_support then
             return nil, "ngx_lua 0.9.11+ required for SSL sockets"
         end
-        ok, err = sock:sslhandshake(false, host, ssl_verify)
+        if client_cert then
+            ok, err = sock:setclientcert(client_cert, client_priv_key)
+            if not ok then
+                return nil, "failed to set TLS client certificate: " .. err
+            end
+        end
+        ok, err = sock:sslhandshake(false, server_name, ssl_verify)
         if not ok then
             return nil, "ssl handshake failed: " .. err
         end

t/cert/mtls_ca.crt

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDPDCCAiQCE02SO/h/om49Gjo0vAbL7/G0E5cwDQYJKoZIhvcNAQELBQAwWjEL
+MAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAoMCU9wZW5S
+ZXN0eTEiMCAGA1UEAwwZT3BlblJlc3R5IFRlc3RpbmcgUm9vdCBDQTAgFw0yMjAz
+MjIxMTUxNTJaGA8yMTIyMDIyNjExNTE1MlowWjELMAkGA1UEBhMCQVUxEzARBgNV
+BAgMClNvbWUtU3RhdGUxEjAQBgNVBAoMCU9wZW5SZXN0eTEiMCAGA1UEAwwZT3Bl
+blJlc3R5IFRlc3RpbmcgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBAKaitHvQzQf1/pqD9ybzu2c2x6cOfAer4mRBrVJb7ib3UJYz9TEOG9OH
+NbfEvTzv7svgW/s2HB/f3HLP9DYKRQe6aTuTS7OrxQqO8qE5aXNeG+KmhJANP0tD
+6LsnubtnvKwIh+SDArEjjz5ZIyu/HWgh9Aajb95WCdvwThassJpiMgASukn41zWi
+ugqjv9EUM+mn73Klv9gggPQAJzjidqYABzU6NqUKZwPHWLut4fbLt66P335bZ2tI
+529mrRnwRDbbhZ6AuQU3TCqUYeLCmK5Cxiw1zHOsXOr7BGY5UvNa0n6t6RfAtETm
+XIijMtNhOuCoqpczVe7jwKbAjcOQfa0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEA
+GS96499Wn8Pyo5FOW3Z+4r5QQSr9f3g+gNY/5yQRdhs4NS3Seoe9fSTyyqaf0j0/
+ctYWM08PkC5NIrtjBbpyT1TZDiCu6MbyTMjkpkfXwhLzNrVAEvgafdKwGe22eNeg
+CNCb4HglZS8sBPIFf39h2MPwXPAxpnSWUmszu8tul7wNr15ho52TGdOkL7u2GZVX
+5tYGr+lK7gatOSAtRKsoxmPrIYe0ny3YGkpLtnzbF6Ejel+eopYi/vQApHsOTy0D
+ZV2PZ9Bn4YcrY1LZRRJqzCuXSfX5m0EUTIwpDMx+bv3iEeb5ItyLk5hRzYkRX81X
+vZ6a4jis7U92TLmcyyZYhg==
+-----END CERTIFICATE-----

t/cert/mtls_ca.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCmorR70M0H9f6a
+g/cm87tnNsenDnwHq+JkQa1SW+4m91CWM/UxDhvThzW3xL087+7L4Fv7Nhwf39xy
+z/Q2CkUHumk7k0uzq8UKjvKhOWlzXhvipoSQDT9LQ+i7J7m7Z7ysCIfkgwKxI48+
+WSMrvx1oIfQGo2/eVgnb8E4WrLCaYjIAErpJ+Nc1oroKo7/RFDPpp+9ypb/YIID0
+ACc44namAAc1OjalCmcDx1i7reH2y7euj99+W2drSOdvZq0Z8EQ224WegLkFN0wq
+lGHiwpiuQsYsNcxzrFzq+wRmOVLzWtJ+rekXwLRE5lyIozLTYTrgqKqXM1Xu48Cm
+wI3DkH2tAgMBAAECggEAGLsUGz4pd9GACHGmeC77NL3SEs6ZBNBzSJrgvNTs+vaA
+jNJIRRAJfDLYe54k0crwP2zcaeOld+uS/a00WuLaTOPTI2bgeNl45HDDvL7XEiq4
+68H38aMtrh91hnVGYPRr8YJQnM7+0shqxX+YMzFpjV9gpq2R+Eb/rpczF7Vofnjw
+A/MHyBOT8XIb2E4YiAjN7T3rPnDVNp27pZRIp02P3ZI4F7IQSLhEzY54eFQe23+7
+cRjw8oFpHxGn4fGLISUri9z38U32Q7HCC8PvTy2zekx3Ifdrq0S/I7mAqXM+XeHZ
+o/fdJxiwvAPnUufFR79lX6zvUo2bKtkkJniDUpkMtwKBgQDXMbN96BF2IcDIsHPl
+fGnYA+e6OTF++cDt4Ge64oL8FaGY6/+aJ3X9NvPMNhf3WRqTomNkuGiHjSEkTfR/
+BgQ3Z7x2v055+dAdLPUh/+flEcv5aPqZqBzYYNrhUC8jjte2zt5VN4SmlL6wCDWt
+A5UPnMGg5uExBScAIPu/8quCHwKBgQDGO8uq5YvWmFy3m9tD4g9cxyh2EStovptQ
+S3zH/nWBCP2Rx9YixFbZvjYujVWcuCC9D/5CwLpcyEa3NIRF4RByAgzB/AGABi2Q
+JlpAByYrbqtFMN17qBwpBrTwdgs+JD8cN8rPgSviZlL8xOIdX8Mw1HuCFtasBvUW
+95Wrqb8+swKBgQCTaxjrR++uXbETys2aiIB52zMD/+pIchAY5YIqJMJWrvrlJ8cS
+c7YAoYSigOwqJoBuYvB0L2Bse+IYXM8Btb1tt0MElknMhbZsRkAn6oeSBX8WfTQv
+z1rzYGaRs7yXP2PHeDAXcNEOzRdUwEsFG08iQuDiuUfLrRvqmq3b8QJNQQKBgHaJ
+iRdPHhibkU3F6A6mnhMXkG1RhQikedFA4oPg+DjJvH8w5S5zA5A++r1JjHkjbYhA
+iQU3o/kZVZf10mbK13+lFCXnYKpCh3pcRLlmzP9JtSaxuq9X7kbmGMp1e/GT0R05
+i5AbqLdAAr3dqWxxOBH57UT0DThfDK3ILPqyjYabAoGAXgtdrmgFOfywNRuq0Qox
+Eh+EYY4SnrZUFUFraVV7zZsRlJXTE8kxBGh73j0sX409Wbmy1CEoFw91f9FBIZzJ
+CjaF4Xod77FVnanL+rOUMHEdaYo2LzATRFZJzB/3D60hkHJjP3fCvY+Xln7Lt35B
+HDQslqp0wC9aeznXl+eMQYY=
+-----END PRIVATE KEY-----

t/cert/mtls_client.crt

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDFzCCAf8CFElxMXCkerhj2Kjjh+Hm3cucOlILMA0GCSqGSIb3DQEBCwUAMFox
+CzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMRIwEAYDVQQKDAlPcGVu
+UmVzdHkxIjAgBgNVBAMMGU9wZW5SZXN0eSBUZXN0aW5nIFJvb3QgQ0EwHhcNMjIw
+MzIyMTIwMjU5WhcNMzIwMzE5MTIwMjU5WjA2MQswCQYDVQQGEwJBVTETMBEGA1UE
+CAwKU29tZS1TdGF0ZTESMBAGA1UECgwJT3BlblJlc3R5MIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAyqq9ZO3Zx3nVly5ZHao5HecjhafNdHIM735y5sim
+WINjpqBr4b0hwdrvUBfNLVpf5qLXf8NDH9Rb7gS9/gs+bmVrqDVKsvYjBpbvA/v1
+YdAk9PlmITxSRaYQyIu0EQAw5nZq9FMiAvGynEYKXir4vSqou4Av7FgAOBQQE3Mm
+G0XjAgFbTw2dQRH0M8f5a7Tu/BdfEkNRQb7n++m7JZoTIBfESUkhaN0DR33JSqdh
+ysrvH3KZq5DkVsX131kM6Y3lfWARdpFNANo0r3FSB31F46HttnjfNR5+GurA2wOE
+ymb7cDGpuWonjhT9ohJtN2fWDUTIf4LRuLYLjzmq6O5SnQIDAQABMA0GCSqGSIb3
+DQEBCwUAA4IBAQAdEMkoOA1bovMjzp3HpKQcygpalSa+Ipyqe5UJy/UsRaqupxcq
+bDjfHkqcjcqtuDnxKMksxFFPPPcoXEwBzTcQExfPchqRkX9Fa+SRsLri5kLVGtBm
+DZTXqvbH51MQKDTs2CfKtZQn8WxzU2pQyd4ae3Qwc1S/I+/5HsX0xmv6BwMXzeqj
+VjO4vk6wnbgKMqMUEAsHjcWqmc6yBBmh2EN2X1wMfpuH8iJQWAv4QBPXPUGnV2Jh
+RoPDko/Fyx4yLv3T7BiHDJ2Sf0xtKtxP6eKMo8IGeGod0cueSRQ7w7hFSNd7+4SW
+6QOdJ347xcyMyAwpCnqsmSxspLkBtfYOnvn8
+-----END CERTIFICATE-----

t/cert/mtls_client.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDKqr1k7dnHedWX
+Llkdqjkd5yOFp810cgzvfnLmyKZYg2OmoGvhvSHB2u9QF80tWl/motd/w0Mf1Fvu
+BL3+Cz5uZWuoNUqy9iMGlu8D+/Vh0CT0+WYhPFJFphDIi7QRADDmdmr0UyIC8bKc
+RgpeKvi9Kqi7gC/sWAA4FBATcyYbReMCAVtPDZ1BEfQzx/lrtO78F18SQ1FBvuf7
+6bslmhMgF8RJSSFo3QNHfclKp2HKyu8fcpmrkORWxfXfWQzpjeV9YBF2kU0A2jSv
+cVIHfUXjoe22eN81Hn4a6sDbA4TKZvtwMam5aieOFP2iEm03Z9YNRMh/gtG4tguP
+Oaro7lKdAgMBAAECggEAKKMlyNgcg+/9EQxdGCKqw0E2kTU9cCzyRQ9w0K/JExR9
+Zcri9ueqnildNQ0gughWFHPwjBDGI9q7+DUBN7Bfe1lgxeCxssLB8S9Qi9b4s/09
+e9WKUf27bXXIBb5lg8crBvsVpRoKRtbZ/pXYvFsXdy7XmIkyksxudtAnDQ9Yw7zb
+R3tSeJScx267XObPunep5kvm27iCv2BQCGhRppIoZeh6VxEJIKKsyGoG12XrFyQZ
+DTQ3Eh3T9JwolAZu3fyV5l1QxSlCrg0uIchNFODmN9mqQwjjsYoz4nnv17r/tmJw
+nuz56M3P638IXTTEwDkr5AqylT9yUT50V2xIz5lGLQKBgQDbS+teT2T/Zi2Bd6XE
+q4WzXaC1VLzhSaGGceZjPGtGJLV7n4qCEJ2y1lN43L456AW5Ef8hIWwM9lE6UbPL
+makfEccztjZRk/8G93IcEX0vQZyxBlLgIkCb9sCZdhqQqwX4tfe/m9GhPXMT6lD0
+TLD/7fCyMSgt9LpEN1rCb9XUrwKBgQDslkz28STIFslapN6xK6dTgOUtAsDkCg48
+fd6Z4C+yi4HCpH81PPBUfgvDUfDSYetU7I/ZboWVJvwaPzb5pxnw489uDrUauaIx
+a71jGE6JXIixWKMC5zE7/nPxFmyPBzM175ezBw/K9cYhgbt5F6ORRbbOA1oBW767
+tyjfeZ64cwKBgQC8F/4lwkuKlIVrishwS/49vozde3UWdyVIP+GwNF5+p3XSNyGC
+NeZNQnAONqgi2tQtzTXboOMgqxU4xGNGuuHIeGM4A43LovkXbJ4/XPDW25weaqIj
+BL4OCDNibV6Tv1072jhJ7Mh9WEugRVZydGVM3zWYYXlpEYPChwgdxfbOmQKBgBjr
+b+nm1n/43nacvRQeS/6gqgMGsjiS0pMOkv7UPVHqHd3Zo8iAxbOwnx6Qp/QQ+k+0
+pyY43Psr4wwEso6zSik0ZanrBKpu+SWJeqZQbh1L0N4VPv5USbxO/flb6k1abct1
+lB34VXKEVr06w/tqQQFRPYMPmVBhUILHNRfs4In/AoGAWRYRN1ktIQvdrWl9arNG
+J1a2MY3Ek1RTpBRx5lRg5JsjCgnyDQB6LtXgmir3n3c1dinA6Ct2dyg++K4N5ntn
+2PEa6MXIWjvRvbcaLnS+21iGch4FWS/Xwyd7vj+4nU5VXKPeLjagM5uCm1PTOK3f
+zAKenQxYOMxVdosUPNB/MMI=
+-----END PRIVATE KEY-----

t/cert/mtls_server.crt

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDLDCCAhQCFACm5o1DAUE5rcxAm4J0zmlxjt0CMA0GCSqGSIb3DQEBCwUAMFox
+CzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMRIwEAYDVQQKDAlPcGVu
+UmVzdHkxIjAgBgNVBAMMGU9wZW5SZXN0eSBUZXN0aW5nIFJvb3QgQ0EwIBcNMjIw
+MzIyMTIwMTMzWhgPMjEyMjAyMjYxMjAxMzNaMEkxCzAJBgNVBAYTAkFVMRMwEQYD
+VQQIDApTb21lLVN0YXRlMRIwEAYDVQQKDAlPcGVuUmVzdHkxETAPBgNVBAMMCHRl
+c3QuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuj3XwuffQXHa
+9+BNlKuYC8itkl7ydQEe3JDm0/49twXSMO9/U0/wBaHLsLo4HS95HZ9Ed/jXzAph
+eJxn3MZ5spbDKJzqv0kqzLrhEtOW0GNLVoqnjC4Z7My/punI5v2wvqULgHmFgxAT
+oa0plOfAEZPpjIjwA6ottZmHYNMsT5fC1E3wq4hqDFOgu4INAt96VlOaBKF27XHt
+//omwpaueubfxmDwJ8Mh6AWxj0tdxNWwuxGURsBFarLPRaeIkTrCu7vMEPWLuSpC
+gBDmcHsOXEvpX0w1EExcawzd40xJ3hoCvdUaH9Jrz+f2DCZNKJgCt7svUvgygt4v
+gLuExRxYVwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCRqRbPStilYE3CVff9NEGR
+j+j0XV0xQoOEDHMgoemzR+MMysnlUSA0d+5LcHIVq9Iz8WvsIX/QlCvKTlwJWiF1
+u0ZHDqgyfk5aNUTH1Hi2mMNg/0ssZcLmnHHYxBM65tBp1iNsV54isRzjko5tRoBZ
+e9x2/r/+8Pm9hk6nnPkTiPxeMkkKQAMk5mremGT7jFd3xO5sDkdZL7Ga8Kt70s1+
+XROKySFEC+ngvP5YNWZ/zI43lUS0E4wo6DIKrHkQkv7noq4ewoiuuxoB1fmKXu+c
+WcxJaAF2O5pV0Y94KRTG+bT3afW7RMHnfkYf4VENMKABxZXgmmg12g3mtYei6rdR
+-----END CERTIFICATE-----

t/cert/mtls_server.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6PdfC599Bcdr3
+4E2Uq5gLyK2SXvJ1AR7ckObT/j23BdIw739TT/AFocuwujgdL3kdn0R3+NfMCmF4
+nGfcxnmylsMonOq/SSrMuuES05bQY0tWiqeMLhnszL+m6cjm/bC+pQuAeYWDEBOh
+rSmU58ARk+mMiPADqi21mYdg0yxPl8LUTfCriGoMU6C7gg0C33pWU5oEoXbtce3/
++ibClq565t/GYPAnwyHoBbGPS13E1bC7EZRGwEVqss9Fp4iROsK7u8wQ9Yu5KkKA
+EOZwew5cS+lfTDUQTFxrDN3jTEneGgK91Rof0mvP5/YMJk0omAK3uy9S+DKC3i+A
+u4TFHFhXAgMBAAECggEAE+5JWFDjKghKtCs7cjUY3O35cUga712S1WzmXvp+1UbY
+syb2O866s4eYmk2bcrghYIOqWqJ1SZ80xikKzmwpGu0abo64aockfuti6dZd9egi
+aF0HSC+o05gnzG+JcfrlPsm/3NxkZt3CFBPJdueEPP1UyZbgBKxiHuSSwdBnlg7L
+Zu64iXqO+juz9GppkwuakJa/3e6mk0el5B6JY+Gk8b0sPrd9z7FrXyq7DffaQ2ON
+18I+r/dDyxVPV+0tAU+64YFtWjKzoIGhrPenOdk7s+DPiIuXnEuun65Q/w/hVWKy
+Wm64lstNoxU4RShxYGV3MznKgJ1XJyT9YzwqjqW20QKBgQDTa8lVIomHxSIlfMH+
+lLRsoFoYIBYUwjcEy9jxh2llJHTPX0CKphpH/ByqwzYn+iVHrCfxYwSkWnN/KsGg
+Ix7b+BemhbRIUukjOU8QI5/p5LgrmmC1orpZ54o8cVl9K77I/hBhGhUZzHuzTLH9
+ViPUhDrARNtXUKBV3Y+TmfhtpwKBgQDhgudculLDzq20sYOqb/NB+SlcowZDkLaN
+TXIhYKmGK8DaJeiojVmIOqOl8+P/j4cQg3m54KZ8T/4bQt2ynBwmYH4+2lUbpGf9
+N6I9CEWmjX7ZARZYI4RvM1aDPrSbC6xb0W6nC4wQkjhck6ngNTHkHYdE+Q6vHy7P
+gAmVfBb10QKBgQCe8ATnD5O8kaJd9DASptAMaW/Rey2eZXLfFC//QwEknAeEbeMj
+WEOhohIa/a4U16R3ASD2Aq5Wr/jrvMTbEgv86cE92n3xcQL7C/Y399AcEWmyvde+
+NJtLQxlU3xGbW+uNRhIiLW13e5Xy8NFN1hgRh2ZzbFBIj8A5TNrG55UvOQKBgQCM
+rI4K6CgNAXaWi02pGmDSvM0yfne/2hwmlTMm4xedHNoWuyMhUduSAZJoSXXmy+/j
+O0DJ1PvF/Fh1RQbrDjr5LaRTLPt+XNaJvRS1od1hAk8oq2b24GESxSGoiYs8VNHW
+DRVLmwZqp+wExBBqToSq2kixm/OvBnK6+hIAcAIaoQKBgG0kwGYFumhYNOO7qVjL
+AnfXbml94n7QGc8hWNs3aq6wKH0Oc3mSzMlsClnV0bVUnyF5fxTDwtZ4g1hRio4A
++h321+H+7SxqrK/P5S9bhhyPMM0wByRU/Wa6pRQ6+NvFFY0fU3faVd3j2rcBEm41
+6H6KpGxP868KXvVcot92emgZ
+-----END PRIVATE KEY-----

t/cs.t

@@ -22,6 +22,15 @@ check_accum_error_log();
 no_long_string();
 #no_diff();
 
+sub read_file {
+    my $infile = shift;
+    open my $in, $infile
+        or die "cannot open $infile for reading: $!";
+    my $cert = do { local $/; <$in> };
+    close $in;
+    $cert;
+}
+
 run_tests();
 
 __DATA__
@@ -2056,3 +2065,129 @@ GET /c
 failed to receive: failed to receive the first 2 bytes: closed
 --- error_log
 failed to send close: bad status code
+
+
+
+=== TEST 29: mutual TLS with client certs
+--- no_check_leak
+--- http_config eval: $::HttpConfig
+--- config
+    listen $TEST_NGINX_RAND_PORT_1 ssl;
+    server_name test.com;
+    ssl_certificate ../../cert/mtls_server.crt;
+    ssl_certificate_key ../../cert/mtls_server.key;
+    ssl_client_certificate ../../cert/mtls_ca.crt;
+    ssl_verify_client      on;
+    server_tokens off;
+
+    resolver 127.0.0.1:1953 ipv6=off;
+    resolver_timeout 1s;
+
+    lua_ssl_trusted_certificate ../../cert/mtls_ca.crt;
+    lua_ssl_verify_depth 2;
+
+    location = /c {
+        content_by_lua_block {
+            local ssl = require "ngx.ssl"
+            local f = assert(io.open('t/cert/mtls_client.crt'))
+            local cert_data = f:read("*a")
+            f:close()
+
+            f = assert(io.open('t/cert/mtls_client.key'))
+            local key_data = f:read("*a")
+            f:close()
+
+            local chain = assert(ssl.parse_pem_cert(cert_data))
+            local priv = assert(ssl.parse_pem_priv_key(key_data))
+
+            local client = require "resty.websocket.client"
+            local wb, err = client:new()
+
+            local uri = "wss://test.com:$TEST_NGINX_RAND_PORT_1/s"
+            local ok, err = wb:connect(uri, {ssl_verify = true, client_cert = chain, client_priv_key = priv})
+            if not ok then
+                ngx.say("failed to connect: " .. err)
+                return
+            end
+
+            local data = "hello"
+            local bytes, err = wb:send_text(data)
+            if not bytes then
+                ngx.say("failed to send frame: ", err)
+                return
+            end
+
+            local typ
+            data, typ, err = wb:recv_frame()
+            if not data then
+                ngx.say("failed to receive 2nd frame: ", err)
+                return
+            end
+
+            ngx.say("received: ", data, " (", typ, ")")
+
+            local ok, err = wb:close()
+            if not ok then
+                ngx.say("failed to close conn: ", err)
+                return
+            end
+        }
+    }
+
+    location = /s {
+        content_by_lua '
+            local server = require "resty.websocket.server"
+            local wb, err = server:new()
+            if not wb then
+                ngx.log(ngx.ERR, "failed to new websocket: ", err)
+                return ngx.exit(444)
+            end
+
+            local data, typ, err = wb:recv_frame()
+            if not data then
+                -- ngx.log(ngx.ERR, "failed to receive a frame: ", err)
+                return ngx.exit(444)
+            end
+
+            -- send it back!
+            local bytes, err = wb:send_text(data)
+            if not bytes then
+                ngx.log(ngx.ERR, "failed to send the 2nd text: ", err)
+                return ngx.exit(444)
+            end
+        ';
+    }
+--- udp_listen: 1953
+--- udp_reply eval
+sub {
+    # Get DNS request ID from passed UDP datagram
+    my $dns_id = unpack("n", shift);
+    # Set name and encode it
+    my $name = "test.com";
+    $name =~ s/([^.]+)\.?/chr(length($1)) . $1/ge;
+    $name .= "\0";
+    my $s = '';
+    $s .= pack("n", $dns_id);
+    # DNS response flags, hardcoded
+    my $flags = (1 << 15) + (0 << 11) + (0 << 10) + (0 << 9) + (1 << 8) + (1 << 7) + 0;
+    $flags = pack("n", $flags);
+    $s .= $flags;
+    $s .= pack("nnnn", 1, 1, 0, 0);
+    $s .= $name;
+    $s .= pack("nn", 1, 1);
+    # Set response address and pack it
+    my @addr = split /\./, "127.0.0.1";
+    my $data = pack("CCCC", @addr);
+    $s .= $name. pack("nnNn", 1, 1, 1, 4) . $data;
+    return $s;
+}
+--- request
+GET /c
+--- response_body
+received: hello (text)
+
+--- no_error_log
+[error]
+[warn]
+
+--- timeout: 10