lua-http https failures on Ubuntu 18


Russell Haley
Hi,

I'm trying to create a little http(s) client using lua-http. I've never run into these issues before so I think they are related to Ubuntu, but I'm (clearly) no expert. My current platform is Ubuntu 18 LTS. I was initially receiving what I'll describe as a missing cipher error when I was using openssl 1.1.0 so I upgraded to 1.1.1a based on the directions here:

https://askubuntu.com/questions/1102803/how-to-upgrade-openssl-1-1-0-to-1-1-1-in-ubuntu-18-04

I removed and reinstalled lua-http/cqueues/luaossl after the upgrade and now I am getting the following errors:

russellh@sfm-dev:~/lua/client$ ./lua test.lua "https://www.starfishmedical.com"
starttls: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
russellh@sfm-dev:~/lua/client$ ./lua test.lua "https://google.com"
starttls: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:unable to get local issuer certificate
russellh@sfm-dev:~/lua/client$ ./lua test.lua "https://verisign.com"
starttls: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:self signed certificate in certificate chain

I checked luaossl to ensure it's pointing at the correct version of openssl and everything seems copacetic. I've used luarocks to create a "package" repository, so the init.lua file simply sets the package.path and package.cpath to point to the correct lua_modules directory (same as the lua code at the bottom of this message). 

russellh@sfm-dev:~/lua/sfiot_client$ ./lua -i init.lua 
Lua 5.3.5  Copyright (C) 1994-2018 Lua.org, PUC-Rio
> ssl = require 'openssl'
> for i,v in pairs(ssl) do print(i,v) end
SSLEAY_BUILT_ON 2
NO_MD2 true
SSLEAY_PLATFORM 3
NO_SCTP true
SSLEAY_VERSION_NUMBER 269488175
SSLEAY_VERSION 0
NO_RC5 true
SSLEAY_CFLAGS 1
SHLIB_VERSION_NUMBER 1.1
NO_STATIC_ENGINE true
extensionSupported function: 0x7fb87ff08840
SSLEAY_DIR 4
version function: 0x7fb87ff15750
NO_UNIT_TEST true
SHLIB_VERSION_HISTORY
VERSION_TEXT OpenSSL 1.1.1b  26 Feb 2019
VERSION_NUMBER 269488175

I recognize that all three errors are different, but I'm wondering if I'm missing a root CA package? I also recognize that this could be asked on the askubuntu site, or even an openssl support site, or even the lua-http github site, but I thought I'd start here for future searchability. Finally, here is my source code:


package.cpath = './lua_modules/lib/lua/5.3/?.so;./?.so'
package.path = './lua_modules/share/lua/5.3/?.lua;./lua_modules/share/lua/5.3/?/init.lua;./lua_modules/share/lua/5.3/?.lua;./lua_modules/share/lua/5.3/?/init.lua;./?.lua;./?/init.lua'

local request = require 'http.request'
local rolling_logger = require "logging.rolling_file"
local conf = require('config')

local logger = rolling_logger(conf.base_path .. "/" .. conf.debug_file_name, conf.file_roll_size or 1024*1024*10, conf.max_log_files or 31)
if not logger then
    print("logger failed")
    os.exit(-1)
end

local uri = arg[1]
local req_timeout = 10

local req = request.new_from_uri(uri)

-- On failure req:go returns nil plus an error message, so `stream`
-- holds the error string (the "starttls: ..." text shown above).
local headers, stream = req:go(req_timeout)
if headers == nil then
    logger:error("failed. no headers")
    --return nil, "request failed"
    --io.stderr:write(tostring(stream), "\n")
    --os.exit(1)
end

if not stream then
    print('no stream')
else
    print(stream)
    --~ for i,v in pairs(stream) do
    --~     print (i,v)
    --~ end
    -- Debugging stop: the script exits here, before the body is read.
    os.exit(-1)
    local body, err = stream:get_body_as_string()
    if not body and err then
        logger:error("failed. no body.")
        --return nil, "request failed."
    else
        print(body)
    end
end

Thanks,
Russ

Re: lua-http https failures on Ubuntu 18

Daurnimator
On Wed, 1 May 2019 at 06:46, Russell Haley <[hidden email]> wrote:

>
> Hi,
>
> I'm trying to create a little http(s) client using lua-http. I've never run into these issues before so I think they are related to Ubuntu, but I'm (clearly) no expert. My current platform is Ubuntu 18 LTS. I was initially receiving what I'll describe as a missing cipher error when I was using openssl 1.1.0 so I upgraded to 1.1.1a based on the directions here:
>
> https://askubuntu.com/questions/1102803/how-to-upgrade-openssl-1-1-0-to-1-1-1-in-ubuntu-18-04
>
> I removed and reinstalled lua-http/cqueues/luaossl after the upgrade and now I am getting the following errors:
>
> russellh@sfm-dev:~/lua/client$ ./lua test.lua "https://www.starfishmedical.com"
> starttls: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
> russellh@sfm-dev:~/lua/client$ ./lua test.lua "https://google.com"
> starttls: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:unable to get local issuer certificate
> russellh@sfm-dev:~/lua/client$ ./lua test.lua "https://verisign.com"
> starttls: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:self signed certificate in certificate chain
>
> I checked luaossl to ensure it's pointing at the correct version of openssl and everything seems copacetic. I've used luarocks to create a "package" repository, so the init.lua file simply sets the package.path and package.cpath to point to the correct lua_modules directory (same as the lua code at the bottom of this message).
>
> russellh@sfm-dev:~/lua/sfiot_client$ ./lua -i init.lua
> Lua 5.3.5  Copyright (C) 1994-2018 Lua.org, PUC-Rio
> > ssl = require 'openssl'
> > for i,v in pairs(ssl) do print(i,v) end
> SSLEAY_BUILT_ON 2
> NO_MD2 true
> SSLEAY_PLATFORM 3
> NO_SCTP true
> SSLEAY_VERSION_NUMBER 269488175
> SSLEAY_VERSION 0
> NO_RC5 true
> SSLEAY_CFLAGS 1
> SHLIB_VERSION_NUMBER 1.1
> NO_STATIC_ENGINE true
> extensionSupported function: 0x7fb87ff08840
> SSLEAY_DIR 4
> version function: 0x7fb87ff15750
> NO_UNIT_TEST true
> SHLIB_VERSION_HISTORY
> VERSION_TEXT OpenSSL 1.1.1b  26 Feb 2019
> VERSION_NUMBER 269488175
>
> I recognize that all three errors are different, but I'm wondering if I'm missing a root CA package? I also recognize that this could be asked on the askubuntu site, or even an openssl support site, or even the lua-http github site, but I thought I'd start here for future searchability. Finally, here is my source code:
>
>
> package.cpath = './lua_modules/lib/lua/5.3/?.so;./?.so'
> package.path = './lua_modules/share/lua/5.3/?.lua;./lua_modules/share/lua/5.3/?/init.lua;./lua_modules/share/lua/5.3/?.lua;./lua_modules/share/lua/5.3/?/init.lua;./?.lua;./?/init.lua'
>
> local request = require 'http.request'
> local rolling_logger = require "logging.rolling_file"
> local conf = require('config')
>
> local logger = rolling_logger(conf.base_path .. "/" .. conf.debug_file_name, conf.file_roll_size or 1024*1024*10, conf.max_log_files or 31)
> if not logger then
> print("logger failed")
> os.exit(-1)
> end
>
> local uri = arg[1]
> local req_timeout = 10
>
> local req = request.new_from_uri(uri)
>
> local headers, stream = req:go(req_timeout)
> if headers == nil then
> logger:error("failed. no headers")
> --return nil, "request failed"
> --io.stderr:write(tostring(stream), "\n")
> --os.exit(1)
> end
>
> if not stream then
> print('no stream')
> else
> print(stream)
> --~ for i,v in pairs(stream) do
> --~ print (i,v)
> --~ end
> os.exit(-1)
> local body, err = stream:get_body_as_string()
> if not body and err then
> logger:error("failed. no body.")
> --return nil, "request failed."
> else
> print(body)
> end
> end
>
> Thanks,
> Russ

My guess is that your system is missing the root CAs.

luaossl/lua-http uses OpenSSL's X509_STORE_set_default_paths function
to load your system's trust roots.


Re: lua-http https failures on Ubuntu 18

Russell Haley


On Tue, Apr 30, 2019 at 10:31 PM Daurnimator <[hidden email]> wrote:
> My guess is that your system is missing the root CAs.
>
> luaossl/lua-http uses OpenSSL's X509_STORE_set_default_paths function
> to load your system's trust roots.

I ran a simple test against https://www.starfishmedical.com in a FreeBSD jail here at home with no problems. I did some testing with openssl s_client at work before I left today and if I don't include -CApath in the command, the certificate fails:

russellh@canary-dev:~/lua/sfiot_client$ openssl s_client -connect www.starfishmedical.com:443
CONNECTED(00000003)
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = starfishmedical.com
verify return:1
---
Certificate chain
 0 s:CN = starfishmedical.com
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
...

If I include -CApath /etc/ssl/certs, then everything works fine:

russellh@canary-dev:~/lua/sfiot_client$ openssl s_client -CApath /etc/ssl/certs -connect www.starfishmedical.com:443
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = starfishmedical.com
verify return:1
---
Certificate chain
 0 s:CN = starfishmedical.com
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
...

There was an old post about openssl defaulting to the openssl directory for root certificates but that was supposedly patched in ubuntu 12. I'm going to check if there is an openssl build option to include the path to certs, perhaps it's something I've done wrong when I switched to 1.1.1b.

Russ

Re: lua-http https failures on Ubuntu 18

Daurnimator
On Thu, 2 May 2019 at 15:23, Russell Haley <[hidden email]> wrote:

> On Tue, Apr 30, 2019 at 10:31 PM Daurnimator <[hidden email]> wrote:
>> luaossl/lua-http uses OpenSSL's X509_STORE_set_default_paths function
>> to load your system's trust roots.
>
> I ran a simple test against https://www.starfishmedical.com in a FreeBSD jail here at home with no problems. I did some testing with openssl s_client at work before I left today and if I don't include -CApath in the command, the certificate fails:
>
> russellh@canary-dev:~/lua/sfiot_client$ openssl s_client -connect www.starfishmedical.com:443
> CONNECTED(00000003)
> depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 CN = starfishmedical.com
> verify return:1
> ---
> Certificate chain
>  0 s:CN = starfishmedical.com
>    i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
>  1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
>    i:O = Digital Signature Trust Co., CN = DST Root CA X3
>
> ...
>
>
> If I include -CApath /etc/ssl/certs, then everything works fine:
>
>
> russellh@canary-dev:~/lua/sfiot_client$ openssl s_client -CApath /etc/ssl/certs -connect www.starfishmedical.com:443
> CONNECTED(00000003)
> depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
> verify return:1
> depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
> verify return:1
> depth=0 CN = starfishmedical.com
> verify return:1
> ---
> Certificate chain
>  0 s:CN = starfishmedical.com
>    i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
>  1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
>    i:O = Digital Signature Trust Co., CN = DST Root CA X3
> ---
>
> ...
>
>
> There was an old post about openssl defaulting to the openssl directory for root certificates but that was supposedly patched in ubuntu 12. I'm going to check if there is an openssl build option to include the path to certs, perhaps it's something I've done wrong when I switched to 1.1.1b.
>
> Russ

When finding CAs, OpenSSL will try to look in the directory:
`getenv(X509_get_default_cert_dir_env())`,
which *should* be `"SSL_CERT_DIR"`

If that env var does not exist, it will look in `X509_get_default_cert_dir()`,
which *should* be `OPENSSLDIR "/certs"`,
where OPENSSLDIR is usually `"/etc/ssl"`,
though you can adjust at ./configure time.

My suspicion is that at configure time you've passed a custom OPENSSLDIR.
How did you compile your OpenSSL?
What options did you pass to configure?
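
The lookup order described in this message, as an added example that is not part of the original post or of lua-http/luaossl: a shell check that resolves the directory OpenSSL will search and reports whether it holds hash-named CA entries. The function names are hypothetical; only the directory lookup is covered, not OpenSSL's default bundle file.

```shell
#!/bin/sh
# Added example: which directory will OpenSSL search for trusted CAs?

# Extract OPENSSLDIR from the text printed by `openssl version -d`,
# which has the form:  OPENSSLDIR: "/usr/local/ssl"
openssldir_from_version_output() {
    printf '%s\n' "$1" | sed -n 's/^OPENSSLDIR: *"\(.*\)"$/\1/p'
}

# Lookup order from the thread: SSL_CERT_DIR if the variable exists in
# the environment, otherwise OPENSSLDIR/certs.
effective_cert_dir() {
    if [ "${SSL_CERT_DIR+set}" = set ]; then
        printf '%s\n' "$SSL_CERT_DIR"
    else
        printf '%s\n' "$1/certs"
    fi
}

# Count hash-named entries such as 2e5ac55d.0; a CA directory is searched
# by subject-hash file name, so other file names are never consulted.
count_hashed_certs() {
    n=0
    for f in "$1"/*; do
        [ -e "$f" ] || continue        # skips dangling links and an empty glob
        case "${f##*/}" in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*)
                n=$((n + 1)) ;;
        esac
    done
    printf '%s\n' "$n"
}

# Report "missing", "empty" or "ok" plus the directory that was resolved.
# $1 is OPENSSLDIR.
diagnose_trust_dir() {
    dir=$(effective_cert_dir "$1")
    if [ ! -d "$dir" ]; then
        printf 'missing %s\n' "$dir"
    elif [ "$(count_hashed_certs "$dir")" -eq 0 ]; then
        printf 'empty %s\n' "$dir"
    else
        printf 'ok %s\n' "$dir"
    fi
}

# Run against the local install when an openssl binary is on PATH.
if command -v openssl >/dev/null 2>&1; then
    diagnose_trust_dir "$(openssldir_from_version_output "$(openssl version -d)")"
fi
```

A result of "missing" or "empty" for a source build whose OPENSSLDIR differs from the distribution's is consistent with the "unable to get local issuer certificate" error quoted earlier in the thread.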


Re: lua-http https failures on Ubuntu 18

Russell Haley


On Wed, May 1, 2019 at 10:45 PM Daurnimator <[hidden email]> wrote:
> When finding CAs, OpenSSL will try to look in the directory:
> `getenv(X509_get_default_cert_dir_env())`,
> which *should* be `"SSL_CERT_DIR"`
>
> If that env var does not exist, it will look in `X509_get_default_cert_dir()`,
> which *should* be `OPENSSLDIR "/certs"`,
> where OPENSSLDIR is usually `"/etc/ssl"`,
> though you can adjust at ./configure time.
>
> My suspicion is that at configure time you've passed a custom OPENSSLDIR.
> How did you compile your OpenSSL?
> What options did you pass to configure?

The default configuration used /usr/local/ssl for OPENSSLDIR and the wiki confused me (https://wiki.openssl.org/index.php/Compilation_and_Installation#PREFIX_and_OPENSSLDIR). Thanks for clarifying, I changed OPENSSLDIR to /etc/ssl. I can now get various sites such as FreeBSD.org, verisign.com, google.com but our starfish site seems to be failing on a sslv3 error:

russellh@canary-dev:~/lua/sfiot_client$ ./lua test.lua "https://www.starfishmedical.com"
Failed to retrieve request. No headers. starttls: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

Code:

dofile ('init.lua')
local request = require 'http.request'
local rolling_logger = require "logging.rolling_file"
local conf = require('config')

local logger = rolling_logger(conf.base_path .. "/" .. conf.debug_file_name, conf.file_roll_size or 1024*1024*10, conf.max_log_files or 31)
if not logger then
    print("logger failed")
    os.exit(-1)
end

local function logError(msg)
    logger:error(msg)
    print(msg)
end

local uri = arg[1]
local req_timeout = 10

local req = request.new_from_uri(uri)

local headers, stream = req:go(req_timeout)
if headers == nil then
    logError(string.format("Failed to retrieve request. No headers. %s", stream))
    os.exit(-2)
end

if not stream then
    logError('Failed to retrieve request. No Stream (check with a urologist).')
    os.exit(-3)
else

    local body, err = stream:get_body_as_string()
    if not body and err then
        -- logError takes a single message, so format before calling it
        logError(string.format("No body was returned from the stream. %s", err or "no error message available"))
    else
        print(body)
    end
end

Feel free to punt on this one, it's not a show stopper (but does annoy me).

Thanks again Daurnimator.
Russ

Re: lua-http https failures on Ubuntu 18

Daurnimator
On Fri, 3 May 2019 at 02:20, Russell Haley <[hidden email]> wrote:
> I can now get various sites such as FreeBSD.org, verisign.com, google.com but our starfish site seems to be failing on a sslv3 error:
>
> russellh@canary-dev:~/lua/sfiot_client$ ./lua test.lua "https://www.starfishmedical.com"
> Failed to retrieve request. No headers. starttls: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

This is an interesting failure...

It seems like your web server doesn't support prime256v1 ephemeral
keys (which is the default in lua-http).
Now this isn't *recommended*, but it shouldn't have broken lua-http.

Reading through the OpenSSL source, it looks like the behaviour of
SSL_CTX_set_tmp_ecdh hugely changed from 1.0.2 to 1.1.0
Breaking luaossl recommendations and lua-http in the process...
I will have to do some further research here.
Created https://github.com/daurnimator/lua-http/issues/150 to track.

> if not stream then
>     logError('Failed to retrieve request. No Stream (check with a urologist).')

ha.
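
An added example, not part of the original posts: decoding the packed hex code in the three error strings from this thread shows which side raised each failure. It assumes the OpenSSL 1.1.x error-code layout (the thread's build is 1.1.1b); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: triage OpenSSL 1.1.x error strings by their packed code.
# Layout assumed (1.1.x):  code = (lib << 24) | (func << 12) | reason

# Print "lib func reason" in decimal for the first "error:XXXXXXXX:" field.
decode_openssl_error() {
    code=$(printf '%s\n' "$1" | sed -n 's/.*error:\([0-9A-Fa-f]\{8\}\):.*/\1/p')
    [ -n "$code" ] || return 1
    val=$((0x$code))
    printf '%s %s %s\n' "$(( (val >> 24) & 0xFF ))" \
                        "$(( (val >> 12) & 0xFFF ))" \
                        "$(( val & 0xFFF ))"
}

# Classify one error line.
#   lib 20 is the SSL library.
#   reason above 1000 means a TLS alert was received from the peer;
#     the alert number is reason - 1000 (40 = handshake_failure).
#   reason 134 is "certificate verify failed", raised locally while the
#     client checks the server's chain against its own trust store.
classify_tls_error() {
    fields=$(decode_openssl_error "$1") || { echo "unparsed"; return 0; }
    lib=${fields%% *}
    reason=${fields##* }
    if [ "$lib" -ne 20 ]; then
        echo "other"
    elif [ "$reason" -gt 1000 ]; then
        echo "peer-alert $((reason - 1000))"
    elif [ "$reason" -eq 134 ]; then
        case "$1" in
            *"unable to get local issuer certificate"*)
                echo "local-verify missing-issuer" ;;
            *"self signed certificate in certificate chain"*)
                echo "local-verify untrusted-root" ;;
            *)  echo "local-verify other" ;;
        esac
    else
        echo "local $reason"
    fi
}

# Classify every non-empty line read from standard input.
triage_lines() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        printf '%-28s %s\n' "$(classify_tls_error "$line")" "$line"
    done
}

# The three error lines quoted in the first message of this thread.
triage_lines <<'EOF'
starttls: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
starttls: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:unable to get local issuer certificate
starttls: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:self signed certificate in certificate chain
EOF
```

The first line is an alert sent by the server, which changing the client's CA directory cannot fix; the other two are local verification failures that depend on the trust store.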


Re: lua-http https failures on Ubuntu 18

Daurnimator
On Fri, 3 May 2019 at 11:06, Daurnimator <[hidden email]> wrote:

>
> On Fri, 3 May 2019 at 02:20, Russell Haley <[hidden email]> wrote:
> > I can now get various sites such as FreeBSD.org, verisign.com, google.com but our starfish site seems to be failing on a sslv3 error:
> >
> > russellh@canary-dev:~/lua/sfiot_client$ ./lua test.lua "https://www.starfishmedical.com"
> > Failed to retrieve request. No headers. starttls: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
>
> This is an interesting failure...
>
> It seems like your web server doesn't support prime256v1 ephemeral
> keys (which is the default in lua-http).
> Now this isn't *recommended*, but it shouldn't have broken lua-http.
>
> Reading through the OpenSSL source, it looks like the behaviour of
> SSL_CTX_set_tmp_ecdh hugely changed from 1.0.2 to 1.1.0
> Breaking luaossl recommendations and lua-http in the process...
> I will have to do some further research here.
> Created https://github.com/daurnimator/lua-http/issues/150 to track.

Could you give https://github.com/daurnimator/lua-http/pull/154 a try?