fixme/todo cleanup

not much worth doing right now.

proxy_lua.c

@@ -442,6 +442,11 @@ static int mcplib_backend(lua_State *L) {
         }
         lua_pop(L, 1);
 
+        if (lua_getfield(L, 1, "tls") != LUA_TNIL) {
+            be->tunables.use_tls = lua_toboolean(L, -1);
+        }
+        lua_pop(L, 1);
+
         if (lua_getfield(L, 1, "failurelimit") != LUA_TNIL) {
             int limit = luaL_checkinteger(L, -1);
             if (limit < 0) {
@@ -673,6 +678,10 @@ static mcp_backend_wrap_t *_mcplib_make_backendconn(lua_State *L, mcp_backend_la
         STAT_UL(ctx);
         bec->connect_flags = flags;
 
+        if (be->tunables.use_tls && !ctx->tls_ctx) {
+            proxy_lua_error(L, "TLS requested but not initialized: call mcp.init_tls()");
+            return NULL;
+        }
         mcp_tls_backend_init(ctx, bec);
 
         bec->event_thread = e;
@@ -1124,13 +1133,17 @@ static int mcplib_backend_use_tls(lua_State *L) {
     ctx->tunables.use_tls = state;
     STAT_UL(ctx);
 
-    // TODO: should move this to the config thread:
-    // - post mcp_config_globals but pre everything else
-    // - also handle if certs changed/etc.
-    if (state == 1) {
-        // TODO: pass failure error here we can print/log it.
-        mcp_tls_init(ctx);
-    }
+    return 0;
+}
+
+// TODO: error checking.
+static int mcplib_init_tls(lua_State *L) {
+    proxy_ctx_t *ctx = PROXY_GET_CTX(L);
+#ifndef PROXY_TLS
+    proxy_lua_error(L, "cannot run mcp.init_tls: TLS support not compiled");
+#else
+    mcp_tls_init(ctx);
+#endif
 
     return 0;
 }
@@ -1781,6 +1794,7 @@ int proxy_register_libs(void *ctx, LIBEVENT_THREAD *t, void *state) {
         {"backend_flap_backoff_max", mcplib_backend_flap_backoff_max},
         {"backend_use_iothread", mcplib_backend_use_iothread},
         {"backend_use_tls", mcplib_backend_use_tls},
+        {"init_tls", mcplib_init_tls},
         {"tcp_keepalive", mcplib_tcp_keepalive},
         {"active_req_limit", mcplib_active_req_limit},
         {"buffer_memory_limit", mcplib_buffer_memory_limit},

proxy_network.c

@@ -336,7 +336,6 @@ void proxy_run_backend_queue(be_head_t *head) {
         if (bec->connecting || bec->validating) {
             P_DEBUG("%s: deferring IO pending connecting (%s:%s)\n", __func__, be->name, be->port);
         } else {
-            // FIXME: doesn't work with tls disabled.
             if (!bec->ssl) {
                 flags = _flush_pending_write(bec);
             } else {

proxy_tls.c

@@ -21,7 +21,6 @@
  *   SSL_connect()) for defense against bugs in our code or OpenSSL.
  */
 
-// TODO: int -> enum?
 int mcp_tls_init(proxy_ctx_t *ctx) {
     if (ctx->tls_ctx) {
         return MCP_TLS_OK;
@@ -205,6 +204,10 @@ int mcp_tls_writev(struct mcp_backendconn_s *be, int iovcnt) {
     proxy_event_thread_t *et = be->event_thread;
     // TODO: move this to event thread init to remove branch and move error
     // handling to startup time.
+    // Actually we won't know if TLS is in use until a backend shows up and
+    // tries to write... so I'm not sure where to move this. TLS compiled in
+    // but not used would waste memory.
+    // Maybe can at least mark it unlikely()?
     if (et->tls_wbuf_size == 0) {
         et->tls_wbuf_size = TLS_WBUF_SIZE;
         et->tls_wbuf = malloc(et->tls_wbuf_size);