utils.lua attempt to call kdf.new is nil

[mwmix]

I am seeing the following error when attempting to use lua-resty-session 4.1.2 or 4.0.5. However, if I downgrade to lua-resty-session 4.0.3 I no longer see the error and everything looks to work.

/usr/local/share/lua/5.1/resty/session/utils.lua:496: attempt to call field 'new' (a nil value)

My luarocks list output looks like:

root@app-a-754dbfb744-k7qgn:/# luarocks list

Rocks installed for Lua 5.1
---------------------------

lua-ffi-zlib
   0.6-0 (installed) - /usr/local/lib/luarocks/rocks-5.1

lua-resty-http
   0.17.2-0 (installed) - /usr/local/lib/luarocks/rocks-5.1

lua-resty-jwt
   0.2.3-0 (installed) - /usr/local/lib/luarocks/rocks-5.1

lua-resty-openidc
   1.8.0-1 (installed) - /usr/local/lib/luarocks/rocks-5.1

lua-resty-openssl
   1.6.1-1 (installed) - /usr/local/lib/luarocks/rocks-5.1

lua-resty-session
   4.1.2-1 (installed) - /usr/local/lib/luarocks/rocks-5.1

root@app-a-754dbfb744-k7qgn:/#

The full error looks like:

2025/06/30 01:58:31 [error] 14#14: *5 lua entry thread aborted: runtime error: /usr/local/sh
are/lua/5.1/resty/session/utils.lua:496: attempt to call field 'new' (a nil value)
stack traceback:
coroutine 0:
    /usr/local/share/lua/5.1/resty/session/utils.lua: in function 'derive_hmac_sha256_key'
    /usr/local/share/lua/5.1/resty/session.lua:277: in function 'calculate_mac'
    /usr/local/share/lua/5.1/resty/session.lua:691: in function 'open'
    /usr/local/share/lua/5.1/resty/session.lua:1921: in function 'open'
    /usr/local/share/lua/5.1/resty/session.lua:2681: in function 'open'
    /usr/local/share/lua/5.1/resty/session.lua:2711: in function 'start'
    /usr/local/share/lua/5.1/resty/openidc.lua:1518: in function 'authenticate'
    access_by_lua(nginx.conf:104):20: in main chunk, client: 127.0.0.1, server: app-a.app-a.svc.cluster.local, request: "GET / HTTP/1.1", host: "app-a.staging.example.com
:8000"
127.0.0.1 - - [30/Jun/2025:01:58:31 +0000] "GET / HTTP/1.1" 500 585 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36
" "-"

I am using the following DOCKERFILE for building my container and testing.

FROM openresty/openresty:1.25.3.2-bullseye-fat

ARG LUAROCKS_VERSION=3.12.1
ENV LUAROCKS_VERSION=${LUAROCKS_VERSION}

RUN apt-get update && \
    apt-get -y upgrade && \
    apt-get -y install wget unzip make gcc

RUN wget https://luarocks.org/releases/luarocks-${LUAROCKS_VERSION}.tar.gz && \
    tar zxpf luarocks-${LUAROCKS_VERSION}.tar.gz && \
    cd luarocks-${LUAROCKS_VERSION} && \
    ./configure && \
    make && \
    make install && \
    cd ../ && \
    rm -f luarocks-${LUAROCKS_VERSION}.tar.gz && \
    rm -rf luarocks-${LUAROCKS_VERSION}/

RUN luarocks install lua-resty-session 4.1.2 && \
    luarocks install lua-resty-http && \
    luarocks install lua-resty-openidc && \
    luarocks install lua-resty-jwt

And my nginx.conf looks like:

pcre_jit on;

#pid        logs/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  logs/access.log  main;

    client_body_temp_path /var/run/openresty/nginx-client-body;
    proxy_temp_path       /var/run/openresty/nginx-proxy;
    fastcgi_temp_path     /var/run/openresty/nginx-fastcgi;
    uwsgi_temp_path       /var/run/openresty/nginx-uwsgi;
    scgi_temp_path        /var/run/openresty/nginx-scgi;

    sendfile        on;
    keepalive_timeout  65;

    resolver 10.96.0.10;

    lua_ssl_trusted_certificate /ca_cert/ca.crt;

    # cache for discovery metadata documents
    lua_shared_dict discovery 1m;
    # cache for JWKs
    lua_shared_dict jwks 1m;

    server {
      listen       443 ssl;
      server_name  app-a.app-a.svc.cluster.local app-a.app-a.svc app-a.staging.example.com;
      ssl_certificate /cert/tls.crt;
      ssl_certificate_key /cert/tls.key;
      ssl_protocols TLSv1.2 TLSv1.3;
      ssl_ciphers HIGH:!aNULL:!MD5;

      location / {

        access_by_lua_block {
            local opts = {
               redirect_uri = "https://app-a.staging.example.com:8000/code",
               discovery = "https://keycloak-discovery.keycloak.svc.cluster.local:8443/realms/example/.well-known/openid-configuration",
               scope = "openid email profile",
               renew_access_token_on_expiry = true,
               access_token_expires_in = 300,
               access_token_expires_leeway = 5,
               revoke_tokens_on_logout = true,
               use_pkce = true
            }

            local session_opts = {
                cookie_http_only = true,
                cookie_secure = true,
                cookie_same_site = "Lax",
                remember = true
            }

            local res, err = require("resty.openidc").authenticate(opts, nil, nil, session_opts)

            if err then
              ngx.status = 500
              ngx.say(err)
              ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
            end

            ngx.req.set_header("X-USER", res.id_token.sub)
        }

        proxy_pass http://localhost:8080;
      }
    }
}

include /etc/nginx/conf.d/*.main;

[bungle]

@mwmix thanks for reporting!

[bungle]

@mwmix what version of OpenSSL do you have in your system. Are you perhaps using older than 3.0.0?

[bungle]

@mwmix can you try newer Debian than (you may need to switch to Ubuntu):

FROM openresty/openresty:1.25.3.2-bullseye-fat

[bungle]

Meanwhile, I guess we can try to investigate how to get compatibility with older OpenSSL back.

[bungle]

The OpenSSL states that < 3 is not supported anymore (unless paid quite a lot of money):
https://openssl-library.org/policies/releasestrat/

[mwmix]

Hey ty for the info I'll give it a whirl here in the next few days and report back.