Posted to commits@trafficserver.apache.org by ma...@apache.org on 2019/07/17 01:07:21 UTC
[trafficserver] branch master updated: Enable logging of the
Elliptic Curve used to communicate with the client
This is an automated email from the ASF dual-hosted git repository.
masaori pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push:
new effbc51 Enable logging of the Elliptic Curve used to communicate with the client
effbc51 is described below
commit effbc513139988c8a0971fd48adc586f883ba754
Author: Valentin Gutierrez <vg...@wikimedia.org>
AuthorDate: Tue Jul 16 11:50:55 2019 +0700
Enable logging of the Elliptic Curve used to communicate with the client
---
doc/admin-guide/logging/formatting.en.rst | 3 +++
iocore/net/P_SSLNetVConnection.h | 16 ++++++++++++++++
proxy/http/HttpSM.cc | 2 ++
proxy/http/HttpSM.h | 1 +
proxy/logging/Log.cc | 5 +++++
proxy/logging/LogAccess.cc | 13 +++++++++++++
proxy/logging/LogAccess.h | 1 +
7 files changed, 41 insertions(+)
diff --git a/doc/admin-guide/logging/formatting.en.rst b/doc/admin-guide/logging/formatting.en.rst
index e909f42..dc416d3 100644
--- a/doc/admin-guide/logging/formatting.en.rst
+++ b/doc/admin-guide/logging/formatting.en.rst
@@ -577,6 +577,7 @@ SSL / Encryption
.. _cqssr:
.. _cqssv:
.. _cqssc:
+.. _cqssu:
.. _pqssl:
Fields which expose the use, or lack thereof, of specific SSL and encryption
@@ -592,6 +593,8 @@ cqssr Client Request SSL session ticket reused status; indicates if the current
handshake.
cqssv Client Request SSL version used to communicate with the client.
cqssc Client Request SSL Cipher used by |TS| to communicate with the client.
+cqssu Client Request SSL Elliptic Curve used by |TS| to communicate with the
+ client when using an ECDHE cipher.
pqssl Proxy Request Indicates whether the connection from |TS| to the origin
was over SSL or not.
===== ============== ==========================================================
diff --git a/iocore/net/P_SSLNetVConnection.h b/iocore/net/P_SSLNetVConnection.h
index bea84aa..952cccb 100644
--- a/iocore/net/P_SSLNetVConnection.h
+++ b/iocore/net/P_SSLNetVConnection.h
@@ -37,6 +37,7 @@
#include <openssl/ssl.h>
#include <openssl/err.h>
+#include <openssl/objects.h>
#include "P_EventSystem.h"
#include "P_UnixNetVConnection.h"
@@ -309,6 +310,21 @@ public:
return ssl ? SSL_get_cipher_name(ssl) : nullptr;
}
+ const char *
+ getSSLCurve() const
+ {
+ if (!ssl) {
+ return nullptr;
+ }
+
+ int curve_nid = SSL_get_shared_curve(ssl, 0);
+
+ if (curve_nid == NID_undef) {
+ return nullptr;
+ }
+ return OBJ_nid2sn(curve_nid);
+ }
+
bool
has_tunnel_destination() const
{
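Review bot: `SSL_get_shared_curve(ssl, 0)` in the new `getSSLCurve()` reports the first group in the preference overlap between client and server, not the group actually used for the key exchange, so it can return a curve name even when the negotiated cipher is not ECDHE (an RSA key-exchange suite on TLS 1.2 where the client still advertised supported_groups) and, under TLS 1.3, may name a group other than the one whose key share was used. Since the `cqssu` field is documented as the curve used "when using an ECDHE cipher", either gate it on the negotiated cipher — `if (SSL_CIPHER_get_kx_nid(SSL_get_current_cipher(ssl)) != NID_kx_ecdhe) return nullptr;` covers TLS 1.2 (TLS 1.3 suites report `NID_kx_any`, so the check would need an extra version branch) — or document the approximation with a comment such as `// Best effort: first shared curve, which is normally but not always the negotiated ECDHE group`. It is also worth a comment that `OBJ_nid2sn` yields OpenSSL short names (`prime256v1`, `X25519`), which is what operators will see in the log rather than IANA names. The enclosing class starts and ends outside the hunk.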
diff --git a/proxy/http/HttpSM.cc b/proxy/http/HttpSM.cc
index 3b9ce8b..8c6afa1 100644
--- a/proxy/http/HttpSM.cc
+++ b/proxy/http/HttpSM.cc
@@ -481,6 +481,8 @@ HttpSM::attach_client_session(ProxyTransaction *client_vc, IOBufferReader *buffe
client_sec_protocol = protocol ? protocol : "-";
const char *cipher = ssl_vc->getSSLCipherSuite();
client_cipher_suite = cipher ? cipher : "-";
+ const char *curve = ssl_vc->getSSLCurve();
+ client_curve = curve ? curve : "-";
if (!client_tcp_reused) {
// Copy along the TLS handshake timings
milestones[TS_MILESTONE_TLS_HANDSHAKE_START] = ssl_vc->sslHandshakeBeginTime;
diff --git a/proxy/http/HttpSM.h b/proxy/http/HttpSM.h
index 95ca9d8..829958b 100644
--- a/proxy/http/HttpSM.h
+++ b/proxy/http/HttpSM.h
@@ -546,6 +546,7 @@ public:
const char *client_protocol = "-";
const char *client_sec_protocol = "-";
const char *client_cipher_suite = "-";
+ const char *client_curve = "-";
int server_transact_count = 0;
TransactionMilestones milestones;
diff --git a/proxy/logging/Log.cc b/proxy/logging/Log.cc
index 16e34e9..d38c099 100644
--- a/proxy/logging/Log.cc
+++ b/proxy/logging/Log.cc
@@ -505,6 +505,11 @@ Log::init_fields()
global_field_list.add(field, false);
field_symbol_hash.emplace("cqssc", field);
+ field = new LogField("client_curve", "cqssu", LogField::STRING, &LogAccess::marshal_client_security_curve,
+ (LogField::UnmarshalFunc)&LogAccess::unmarshal_str);
+ global_field_list.add(field, false);
+ field_symbol_hash.emplace("cqssu", field);
+
Ptr<LogFieldAliasTable> finish_status_map = make_ptr(new LogFieldAliasTable);
finish_status_map->init(N_LOG_FINISH_CODE_TYPES, LOG_FINISH_FIN, "FIN", LOG_FINISH_INTR, "INTR", LOG_FINISH_TIMEOUT, "TIMEOUT");
diff --git a/proxy/logging/LogAccess.cc b/proxy/logging/LogAccess.cc
index d673068..91f6c7f 100644
--- a/proxy/logging/LogAccess.cc
+++ b/proxy/logging/LogAccess.cc
@@ -1856,6 +1856,19 @@ LogAccess::marshal_client_security_cipher_suite(char *buf)
return round_len;
}
+int
+LogAccess::marshal_client_security_curve(char *buf)
+{
+ const char *curve = m_http_sm->client_curve;
+ int round_len = LogAccess::strlen(curve);
+
+ if (buf) {
+ marshal_str(buf, curve, round_len);
+ }
+
+ return round_len;
+}
+
/*-------------------------------------------------------------------------
-------------------------------------------------------------------------*/
diff --git a/proxy/logging/LogAccess.h b/proxy/logging/LogAccess.h
index 1d35627..264ccea 100644
--- a/proxy/logging/LogAccess.h
+++ b/proxy/logging/LogAccess.h
@@ -153,6 +153,7 @@ public:
inkcoreapi int marshal_client_req_mptcp_state(char *); // INT
inkcoreapi int marshal_client_security_protocol(char *); // STR
inkcoreapi int marshal_client_security_cipher_suite(char *); // STR
+ inkcoreapi int marshal_client_security_curve(char *); // STR
inkcoreapi int marshal_client_finish_status_code(char *); // INT
inkcoreapi int marshal_client_req_id(char *); // INT
inkcoreapi int marshal_client_req_uuid(char *); // STR