Posted to commits@trafficserver.apache.org by su...@apache.org on 2019/06/21 22:50:37 UTC

[trafficserver] branch master updated (130dcd0 -> 42b7694)

This is an automated email from the ASF dual-hosted git repository.

sudheerv pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git.


    from 130dcd0  Auto port selection for more autests
     new 59b02ba  Add metrics to track SSLv3 and TLS versions
     new cac7766  Use SSL_version() directly instead of SSL_get_version() which returns a string (Thanks @maskit for the pointer).
     new 42b7694  Fix build error for pre openssl-1.1.1

The 3 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 iocore/net/P_SSLNetVConnection.h |  1 +
 iocore/net/SSLNetVConnection.cc  | 30 +++++++++++++++++++++++++++++-
 iocore/net/SSLStats.cc           | 12 ++++++++++++
 iocore/net/SSLStats.h            |  7 +++++++
 4 files changed, 49 insertions(+), 1 deletion(-)


[trafficserver] 01/03: Add metrics to track SSLv3 and TLS versions

Posted by su...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

sudheerv pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git

commit 59b02bae506e2521894ccd071856317dba9344a6
Author: Sudheer Vinukonda <su...@apache.org>
AuthorDate: Tue Jun 18 10:01:08 2019 -0700

    Add metrics to track SSLv3 and TLS versions
---
 iocore/net/P_SSLNetVConnection.h |  2 ++
 iocore/net/SSLNetVConnection.cc  | 33 ++++++++++++++++++++++++++++++++-
 iocore/net/SSLStats.cc           | 12 ++++++++++++
 iocore/net/SSLStats.h            |  7 +++++++
 4 files changed, 53 insertions(+), 1 deletion(-)

diff --git a/iocore/net/P_SSLNetVConnection.h b/iocore/net/P_SSLNetVConnection.h
index 23733a2..d093e73 100644
--- a/iocore/net/P_SSLNetVConnection.h
+++ b/iocore/net/P_SSLNetVConnection.h
@@ -355,6 +355,8 @@ public:
   int populate_protocol(std::string_view *results, int n) const override;
   const char *protocol_contains(std::string_view tag) const override;
 
+  void increment_ssl_version_metric(const char *version) const;
+
   /**
    * Populate the current object based on the socket information in in the
    * con parameter and the ssl object in the arg parameter
diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
index 16d8e1b..4d9444b 100644
--- a/iocore/net/SSLNetVConnection.cc
+++ b/iocore/net/SSLNetVConnection.cc
@@ -1267,11 +1267,12 @@ SSLNetVConnection::sslServerHandShakeEvent(int &err)
       SSL_INCREMENT_DYN_STAT_EX(ssl_total_handshake_time_stat, ssl_handshake_time);
       SSL_INCREMENT_DYN_STAT(ssl_total_success_handshake_count_in_stat);
     }
-
     {
       const unsigned char *proto = nullptr;
       unsigned len               = 0;
 
+      increment_ssl_version_metric(getSSLProtocol());
+
       // If it's possible to negotiate both NPN and ALPN, then ALPN
       // is preferred since it is the server's preference.  The server
       // preference would not be meaningful if we let the client
@@ -1812,6 +1813,36 @@ SSLNetVConnection::populate(Connection &con, Continuation *c, void *arg)
   return EVENT_DONE;
 }
 
+void
+SSLNetVConnection::increment_ssl_version_metric(const char *version) const
+{
+  if (version) {
+    // openSSL guarantees the case of the protocol string.
+    if (version[0] == 'T' && version[1] == 'L' && version[2] == 'S' && version[3] == 'v' && version[4] == '1') {
+      if (version[5] == 0) {
+        SSL_INCREMENT_DYN_STAT(ssl_total_tlsv1);
+      } else if (version[5] == '.' && version[7] == 0) {
+        switch (version[6]) {
+        case '1':
+          SSL_INCREMENT_DYN_STAT(ssl_total_tlsv11);
+          break;
+        case '2':
+          SSL_INCREMENT_DYN_STAT(ssl_total_tlsv12);
+          break;
+        case '3':
+          SSL_INCREMENT_DYN_STAT(ssl_total_tlsv13);
+          break;
+        default:
+          break;
+        }
+      }
+    }
+  } else if (version[0] == 'S' && version[1] == 'S' && version[2] == 'L' && version[3] == 'v' && version[4] == '3' &&
+             version[5] == 0) {
+    SSL_INCREMENT_DYN_STAT(ssl_total_sslv3);
+  }
+}
+
 std::string_view
 SSLNetVConnection::map_tls_protocol_to_tag(const char *proto_string) const
 {
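Review bot: The `else if` that tests for `SSLv3` is paired with the outer `if (version)`, so it executes only when `version` is null and then dereferences it at `version[0]`; with a non-null string the SSLv3 branch is unreachable and `ssl_total_sslv3` can never be incremented. Move the closing brace so the branch pairs with the `TLSv1` check inside the null guard, i.e. replace `  } else if (version[0] == 'S' && ... && version[5] == 0) {` with the same condition one level deeper (`    } else if (...) {`) and add the extra `}` after the increment so both arms sit inside `if (version)`. The `version[7] == 0` test also reads past the terminator if `version[6]` were NUL, which holds for the fixed OpenSSL strings but is not checked. Commit 02/03 on this page replaces the function with an integer switch on `SSL_version()`, which sidesteps both issues.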
diff --git a/iocore/net/SSLStats.cc b/iocore/net/SSLStats.cc
index b15f5d6..5b466c5 100644
--- a/iocore/net/SSLStats.cc
+++ b/iocore/net/SSLStats.cc
@@ -205,6 +205,18 @@ SSLInitializeStatistics()
   RecRegisterRawStat(ssl_rsb, RECT_PROCESS, "proxy.process.ssl.ssl_ocsp_refresh_cert_failure", RECD_INT, RECP_PERSISTENT,
                      (int)ssl_ocsp_refresh_cert_failure_stat, RecRawStatSyncCount);
 
+  /* SSL Version stats */
+  RecRegisterRawStat(ssl_rsb, RECT_PROCESS, "proxy.process.ssl.ssl_total_sslv3", RECD_COUNTER, RECP_PERSISTENT,
+                     (int)ssl_total_sslv3, RecRawStatSyncCount);
+  RecRegisterRawStat(ssl_rsb, RECT_PROCESS, "proxy.process.ssl.ssl_total_tlsv1", RECD_COUNTER, RECP_PERSISTENT,
+                     (int)ssl_total_tlsv1, RecRawStatSyncCount);
+  RecRegisterRawStat(ssl_rsb, RECT_PROCESS, "proxy.process.ssl.ssl_total_tlsv11", RECD_COUNTER, RECP_PERSISTENT,
+                     (int)ssl_total_tlsv11, RecRawStatSyncCount);
+  RecRegisterRawStat(ssl_rsb, RECT_PROCESS, "proxy.process.ssl.ssl_total_tlsv12", RECD_COUNTER, RECP_PERSISTENT,
+                     (int)ssl_total_tlsv12, RecRawStatSyncCount);
+  RecRegisterRawStat(ssl_rsb, RECT_PROCESS, "proxy.process.ssl.ssl_total_tlsv13", RECD_COUNTER, RECP_PERSISTENT,
+                     (int)ssl_total_tlsv13, RecRawStatSyncCount);
+
   // Get and register the SSL cipher stats. Note that we are using the default SSL context to obtain
   // the cipher list. This means that the set of ciphers is fixed by the build configuration and not
   // filtered by proxy.config.ssl.server.cipher_suite. This keeps the set of cipher suites stable across
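Review bot: The registration block is introduced only by `/* SSL Version stats */`, which does not say what one increment means. The single call site this series adds is in `sslServerHandShakeEvent`, so as far as the series shows these counters are bumped once per successful inbound (server-side) handshake and outbound connections are not counted; the neighbouring `ssl_total_success_handshake_count_in_stat` makes that scope explicit in its name, these do not. Suggest `// SSL/TLS version counters: one increment per successful inbound (server-side) handshake; outbound handshakes are not counted.`, in the `//` style the rest of this function uses. Stating the scope matters because these counters are what an operator would read to confirm no clients still negotiate SSLv3 or TLS 1.0 before disabling them.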
diff --git a/iocore/net/SSLStats.h b/iocore/net/SSLStats.h
index ff38df0..66dbeff 100644
--- a/iocore/net/SSLStats.h
+++ b/iocore/net/SSLStats.h
@@ -102,6 +102,13 @@ enum SSL_Stats {
   ssl_ocsp_refreshed_cert_stat,
   ssl_ocsp_refresh_cert_failure_stat,
 
+  /* SSL/TLS versions */
+  ssl_total_sslv3,
+  ssl_total_tlsv1,
+  ssl_total_tlsv11,
+  ssl_total_tlsv12,
+  ssl_total_tlsv13,
+
   ssl_cipher_stats_start = 100,
   ssl_cipher_stats_end   = 300,
 


[trafficserver] 03/03: Fix build error for pre openssl-1.1.1

Posted by su...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

sudheerv pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git

commit 42b7694c418cd965252e8def0352deb010dc4ec2
Author: Sudheer Vinukonda <su...@apache.org>
AuthorDate: Thu Jun 20 14:51:54 2019 -0700

    Fix build error for pre openssl-1.1.1
---
 iocore/net/SSLNetVConnection.cc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
index 7a460ca..b4ef157 100644
--- a/iocore/net/SSLNetVConnection.cc
+++ b/iocore/net/SSLNetVConnection.cc
@@ -1829,9 +1829,11 @@ SSLNetVConnection::increment_ssl_version_metric(int version) const
   case TLS1_2_VERSION:
     SSL_INCREMENT_DYN_STAT(ssl_total_tlsv12);
     break;
+#ifdef TLS1_3_VERSION
   case TLS1_3_VERSION:
     SSL_INCREMENT_DYN_STAT(ssl_total_tlsv13);
     break;
+#endif
   default:
     Debug("ssl", "Unrecognized SSL version %d", version);
     break;


[trafficserver] 02/03: Use SSL_version() directly instead of SSL_get_version() which returns a string (Thanks @maskit for the pointer).

Posted by su...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

sudheerv pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git

commit cac7766f7483e70040ec81164d2a8cde5a9c4233
Author: Sudheer Vinukonda <su...@apache.org>
AuthorDate: Thu Jun 20 12:42:20 2019 -0700

    Use SSL_version() directly instead of SSL_get_version() which returns a string
    (Thanks @maskit for the pointer).
---
 iocore/net/P_SSLNetVConnection.h |  3 +--
 iocore/net/SSLNetVConnection.cc  | 45 ++++++++++++++++++----------------------
 2 files changed, 21 insertions(+), 27 deletions(-)

diff --git a/iocore/net/P_SSLNetVConnection.h b/iocore/net/P_SSLNetVConnection.h
index d093e73..bea84aa 100644
--- a/iocore/net/P_SSLNetVConnection.h
+++ b/iocore/net/P_SSLNetVConnection.h
@@ -355,8 +355,6 @@ public:
   int populate_protocol(std::string_view *results, int n) const override;
   const char *protocol_contains(std::string_view tag) const override;
 
-  void increment_ssl_version_metric(const char *version) const;
-
   /**
    * Populate the current object based on the socket information in in the
    * con parameter and the ssl object in the arg parameter
@@ -403,6 +401,7 @@ public:
 private:
   std::string_view map_tls_protocol_to_tag(const char *proto_string) const;
   bool update_rbio(bool move_to_socket);
+  void increment_ssl_version_metric(int version) const;
 
   enum SSLHandshakeStatus sslHandshakeStatus = SSL_HANDSHAKE_ONGOING;
   bool sslClientRenegotiationAbort           = false;
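Review bot: The relocated private declaration `void increment_ssl_version_metric(int version) const;` has no doc comment, while the members above it carry Doxygen blocks. Since the parameter is now an `SSL_version()` return value rather than a protocol string, that contract is worth stating at the declaration: `/// Increment the per-protocol-version counter for a completed handshake. @param version an SSL_version() value (SSL3_VERSION, TLS1_VERSION, ...); unrecognized values are logged at Debug level and ignored.` The "logged and ignored" part matches the `default:` arm in the SSLNetVConnection.cc hunk of this commit.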
diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
index 4d9444b..7a460ca 100644
--- a/iocore/net/SSLNetVConnection.cc
+++ b/iocore/net/SSLNetVConnection.cc
@@ -1271,7 +1271,7 @@ SSLNetVConnection::sslServerHandShakeEvent(int &err)
       const unsigned char *proto = nullptr;
       unsigned len               = 0;
 
-      increment_ssl_version_metric(getSSLProtocol());
+      increment_ssl_version_metric(SSL_version(ssl));
 
       // If it's possible to negotiate both NPN and ALPN, then ALPN
       // is preferred since it is the server's preference.  The server
@@ -1814,32 +1814,27 @@ SSLNetVConnection::populate(Connection &con, Continuation *c, void *arg)
 }
 
 void
-SSLNetVConnection::increment_ssl_version_metric(const char *version) const
+SSLNetVConnection::increment_ssl_version_metric(int version) const
 {
-  if (version) {
-    // openSSL guarantees the case of the protocol string.
-    if (version[0] == 'T' && version[1] == 'L' && version[2] == 'S' && version[3] == 'v' && version[4] == '1') {
-      if (version[5] == 0) {
-        SSL_INCREMENT_DYN_STAT(ssl_total_tlsv1);
-      } else if (version[5] == '.' && version[7] == 0) {
-        switch (version[6]) {
-        case '1':
-          SSL_INCREMENT_DYN_STAT(ssl_total_tlsv11);
-          break;
-        case '2':
-          SSL_INCREMENT_DYN_STAT(ssl_total_tlsv12);
-          break;
-        case '3':
-          SSL_INCREMENT_DYN_STAT(ssl_total_tlsv13);
-          break;
-        default:
-          break;
-        }
-      }
-    }
-  } else if (version[0] == 'S' && version[1] == 'S' && version[2] == 'L' && version[3] == 'v' && version[4] == '3' &&
-             version[5] == 0) {
+  switch (version) {
+  case SSL3_VERSION:
     SSL_INCREMENT_DYN_STAT(ssl_total_sslv3);
+    break;
+  case TLS1_VERSION:
+    SSL_INCREMENT_DYN_STAT(ssl_total_tlsv1);
+    break;
+  case TLS1_1_VERSION:
+    SSL_INCREMENT_DYN_STAT(ssl_total_tlsv11);
+    break;
+  case TLS1_2_VERSION:
+    SSL_INCREMENT_DYN_STAT(ssl_total_tlsv12);
+    break;
+  case TLS1_3_VERSION:
+    SSL_INCREMENT_DYN_STAT(ssl_total_tlsv13);
+    break;
+  default:
+    Debug("ssl", "Unrecognized SSL version %d", version);
+    break;
   }
 }