You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@trafficserver.apache.org by br...@apache.org on 2014/07/17 19:24:15 UTC

[2/3] git commit: TS-1146: added counters to TLS ticket callback

TS-1146: added counters to TLS ticket callback


Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/a65742cd
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/a65742cd
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/a65742cd

Branch: refs/heads/master
Commit: a65742cd81de5f21ed65d7bc8d7ece2046c5ff6d
Parents: 5762069
Author: Alexey Ivanov <ai...@linkedin.com>
Authored: Fri Jul 4 21:05:01 2014 -0700
Committer: Brian Geffon <br...@apache.org>
Committed: Thu Jul 17 10:23:51 2014 -0700

----------------------------------------------------------------------
 iocore/net/P_SSLUtils.h |  4 ++++
 iocore/net/SSLUtils.cc  | 19 ++++++++++++++++++-
 2 files changed, 22 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/trafficserver/blob/a65742cd/iocore/net/P_SSLUtils.h
----------------------------------------------------------------------
diff --git a/iocore/net/P_SSLUtils.h b/iocore/net/P_SSLUtils.h
index 5145cb7..b1bf01c 100644
--- a/iocore/net/P_SSLUtils.h
+++ b/iocore/net/P_SSLUtils.h
@@ -64,6 +64,10 @@ enum SSL_Stats
   ssl_user_agent_session_timeout_stat,
   ssl_total_handshake_time_stat,
   ssl_total_success_handshake_count_stat,
+  ssl_total_tickets_created_stat,
+  ssl_total_tickets_verified_stat,
+  ssl_total_tickets_not_found_stat,
+  ssl_total_tickets_renewed_stat,
 
   ssl_cipher_stats_start = 100,
   ssl_cipher_stats_end = 300,

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/a65742cd/iocore/net/SSLUtils.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index 2d26adc..5ee77e2 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -644,6 +644,21 @@ SSLInitializeStatistics()
                      RECD_INT, RECP_PERSISTENT, (int) ssl_total_success_handshake_count_stat,
                      RecRawStatSyncCount);
 
+  // TLS tickets
+  RecRegisterRawStat(ssl_rsb, RECT_PROCESS, "proxy.process.ssl.total_tickets_created",
+                     RECD_INT, RECP_PERSISTENT, (int) ssl_total_tickets_created_stat,
+                     RecRawStatSyncCount);
+  RecRegisterRawStat(ssl_rsb, RECT_PROCESS, "proxy.process.ssl.total_tickets_verified",
+                     RECD_INT, RECP_PERSISTENT, (int) ssl_total_tickets_verified_stat,
+                     RecRawStatSyncCount);
+  RecRegisterRawStat(ssl_rsb, RECT_PROCESS, "proxy.process.ssl.total_tickets_not_found",
+                     RECD_INT, RECP_PERSISTENT, (int) ssl_total_tickets_not_found_stat,
+                     RecRawStatSyncCount);
+  // TODO: ticket renewal is not used right now.
+  RecRegisterRawStat(ssl_rsb, RECT_PROCESS, "proxy.process.ssl.total_tickets_renewed",
+                     RECD_INT, RECP_PERSISTENT, (int) ssl_total_tickets_renewed_stat,
+                     RecRawStatSyncCount);
+
   // Get and register the SSL cipher stats. Note that we are using the default SSL context to obtain
   // the cipher list. This means that the set of ciphers is fixed by the build configuration and not
   // filtered by proxy.config.ssl.server.cipher_suite. This keeps the set of cipher suites stable across
@@ -1493,11 +1508,12 @@ ssl_callback_session_ticket(
     EVP_EncryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL, ssl_ticket_key->aes_key, iv);
     HMAC_Init_ex(hctx, ssl_ticket_key->hmac_secret, 16, evp_md_func, NULL);
     Debug("ssl", "create ticket for a new session");
-
+    SSL_INCREMENT_DYN_STAT(ssl_total_tickets_created_stat);
     return 0;
   } else if (enc == 0) {
     if (memcmp(keyname, ssl_ticket_key->key_name, 16)) {
       Error("keyname is not consistent.");
+      SSL_INCREMENT_DYN_STAT(ssl_total_tickets_not_found_stat);
       return 0;
     }
 
@@ -1505,6 +1521,7 @@ ssl_callback_session_ticket(
     HMAC_Init_ex(hctx, ssl_ticket_key->hmac_secret, 16, evp_md_func, NULL);
 
     Debug("ssl", "verify the ticket for an existing session.");
+    SSL_INCREMENT_DYN_STAT(ssl_total_tickets_verified_stat);
     return 1;
   }

Re: [2/3] git commit: TS-1146: added counters to TLS ticket callback

Posted by James Peach <jp...@apache.org>.

On Jul 17, 2014, at 10:24 AM, briang@apache.org wrote:

> TS-1146: added counters to TLS ticket callback

This is a new feature, so it should have had a new Jira ticket.

> 
> 
> Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
> Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/a65742cd
> Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/a65742cd
> Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/a65742cd
> 
> Branch: refs/heads/master
> Commit: a65742cd81de5f21ed65d7bc8d7ece2046c5ff6d
> Parents: 5762069
> Author: Alexey Ivanov <ai...@linkedin.com>
> Authored: Fri Jul 4 21:05:01 2014 -0700
> Committer: Brian Geffon <br...@apache.org>
> Committed: Thu Jul 17 10:23:51 2014 -0700
> 
> ----------------------------------------------------------------------
> iocore/net/P_SSLUtils.h |  4 ++++
> iocore/net/SSLUtils.cc  | 19 ++++++++++++++++++-
> 2 files changed, 22 insertions(+), 1 deletion(-)
> ----------------------------------------------------------------------
> 
> 
> http://git-wip-us.apache.org/repos/asf/trafficserver/blob/a65742cd/iocore/net/P_SSLUtils.h
> ----------------------------------------------------------------------
> diff --git a/iocore/net/P_SSLUtils.h b/iocore/net/P_SSLUtils.h
> index 5145cb7..b1bf01c 100644
> --- a/iocore/net/P_SSLUtils.h
> +++ b/iocore/net/P_SSLUtils.h
> @@ -64,6 +64,10 @@ enum SSL_Stats
>   ssl_user_agent_session_timeout_stat,
>   ssl_total_handshake_time_stat,
>   ssl_total_success_handshake_count_stat,
> +  ssl_total_tickets_created_stat,
> +  ssl_total_tickets_verified_stat,
> +  ssl_total_tickets_not_found_stat,
> +  ssl_total_tickets_renewed_stat,
> 
>   ssl_cipher_stats_start = 100,
>   ssl_cipher_stats_end = 300,
> 
> http://git-wip-us.apache.org/repos/asf/trafficserver/blob/a65742cd/iocore/net/SSLUtils.cc
> ----------------------------------------------------------------------
> diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
> index 2d26adc..5ee77e2 100644
> --- a/iocore/net/SSLUtils.cc
> +++ b/iocore/net/SSLUtils.cc
> @@ -644,6 +644,21 @@ SSLInitializeStatistics()
>                      RECD_INT, RECP_PERSISTENT, (int) ssl_total_success_handshake_count_stat,
>                      RecRawStatSyncCount);
> 
> +  // TLS tickets
> +  RecRegisterRawStat(ssl_rsb, RECT_PROCESS, "proxy.process.ssl.total_tickets_created",
> +                     RECD_INT, RECP_PERSISTENT, (int) ssl_total_tickets_created_stat,
> +                     RecRawStatSyncCount);
> +  RecRegisterRawStat(ssl_rsb, RECT_PROCESS, "proxy.process.ssl.total_tickets_verified",
> +                     RECD_INT, RECP_PERSISTENT, (int) ssl_total_tickets_verified_stat,
> +                     RecRawStatSyncCount);
> +  RecRegisterRawStat(ssl_rsb, RECT_PROCESS, "proxy.process.ssl.total_tickets_not_found",
> +                     RECD_INT, RECP_PERSISTENT, (int) ssl_total_tickets_not_found_stat,
> +                     RecRawStatSyncCount);
> +  // TODO: ticket renewal is not used right now.
> +  RecRegisterRawStat(ssl_rsb, RECT_PROCESS, "proxy.process.ssl.total_tickets_renewed",
> +                     RECD_INT, RECP_PERSISTENT, (int) ssl_total_tickets_renewed_stat,
> +                     RecRawStatSyncCount);

I think that better stat names would be:

	proxy.process.ssl.session_tickets.created
	proxy.process.ssl.session_tickets.verified
	proxy.process.ssl.session_tickets.not_found
	proxy.process.ssl.session_tickets.renewed

This namespacing makes it easier to collect the group in metrics systems, ie. proxy.process.ssl.session_tickets.*

> +
>   // Get and register the SSL cipher stats. Note that we are using the default SSL context to obtain
>   // the cipher list. This means that the set of ciphers is fixed by the build configuration and not
>   // filtered by proxy.config.ssl.server.cipher_suite. This keeps the set of cipher suites stable across
> @@ -1493,11 +1508,12 @@ ssl_callback_session_ticket(
>     EVP_EncryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL, ssl_ticket_key->aes_key, iv);
>     HMAC_Init_ex(hctx, ssl_ticket_key->hmac_secret, 16, evp_md_func, NULL);
>     Debug("ssl", "create ticket for a new session");
> -
> +    SSL_INCREMENT_DYN_STAT(ssl_total_tickets_created_stat);
>     return 0;
>   } else if (enc == 0) {
>     if (memcmp(keyname, ssl_ticket_key->key_name, 16)) {
>       Error("keyname is not consistent.");
> +      SSL_INCREMENT_DYN_STAT(ssl_total_tickets_not_found_stat);
>       return 0;
>     }
> 
> @@ -1505,6 +1521,7 @@ ssl_callback_session_ticket(
>     HMAC_Init_ex(hctx, ssl_ticket_key->hmac_secret, 16, evp_md_func, NULL);
> 
>     Debug("ssl", "verify the ticket for an existing session.");
> +    SSL_INCREMENT_DYN_STAT(ssl_total_tickets_verified_stat);
>     return 1;
>   }
> 
>

Re: [2/3] git commit: TS-1146: added counters to TLS ticket callback

Posted by James Peach <jp...@apache.org>.

On Jul 17, 2014, at 10:24 AM, briang@apache.org wrote:

> TS-1146: added counters to TLS ticket callback

This is a new feature, so it should have had a new Jira ticket.

> 
> 
> Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
> Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/a65742cd
> Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/a65742cd
> Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/a65742cd
> 
> Branch: refs/heads/master
> Commit: a65742cd81de5f21ed65d7bc8d7ece2046c5ff6d
> Parents: 5762069
> Author: Alexey Ivanov <ai...@linkedin.com>
> Authored: Fri Jul 4 21:05:01 2014 -0700
> Committer: Brian Geffon <br...@apache.org>
> Committed: Thu Jul 17 10:23:51 2014 -0700
> 
> ----------------------------------------------------------------------
> iocore/net/P_SSLUtils.h |  4 ++++
> iocore/net/SSLUtils.cc  | 19 ++++++++++++++++++-
> 2 files changed, 22 insertions(+), 1 deletion(-)
> ----------------------------------------------------------------------
> 
> 
> http://git-wip-us.apache.org/repos/asf/trafficserver/blob/a65742cd/iocore/net/P_SSLUtils.h
> ----------------------------------------------------------------------
> diff --git a/iocore/net/P_SSLUtils.h b/iocore/net/P_SSLUtils.h
> index 5145cb7..b1bf01c 100644
> --- a/iocore/net/P_SSLUtils.h
> +++ b/iocore/net/P_SSLUtils.h
> @@ -64,6 +64,10 @@ enum SSL_Stats
>   ssl_user_agent_session_timeout_stat,
>   ssl_total_handshake_time_stat,
>   ssl_total_success_handshake_count_stat,
> +  ssl_total_tickets_created_stat,
> +  ssl_total_tickets_verified_stat,
> +  ssl_total_tickets_not_found_stat,
> +  ssl_total_tickets_renewed_stat,
> 
>   ssl_cipher_stats_start = 100,
>   ssl_cipher_stats_end = 300,
> 
> http://git-wip-us.apache.org/repos/asf/trafficserver/blob/a65742cd/iocore/net/SSLUtils.cc
> ----------------------------------------------------------------------
> diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
> index 2d26adc..5ee77e2 100644
> --- a/iocore/net/SSLUtils.cc
> +++ b/iocore/net/SSLUtils.cc
> @@ -644,6 +644,21 @@ SSLInitializeStatistics()
>                      RECD_INT, RECP_PERSISTENT, (int) ssl_total_success_handshake_count_stat,
>                      RecRawStatSyncCount);
> 
> +  // TLS tickets
> +  RecRegisterRawStat(ssl_rsb, RECT_PROCESS, "proxy.process.ssl.total_tickets_created",
> +                     RECD_INT, RECP_PERSISTENT, (int) ssl_total_tickets_created_stat,
> +                     RecRawStatSyncCount);
> +  RecRegisterRawStat(ssl_rsb, RECT_PROCESS, "proxy.process.ssl.total_tickets_verified",
> +                     RECD_INT, RECP_PERSISTENT, (int) ssl_total_tickets_verified_stat,
> +                     RecRawStatSyncCount);
> +  RecRegisterRawStat(ssl_rsb, RECT_PROCESS, "proxy.process.ssl.total_tickets_not_found",
> +                     RECD_INT, RECP_PERSISTENT, (int) ssl_total_tickets_not_found_stat,
> +                     RecRawStatSyncCount);
> +  // TODO: ticket renewal is not used right now.
> +  RecRegisterRawStat(ssl_rsb, RECT_PROCESS, "proxy.process.ssl.total_tickets_renewed",
> +                     RECD_INT, RECP_PERSISTENT, (int) ssl_total_tickets_renewed_stat,
> +                     RecRawStatSyncCount);

I think that better stat names would be:

	proxy.process.ssl.session_tickets.created
	proxy.process.ssl.session_tickets.verified
	proxy.process.ssl.session_tickets.not_found
	proxy.process.ssl.session_tickets.renewed

This namespacing makes it easier to collect the group in metrics systems, ie. proxy.process.ssl.session_tickets.*

> +
>   // Get and register the SSL cipher stats. Note that we are using the default SSL context to obtain
>   // the cipher list. This means that the set of ciphers is fixed by the build configuration and not
>   // filtered by proxy.config.ssl.server.cipher_suite. This keeps the set of cipher suites stable across
> @@ -1493,11 +1508,12 @@ ssl_callback_session_ticket(
>     EVP_EncryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL, ssl_ticket_key->aes_key, iv);
>     HMAC_Init_ex(hctx, ssl_ticket_key->hmac_secret, 16, evp_md_func, NULL);
>     Debug("ssl", "create ticket for a new session");
> -
> +    SSL_INCREMENT_DYN_STAT(ssl_total_tickets_created_stat);
>     return 0;
>   } else if (enc == 0) {
>     if (memcmp(keyname, ssl_ticket_key->key_name, 16)) {
>       Error("keyname is not consistent.");
> +      SSL_INCREMENT_DYN_STAT(ssl_total_tickets_not_found_stat);
>       return 0;
>     }
> 
> @@ -1505,6 +1521,7 @@ ssl_callback_session_ticket(
>     HMAC_Init_ex(hctx, ssl_ticket_key->hmac_secret, 16, evp_md_func, NULL);
> 
>     Debug("ssl", "verify the ticket for an existing session.");
> +    SSL_INCREMENT_DYN_STAT(ssl_total_tickets_verified_stat);
>     return 1;
>   }
> 
>