Posted to commits@trafficserver.apache.org by zw...@apache.org on 2022/07/07 16:46:50 UTC
[trafficserver] branch 9.2.x updated: add log format for whether origin TLS connection resumed an existing TLS session (#8745)
This is an automated email from the ASF dual-hosted git repository.
zwoop pushed a commit to branch 9.2.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/9.2.x by this push:
new 5116cfe1a add log format for whether origin TLS connection resumed an existing TLS session (#8745)
5116cfe1a is described below
commit 5116cfe1aa7649ae053dd5220de0609ba3e16577
Author: Fei Deng <du...@gmail.com>
AuthorDate: Mon Mar 21 18:17:52 2022 -0500
add log format for whether origin TLS connection resumed an existing TLS session (#8745)
(cherry picked from commit 68070195721127854befa9fa99823e806f197f67)
---
doc/admin-guide/logging/formatting.en.rst | 3 +++
iocore/net/TLSSessionResumptionSupport.cc | 14 +++++++++++++-
iocore/net/TLSSessionResumptionSupport.h | 7 +++++--
proxy/http/HttpSM.cc | 4 ++++
proxy/http/HttpSM.h | 1 +
proxy/logging/Log.cc | 5 +++++
proxy/logging/LogAccess.cc | 9 +++++++++
proxy/logging/LogAccess.h | 1 +
8 files changed, 41 insertions(+), 3 deletions(-)
diff --git a/doc/admin-guide/logging/formatting.en.rst b/doc/admin-guide/logging/formatting.en.rst
index 4b982af3d..2849694d0 100644
--- a/doc/admin-guide/logging/formatting.en.rst
+++ b/doc/admin-guide/logging/formatting.en.rst
@@ -637,6 +637,9 @@ cqssu Client Request SSL Elliptic Curve used by |TS| to communicate with the
cqssa Client Request ALPN Protocol ID negotiated with the client.
pqssl Proxy Request Indicates whether the connection from |TS| to the origin
was over SSL or not.
+pqssr Proxy Request SSL session ticket reused status from |TS| to the origin;
+ indicates if the current request hit the SSL session ticket
+ and avoided a full SSL handshake.
pscert Proxy Request 1 if origin requested certificate from |TS| during TLS
handshake but no client certificate was defined. 2 if origin
requested certificate from |TS| during TLS handshake and a
diff --git a/iocore/net/TLSSessionResumptionSupport.cc b/iocore/net/TLSSessionResumptionSupport.cc
index 94ab306c1..9984b4731 100644
--- a/iocore/net/TLSSessionResumptionSupport.cc
+++ b/iocore/net/TLSSessionResumptionSupport.cc
@@ -122,6 +122,12 @@ TLSSessionResumptionSupport::getSSLSessionCacheHit() const
return this->_sslSessionCacheHit;
}
+bool
+TLSSessionResumptionSupport::getSSLOriginSessionCacheHit() const
+{
+ return this->_sslOriginSessionCacheHit;
+}
+
ssl_curve_id
TLSSessionResumptionSupport::getSSLCurveNID() const
{
@@ -187,7 +193,7 @@ TLSSessionResumptionSupport::getOriginSession(SSL *ssl, const std::string &looku
shared_sess.reset();
} else {
SSL_INCREMENT_DYN_STAT(ssl_origin_session_cache_hit);
- this->_setSSLSessionCacheHit(true);
+ this->_setSSLOriginSessionCacheHit(true);
this->_setSSLCurveNID(curve);
}
} else {
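Review bot: The flag set by `this->_setSSLOriginSessionCacheHit(true)` records that a session for the origin was found in the origin session cache and handed to the handshake, not that the origin accepted it; if the origin declines the session and completes a full handshake, a `pqssr` value of 1 would be misleading. I am inferring that this runs before the handshake completes — confirm where the outcome is checked. If the field is meant to reflect the handshake result, derive it after the origin handshake (OpenSSL's `SSL_session_reused(ssl)` reports exactly that) rather than at lookup time; otherwise the documentation for `pqssr` should say "origin session cache hit" rather than "resumed". getOriginSession starts and ends outside the hunk.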
@@ -304,6 +310,12 @@ TLSSessionResumptionSupport::_setSSLSessionCacheHit(bool state)
this->_sslSessionCacheHit = state;
}
+void
+TLSSessionResumptionSupport::_setSSLOriginSessionCacheHit(bool state)
+{
+ this->_sslOriginSessionCacheHit = state;
+}
+
void
TLSSessionResumptionSupport::_setSSLCurveNID(ssl_curve_id curve_nid)
{
diff --git a/iocore/net/TLSSessionResumptionSupport.h b/iocore/net/TLSSessionResumptionSupport.h
index 5f1fa37a9..fb27ed3a3 100644
--- a/iocore/net/TLSSessionResumptionSupport.h
+++ b/iocore/net/TLSSessionResumptionSupport.h
@@ -48,6 +48,7 @@ public:
int enc);
#endif
bool getSSLSessionCacheHit() const;
+ bool getSSLOriginSessionCacheHit() const;
ssl_curve_id getSSLCurveNID() const;
SSL_SESSION *getSession(SSL *ssl, const unsigned char *id, int len, int *copy);
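Review bot: `bool getSSLOriginSessionCacheHit() const;` is added without a comment, and since the neighbouring `getSSLSessionCacheHit` is also undocumented the header does not say which side each flag describes. Add `// True when the session used for the origin-side connection was found in the origin session cache.` above the new declaration so readers do not have to trace the setter to tell the two apart. The private setter `_setSSLOriginSessionCacheHit` is declared in a later hunk of this file.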
@@ -60,8 +61,9 @@ protected:
private:
static int _ex_data_index;
- bool _sslSessionCacheHit = false;
- int _sslCurveNID = NID_undef;
+ bool _sslSessionCacheHit = false;
+ bool _sslOriginSessionCacheHit = false;
+ int _sslCurveNID = NID_undef;
#ifdef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB
int _setSessionInformation(ssl_ticket_key_block *keyblock, SSL *ssl, unsigned char *keyname, unsigned char *iv,
@@ -76,5 +78,6 @@ private:
#endif
void _setSSLSessionCacheHit(bool state);
+ void _setSSLOriginSessionCacheHit(bool state);
void _setSSLCurveNID(ssl_curve_id curve_nid);
};
diff --git a/proxy/http/HttpSM.cc b/proxy/http/HttpSM.cc
index 676cc452b..e1bd524c5 100644
--- a/proxy/http/HttpSM.cc
+++ b/proxy/http/HttpSM.cc
@@ -6308,6 +6308,10 @@ HttpSM::attach_server_session()
server_connection_is_ssl = true;
}
+ if (auto tsrs = dynamic_cast<TLSSessionResumptionSupport *>(server_vc)) {
+ server_ssl_reused = tsrs->getSSLOriginSessionCacheHit();
+ }
+
server_protocol = server_txn->get_protocol_string();
// Initiate a read on the session so that the SM and not
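Review bot: `server_ssl_reused` is only written when the `dynamic_cast` succeeds, so if `attach_server_session` runs again for the same state machine with a `server_vc` that is not a `TLSSessionResumptionSupport` (I am inferring a retry path exists — confirm), the value from the earlier connection is kept and logged. Assign it unconditionally so the field always describes the current origin connection: `auto tsrs = dynamic_cast<TLSSessionResumptionSupport *>(server_vc);` followed by `server_ssl_reused = tsrs != nullptr && tsrs->getSSLOriginSessionCacheHit();`. attach_server_session starts and ends outside the hunk.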
diff --git a/proxy/http/HttpSM.h b/proxy/http/HttpSM.h
index 8a8664e79..72f1ad526 100644
--- a/proxy/http/HttpSM.h
+++ b/proxy/http/HttpSM.h
@@ -542,6 +542,7 @@ public:
bool client_ssl_reused = false;
bool client_connection_is_ssl = false;
bool is_internal = false;
+ bool server_ssl_reused = false;
bool server_connection_is_ssl = false;
bool is_waiting_for_full_body = false;
bool is_using_post_buffer = false;
diff --git a/proxy/logging/Log.cc b/proxy/logging/Log.cc
index 3c07e7e5a..438aba4f1 100644
--- a/proxy/logging/Log.cc
+++ b/proxy/logging/Log.cc
@@ -747,6 +747,11 @@ Log::init_fields()
global_field_list.add(field, false);
field_symbol_hash.emplace("pqssl", field);
+ field = new LogField("proxy_req_ssl_reused", "pqssr", LogField::dINT, &LogAccess::marshal_proxy_req_ssl_reused,
+ &LogAccess::unmarshal_int_to_str);
+ global_field_list.add(field, false);
+ field_symbol_hash.emplace("pqssr", field);
+
field = new LogField("proxy_request_all_header_fields", "pqah", LogField::STRING, &LogAccess::marshal_proxy_req_all_header_fields,
&LogUtils::unmarshalMimeHdr);
global_field_list.add(field, false);
diff --git a/proxy/logging/LogAccess.cc b/proxy/logging/LogAccess.cc
index f14e03c04..7cef1ff19 100644
--- a/proxy/logging/LogAccess.cc
+++ b/proxy/logging/LogAccess.cc
@@ -2475,6 +2475,15 @@ LogAccess::marshal_proxy_req_is_ssl(char *buf)
return INK_MIN_ALIGN;
}
+int
+LogAccess::marshal_proxy_req_ssl_reused(char *buf)
+{
+ if (buf) {
+ marshal_int(buf, m_http_sm->server_ssl_reused ? 1 : 0);
+ }
+ return INK_MIN_ALIGN;
+}
+
/*-------------------------------------------------------------------------
-------------------------------------------------------------------------*/
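Review bot: `marshal_proxy_req_ssl_reused` has no comment stating what the marshalled integer means or that it is read from `m_http_sm->server_ssl_reused`; add `// INT: 1 if the origin-side TLS session was found in the origin session cache (HttpSM::server_ssl_reused), else 0` above the definition. As `server_ssl_reused` is already a bool, `marshal_int(buf, m_http_sm->server_ssl_reused);` says the same without the ternary, provided marshal_int takes an integral argument. The sibling `marshal_proxy_req_is_ssl` body starts outside the hunk, so I cannot tell whether it guards `m_http_sm`; the new function should follow whatever convention it uses.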
diff --git a/proxy/logging/LogAccess.h b/proxy/logging/LogAccess.h
index 2f2956d6d..db799131c 100644
--- a/proxy/logging/LogAccess.h
+++ b/proxy/logging/LogAccess.h
@@ -189,6 +189,7 @@ public:
int marshal_proxy_host_name(char *); // STR
int marshal_proxy_host_ip(char *); // STR
int marshal_proxy_req_is_ssl(char *); // INT
+ int marshal_proxy_req_ssl_reused(char *); // INT
int marshal_proxy_req_all_header_fields(char *); // STR
//