Posted to commits@trafficserver.apache.org by zw...@apache.org on 2022/07/07 16:46:50 UTC

[trafficserver] branch 9.2.x updated: add log format for whether origin TLS connection resumed an existing TLS session (#8745)

This is an automated email from the ASF dual-hosted git repository.

zwoop pushed a commit to branch 9.2.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/9.2.x by this push:
     new 5116cfe1a  add log format for whether origin TLS connection resumed an existing TLS session (#8745)
5116cfe1a is described below

commit 5116cfe1aa7649ae053dd5220de0609ba3e16577
Author: Fei Deng <du...@gmail.com>
AuthorDate: Mon Mar 21 18:17:52 2022 -0500

     add log format for whether origin TLS connection resumed an existing TLS session (#8745)
    
    (cherry picked from commit 68070195721127854befa9fa99823e806f197f67)
---
 doc/admin-guide/logging/formatting.en.rst |  3 +++
 iocore/net/TLSSessionResumptionSupport.cc | 14 +++++++++++++-
 iocore/net/TLSSessionResumptionSupport.h  |  7 +++++--
 proxy/http/HttpSM.cc                      |  4 ++++
 proxy/http/HttpSM.h                       |  1 +
 proxy/logging/Log.cc                      |  5 +++++
 proxy/logging/LogAccess.cc                |  9 +++++++++
 proxy/logging/LogAccess.h                 |  1 +
 8 files changed, 41 insertions(+), 3 deletions(-)

diff --git a/doc/admin-guide/logging/formatting.en.rst b/doc/admin-guide/logging/formatting.en.rst
index 4b982af3d..2849694d0 100644
--- a/doc/admin-guide/logging/formatting.en.rst
+++ b/doc/admin-guide/logging/formatting.en.rst
@@ -637,6 +637,9 @@ cqssu  Client Request SSL Elliptic Curve used by |TS| to communicate with the
 cqssa  Client Request ALPN Protocol ID negotiated with the client.
 pqssl  Proxy Request  Indicates whether the connection from |TS| to the origin
                       was over SSL or not.
+pqssr  Proxy Request  SSL session ticket reused status from |TS| to the origin;
+                      indicates if the current request hit the SSL session ticket
+                      and avoided a full SSL handshake.
 pscert Proxy Request  1 if origin requested certificate from |TS| during TLS
                       handshake but no client certificate was defined. 2 if origin
                       requested certificate from |TS| during TLS handshake and a
diff --git a/iocore/net/TLSSessionResumptionSupport.cc b/iocore/net/TLSSessionResumptionSupport.cc
index 94ab306c1..9984b4731 100644
--- a/iocore/net/TLSSessionResumptionSupport.cc
+++ b/iocore/net/TLSSessionResumptionSupport.cc
@@ -122,6 +122,12 @@ TLSSessionResumptionSupport::getSSLSessionCacheHit() const
   return this->_sslSessionCacheHit;
 }
 
+bool
+TLSSessionResumptionSupport::getSSLOriginSessionCacheHit() const
+{
+  return this->_sslOriginSessionCacheHit;
+}
+
 ssl_curve_id
 TLSSessionResumptionSupport::getSSLCurveNID() const
 {
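Review bot: The new getter `getSSLOriginSessionCacheHit()` carries no comment distinguishing it from the adjacent `getSSLSessionCacheHit()`, and the two names differ by one word; a reader of the log-field code cannot tell which side of the proxy each reports. I would add above the getter `/// True when the outbound (origin-side) TLS handshake resumed a session found in the origin session cache; set only by getOriginSession().` and a matching one-liner on the declarations in the TLSSessionResumptionSupport.h hunks (the `bool getSSLOriginSessionCacheHit() const;` line and the `_sslOriginSessionCacheHit` member), noting there that `_sslSessionCacheHit` remains the client-side flag. The same applies to the `_setSSLOriginSessionCacheHit` setter added in the third hunk of this file.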
@@ -187,7 +193,7 @@ TLSSessionResumptionSupport::getOriginSession(SSL *ssl, const std::string &looku
       shared_sess.reset();
     } else {
       SSL_INCREMENT_DYN_STAT(ssl_origin_session_cache_hit);
-      this->_setSSLSessionCacheHit(true);
+      this->_setSSLOriginSessionCacheHit(true);
       this->_setSSLCurveNID(curve);
     }
   } else {
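Review bot: The replaced line only ever sets `_sslOriginSessionCacheHit` to true on the cache-hit path; nothing in this hunk clears it on the miss path (`shared_sess.reset()`), so it relies on the member's default of `false` and on this support object performing at most one origin lookup. If the same object can see a second origin handshake (e.g. a reconnect on the same VC) the flag would stay stale-true and `pqssr` would over-report resumption; if that is possible, add `this->_setSSLOriginSessionCacheHit(false);` next to `shared_sess.reset();`, otherwise a comment stating the one-lookup assumption would suffice. getOriginSession begins and ends outside this hunk, so I cannot confirm either way.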
@@ -304,6 +310,12 @@ TLSSessionResumptionSupport::_setSSLSessionCacheHit(bool state)
   this->_sslSessionCacheHit = state;
 }
 
+void
+TLSSessionResumptionSupport::_setSSLOriginSessionCacheHit(bool state)
+{
+  this->_sslOriginSessionCacheHit = state;
+}
+
 void
 TLSSessionResumptionSupport::_setSSLCurveNID(ssl_curve_id curve_nid)
 {
diff --git a/iocore/net/TLSSessionResumptionSupport.h b/iocore/net/TLSSessionResumptionSupport.h
index 5f1fa37a9..fb27ed3a3 100644
--- a/iocore/net/TLSSessionResumptionSupport.h
+++ b/iocore/net/TLSSessionResumptionSupport.h
@@ -48,6 +48,7 @@ public:
                            int enc);
 #endif
   bool getSSLSessionCacheHit() const;
+  bool getSSLOriginSessionCacheHit() const;
   ssl_curve_id getSSLCurveNID() const;
 
   SSL_SESSION *getSession(SSL *ssl, const unsigned char *id, int len, int *copy);
@@ -60,8 +61,9 @@ protected:
 private:
   static int _ex_data_index;
 
-  bool _sslSessionCacheHit = false;
-  int _sslCurveNID         = NID_undef;
+  bool _sslSessionCacheHit       = false;
+  bool _sslOriginSessionCacheHit = false;
+  int _sslCurveNID               = NID_undef;
 
 #ifdef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB
   int _setSessionInformation(ssl_ticket_key_block *keyblock, SSL *ssl, unsigned char *keyname, unsigned char *iv,
@@ -76,5 +78,6 @@ private:
 #endif
 
   void _setSSLSessionCacheHit(bool state);
+  void _setSSLOriginSessionCacheHit(bool state);
   void _setSSLCurveNID(ssl_curve_id curve_nid);
 };
diff --git a/proxy/http/HttpSM.cc b/proxy/http/HttpSM.cc
index 676cc452b..e1bd524c5 100644
--- a/proxy/http/HttpSM.cc
+++ b/proxy/http/HttpSM.cc
@@ -6308,6 +6308,10 @@ HttpSM::attach_server_session()
     server_connection_is_ssl = true;
   }
 
+  if (auto tsrs = dynamic_cast<TLSSessionResumptionSupport *>(server_vc)) {
+    server_ssl_reused = tsrs->getSSLOriginSessionCacheHit();
+  }
+
   server_protocol = server_txn->get_protocol_string();
 
   // Initiate a read on the session so that the SM and not
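Review bot: When `server_vc` is not a `TLSSessionResumptionSupport` the new `if` leaves `server_ssl_reused` untouched rather than assigning it, so on any path where attach_server_session runs more than once on the same SM (a retry that lands on a non-TLS origin after a resumed TLS one) the field would keep the earlier value; the sibling `server_connection_is_ssl` just above appears to be assigned unconditionally. Prefer an unconditional assignment: `auto tsrs = dynamic_cast<TLSSessionResumptionSupport *>(server_vc);` followed by `server_ssl_reused = tsrs != nullptr && tsrs->getSSLOriginSessionCacheHit();`. Also worth a comment here: for a pooled origin connection this reports whether the connection's original handshake was resumed, not anything specific to the current transaction, which is narrower than the "current request" wording in the formatting.en.rst hunk — confirm against the session-pool path, which is outside this hunk.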
diff --git a/proxy/http/HttpSM.h b/proxy/http/HttpSM.h
index 8a8664e79..72f1ad526 100644
--- a/proxy/http/HttpSM.h
+++ b/proxy/http/HttpSM.h
@@ -542,6 +542,7 @@ public:
   bool client_ssl_reused              = false;
   bool client_connection_is_ssl       = false;
   bool is_internal                    = false;
+  bool server_ssl_reused              = false;
   bool server_connection_is_ssl       = false;
   bool is_waiting_for_full_body       = false;
   bool is_using_post_buffer           = false;
diff --git a/proxy/logging/Log.cc b/proxy/logging/Log.cc
index 3c07e7e5a..438aba4f1 100644
--- a/proxy/logging/Log.cc
+++ b/proxy/logging/Log.cc
@@ -747,6 +747,11 @@ Log::init_fields()
   global_field_list.add(field, false);
   field_symbol_hash.emplace("pqssl", field);
 
+  field = new LogField("proxy_req_ssl_reused", "pqssr", LogField::dINT, &LogAccess::marshal_proxy_req_ssl_reused,
+                       &LogAccess::unmarshal_int_to_str);
+  global_field_list.add(field, false);
+  field_symbol_hash.emplace("pqssr", field);
+
   field = new LogField("proxy_request_all_header_fields", "pqah", LogField::STRING, &LogAccess::marshal_proxy_req_all_header_fields,
                        &LogUtils::unmarshalMimeHdr);
   global_field_list.add(field, false);
diff --git a/proxy/logging/LogAccess.cc b/proxy/logging/LogAccess.cc
index f14e03c04..7cef1ff19 100644
--- a/proxy/logging/LogAccess.cc
+++ b/proxy/logging/LogAccess.cc
@@ -2475,6 +2475,15 @@ LogAccess::marshal_proxy_req_is_ssl(char *buf)
   return INK_MIN_ALIGN;
 }
 
+int
+LogAccess::marshal_proxy_req_ssl_reused(char *buf)
+{
+  if (buf) {
+    marshal_int(buf, m_http_sm->server_ssl_reused ? 1 : 0);
+  }
+  return INK_MIN_ALIGN;
+}
+
 /*-------------------------------------------------------------------------
   -------------------------------------------------------------------------*/
 
diff --git a/proxy/logging/LogAccess.h b/proxy/logging/LogAccess.h
index 2f2956d6d..db799131c 100644
--- a/proxy/logging/LogAccess.h
+++ b/proxy/logging/LogAccess.h
@@ -189,6 +189,7 @@ public:
   int marshal_proxy_host_name(char *);             // STR
   int marshal_proxy_host_ip(char *);               // STR
   int marshal_proxy_req_is_ssl(char *);            // INT
+  int marshal_proxy_req_ssl_reused(char *);        // INT
   int marshal_proxy_req_all_header_fields(char *); // STR
 
   //