Posted to commits@trafficserver.apache.org by su...@apache.org on 2019/06/21 22:50:38 UTC

[trafficserver] 01/03: Add metrics to track SSLv3 and TLS versions

This is an automated email from the ASF dual-hosted git repository.

sudheerv pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git

commit 59b02bae506e2521894ccd071856317dba9344a6
Author: Sudheer Vinukonda <su...@apache.org>
AuthorDate: Tue Jun 18 10:01:08 2019 -0700

    Add metrics to track SSLv3 and TLS versions
---
 iocore/net/P_SSLNetVConnection.h |  2 ++
 iocore/net/SSLNetVConnection.cc  | 33 ++++++++++++++++++++++++++++++++-
 iocore/net/SSLStats.cc           | 12 ++++++++++++
 iocore/net/SSLStats.h            |  7 +++++++
 4 files changed, 53 insertions(+), 1 deletion(-)

diff --git a/iocore/net/P_SSLNetVConnection.h b/iocore/net/P_SSLNetVConnection.h
index 23733a2..d093e73 100644
--- a/iocore/net/P_SSLNetVConnection.h
+++ b/iocore/net/P_SSLNetVConnection.h
@@ -355,6 +355,8 @@ public:
   int populate_protocol(std::string_view *results, int n) const override;
   const char *protocol_contains(std::string_view tag) const override;
 
+  void increment_ssl_version_metric(const char *version) const;
+
   /**
    * Populate the current object based on the socket information in in the
    * con parameter and the ssl object in the arg parameter
diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
index 16d8e1b..4d9444b 100644
--- a/iocore/net/SSLNetVConnection.cc
+++ b/iocore/net/SSLNetVConnection.cc
@@ -1267,11 +1267,12 @@ SSLNetVConnection::sslServerHandShakeEvent(int &err)
       SSL_INCREMENT_DYN_STAT_EX(ssl_total_handshake_time_stat, ssl_handshake_time);
       SSL_INCREMENT_DYN_STAT(ssl_total_success_handshake_count_in_stat);
     }
-
     {
       const unsigned char *proto = nullptr;
       unsigned len               = 0;
 
+      increment_ssl_version_metric(getSSLProtocol());
+
       // If it's possible to negotiate both NPN and ALPN, then ALPN
       // is preferred since it is the server's preference.  The server
       // preference would not be meaningful if we let the client
@@ -1812,6 +1813,36 @@ SSLNetVConnection::populate(Connection &con, Continuation *c, void *arg)
   return EVENT_DONE;
 }
 
+void
+SSLNetVConnection::increment_ssl_version_metric(const char *version) const
+{
+  if (version) {
+    // openSSL guarantees the case of the protocol string.
+    if (version[0] == 'T' && version[1] == 'L' && version[2] == 'S' && version[3] == 'v' && version[4] == '1') {
+      if (version[5] == 0) {
+        SSL_INCREMENT_DYN_STAT(ssl_total_tlsv1);
+      } else if (version[5] == '.' && version[7] == 0) {
+        switch (version[6]) {
+        case '1':
+          SSL_INCREMENT_DYN_STAT(ssl_total_tlsv11);
+          break;
+        case '2':
+          SSL_INCREMENT_DYN_STAT(ssl_total_tlsv12);
+          break;
+        case '3':
+          SSL_INCREMENT_DYN_STAT(ssl_total_tlsv13);
+          break;
+        default:
+          break;
+        }
+      }
+    }
+  } else if (version[0] == 'S' && version[1] == 'S' && version[2] == 'L' && version[3] == 'v' && version[4] == '3' &&
+             version[5] == 0) {
+    SSL_INCREMENT_DYN_STAT(ssl_total_sslv3);
+  }
+}
+
 std::string_view
 SSLNetVConnection::map_tls_protocol_to_tag(const char *proto_string) const
 {
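Review bot: The `else if` on the SSLv3 comparison is chained to `if (version)`, so it executes only when `version` is nullptr and immediately dereferences it via `version[0]`; conversely a non-null "SSLv3" string takes the outer branch, fails the `TLSv1` prefix test and is never counted, so `ssl_total_sslv3` can only ever be reached by a crash. The SSLv3 test belongs inside the null guard as the alternative to the TLS prefix test, i.e. the `}` before `} else if (version[0] == 'S'` has to move below the SSLv3 branch. Since the whole function is a string match, `strcmp` against the exact version strings is shorter, keeps the null check in one obvious place and avoids the read of `version[7]` that currently happens before `version[6]` has been checked for a terminator; this assumes `<cstring>` (or a header pulling it in) is already included, which the hunk does not show. The restructured body is below; the rest of the hunk is unchanged.
```cpp
void
SSLNetVConnection::increment_ssl_version_metric(const char *version) const
{
  if (version == nullptr) {
    return;
  }
  // openSSL guarantees the case of the protocol string.
  if (strcmp(version, "SSLv3") == 0) {
    SSL_INCREMENT_DYN_STAT(ssl_total_sslv3);
  } else if (strcmp(version, "TLSv1") == 0) {
    SSL_INCREMENT_DYN_STAT(ssl_total_tlsv1);
  } else if (strcmp(version, "TLSv1.1") == 0) {
    SSL_INCREMENT_DYN_STAT(ssl_total_tlsv11);
  } else if (strcmp(version, "TLSv1.2") == 0) {
    SSL_INCREMENT_DYN_STAT(ssl_total_tlsv12);
  } else if (strcmp(version, "TLSv1.3") == 0) {
    SSL_INCREMENT_DYN_STAT(ssl_total_tlsv13);
  }
}
```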
diff --git a/iocore/net/SSLStats.cc b/iocore/net/SSLStats.cc
index b15f5d6..5b466c5 100644
--- a/iocore/net/SSLStats.cc
+++ b/iocore/net/SSLStats.cc
@@ -205,6 +205,18 @@ SSLInitializeStatistics()
   RecRegisterRawStat(ssl_rsb, RECT_PROCESS, "proxy.process.ssl.ssl_ocsp_refresh_cert_failure", RECD_INT, RECP_PERSISTENT,
                      (int)ssl_ocsp_refresh_cert_failure_stat, RecRawStatSyncCount);
 
+  /* SSL Version stats */
+  RecRegisterRawStat(ssl_rsb, RECT_PROCESS, "proxy.process.ssl.ssl_total_sslv3", RECD_COUNTER, RECP_PERSISTENT,
+                     (int)ssl_total_sslv3, RecRawStatSyncCount);
+  RecRegisterRawStat(ssl_rsb, RECT_PROCESS, "proxy.process.ssl.ssl_total_tlsv1", RECD_COUNTER, RECP_PERSISTENT,
+                     (int)ssl_total_tlsv1, RecRawStatSyncCount);
+  RecRegisterRawStat(ssl_rsb, RECT_PROCESS, "proxy.process.ssl.ssl_total_tlsv11", RECD_COUNTER, RECP_PERSISTENT,
+                     (int)ssl_total_tlsv11, RecRawStatSyncCount);
+  RecRegisterRawStat(ssl_rsb, RECT_PROCESS, "proxy.process.ssl.ssl_total_tlsv12", RECD_COUNTER, RECP_PERSISTENT,
+                     (int)ssl_total_tlsv12, RecRawStatSyncCount);
+  RecRegisterRawStat(ssl_rsb, RECT_PROCESS, "proxy.process.ssl.ssl_total_tlsv13", RECD_COUNTER, RECP_PERSISTENT,
+                     (int)ssl_total_tlsv13, RecRawStatSyncCount);
+
   // Get and register the SSL cipher stats. Note that we are using the default SSL context to obtain
   // the cipher list. This means that the set of ciphers is fixed by the build configuration and not
   // filtered by proxy.config.ssl.server.cipher_suite. This keeps the set of cipher suites stable across
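Review bot: The five new enumerators (`ssl_total_sslv3` ... `ssl_total_tlsv13`) drop the `_stat` suffix that every neighbouring `SSL_Stats` value in this registration block carries (`ssl_ocsp_refresh_cert_failure_stat`, `ssl_total_success_handshake_count_in_stat`), so the enum now mixes two naming schemes; the same applies to the enum definitions added in the SSLStats.h hunk, which is cut off at the edge of this view. Renaming them to `ssl_total_sslv3_stat` and so on at both sites, plus the `SSL_INCREMENT_DYN_STAT` uses in SSLNetVConnection.cc, keeps the convention; the registered record names under `proxy.process.ssl.` can stay as they are. A short comment above the block naming the source of the strings, `// Counts of negotiated protocol versions, bumped from increment_ssl_version_metric()`, would also help readers find the only writer.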
diff --git a/iocore/net/SSLStats.h b/iocore/net/SSLStats.h
index ff38df0..66dbeff 100644
--- a/iocore/net/SSLStats.h
+++ b/iocore/net/SSLStats.h
@@ -102,6 +102,13 @@ enum SSL_Stats {
   ssl_ocsp_refreshed_cert_stat,
   ssl_ocsp_refresh_cert_failure_stat,
 
+  /* SSL/TLS versions */
+  ssl_total_sslv3,
+  ssl_total_tlsv1,
+  ssl_total_tlsv11,
+  ssl_total_tlsv12,
+  ssl_total_tlsv13,
+
   ssl_cipher_stats_start = 100,
   ssl_cipher_stats_end   = 300,