Posted to commits@trafficserver.apache.org by su...@apache.org on 2019/06/21 22:50:38 UTC
[trafficserver] 01/03: Add metrics to track SSLv3 and TLS versions
This is an automated email from the ASF dual-hosted git repository.
sudheerv pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
commit 59b02bae506e2521894ccd071856317dba9344a6
Author: Sudheer Vinukonda <su...@apache.org>
AuthorDate: Tue Jun 18 10:01:08 2019 -0700
Add metrics to track SSLv3 and TLS versions
---
iocore/net/P_SSLNetVConnection.h | 2 ++
iocore/net/SSLNetVConnection.cc | 33 ++++++++++++++++++++++++++++++++-
iocore/net/SSLStats.cc | 12 ++++++++++++
iocore/net/SSLStats.h | 7 +++++++
4 files changed, 53 insertions(+), 1 deletion(-)
diff --git a/iocore/net/P_SSLNetVConnection.h b/iocore/net/P_SSLNetVConnection.h
index 23733a2..d093e73 100644
--- a/iocore/net/P_SSLNetVConnection.h
+++ b/iocore/net/P_SSLNetVConnection.h
@@ -355,6 +355,8 @@ public:
int populate_protocol(std::string_view *results, int n) const override;
const char *protocol_contains(std::string_view tag) const override;
+ void increment_ssl_version_metric(const char *version) const;
+
/**
* Populate the current object based on the socket information in in the
* con parameter and the ssl object in the arg parameter
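Review bot: The new `void increment_ssl_version_metric(const char *version) const;` declaration has no doc comment, while the declaration right below it carries a `/** ... */` block; a matching one would read `/** Bump the per-protocol-version stat (SSLv3, TLSv1, TLSv1.1/1.2/1.3) matching the given version string; a null or unrecognised string is ignored. */`. It is also worth saying in that comment that the method is `const` because it touches only the SSL_INCREMENT_DYN_STAT counters and not the connection object, since the name reads as if it mutated `this`. The enclosing class body starts and ends outside the hunk.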
diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
index 16d8e1b..4d9444b 100644
--- a/iocore/net/SSLNetVConnection.cc
+++ b/iocore/net/SSLNetVConnection.cc
@@ -1267,11 +1267,12 @@ SSLNetVConnection::sslServerHandShakeEvent(int &err)
SSL_INCREMENT_DYN_STAT_EX(ssl_total_handshake_time_stat, ssl_handshake_time);
SSL_INCREMENT_DYN_STAT(ssl_total_success_handshake_count_in_stat);
}
-
{
const unsigned char *proto = nullptr;
unsigned len = 0;
+ increment_ssl_version_metric(getSSLProtocol());
+
// If it's possible to negotiate both NPN and ALPN, then ALPN
// is preferred since it is the server's preference. The server
// preference would not be meaningful if we let the client
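Review bot: The added `increment_ssl_version_metric(getSSLProtocol());` is placed inside the block that declares `proto`/`len` and whose comment describes NPN/ALPN selection, although the call has nothing to do with that selection; moving it before the opening `{`, next to the other `SSL_INCREMENT_DYN_STAT` calls, keeps that block about one thing and lets the removed blank line between `}` and `{` stay. As far as this diff shows, the counter is bumped only on this server-side path in sslServerHandShakeEvent, so outbound handshakes to origins are not counted; if that is intended, a one-line comment such as `// Count the negotiated protocol version of inbound handshakes only` at the call site would keep the metric from being misread. sslServerHandShakeEvent starts and ends outside the hunk.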
@@ -1812,6 +1813,36 @@ SSLNetVConnection::populate(Connection &con, Continuation *c, void *arg)
return EVENT_DONE;
}
+void
+SSLNetVConnection::increment_ssl_version_metric(const char *version) const
+{
+ if (version) {
+ // openSSL guarantees the case of the protocol string.
+ if (version[0] == 'T' && version[1] == 'L' && version[2] == 'S' && version[3] == 'v' && version[4] == '1') {
+ if (version[5] == 0) {
+ SSL_INCREMENT_DYN_STAT(ssl_total_tlsv1);
+ } else if (version[5] == '.' && version[7] == 0) {
+ switch (version[6]) {
+ case '1':
+ SSL_INCREMENT_DYN_STAT(ssl_total_tlsv11);
+ break;
+ case '2':
+ SSL_INCREMENT_DYN_STAT(ssl_total_tlsv12);
+ break;
+ case '3':
+ SSL_INCREMENT_DYN_STAT(ssl_total_tlsv13);
+ break;
+ default:
+ break;
+ }
+ }
+ }
+ } else if (version[0] == 'S' && version[1] == 'S' && version[2] == 'L' && version[3] == 'v' && version[4] == '3' &&
+ version[5] == 0) {
+ SSL_INCREMENT_DYN_STAT(ssl_total_sslv3);
+ }
+}
+
std::string_view
SSLNetVConnection::map_tls_protocol_to_tag(const char *proto_string) const
{
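Review bot: In the `TLSv1.x` branch the condition `version[5] == '.' && version[7] == 0` reads `version[7]` before `version[6]` has been checked, so a string like `"TLSv1."` (terminator at index 6) is read one byte past its end before the switch rejects it. The strings OpenSSL returns are longer, so this is unlikely to bite in practice, but the character-by-character walk is fragile and hard to audit; comparing against the exact literals with `std::string_view`, which this file already uses (`map_tls_protocol_to_tag` returns one), removes the indexing entirely and keeps the same five counters. The minimal alternative is to insert `version[6] != 0 &&` before the `version[7] == 0` check.
```cpp
void
SSLNetVConnection::increment_ssl_version_metric(const char *version) const
{
  if (version == nullptr) {
    return;
  }
  // OpenSSL guarantees the case of the protocol string, so exact matches suffice.
  const std::string_view v{version};
  if (v == "SSLv3") {
    SSL_INCREMENT_DYN_STAT(ssl_total_sslv3);
  } else if (v == "TLSv1") {
    SSL_INCREMENT_DYN_STAT(ssl_total_tlsv1);
  } else if (v == "TLSv1.1") {
    SSL_INCREMENT_DYN_STAT(ssl_total_tlsv11);
  } else if (v == "TLSv1.2") {
    SSL_INCREMENT_DYN_STAT(ssl_total_tlsv12);
  } else if (v == "TLSv1.3") {
    SSL_INCREMENT_DYN_STAT(ssl_total_tlsv13);
  }
}
```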
diff --git a/iocore/net/SSLStats.cc b/iocore/net/SSLStats.cc
index b15f5d6..5b466c5 100644
--- a/iocore/net/SSLStats.cc
+++ b/iocore/net/SSLStats.cc
@@ -205,6 +205,18 @@ SSLInitializeStatistics()
RecRegisterRawStat(ssl_rsb, RECT_PROCESS, "proxy.process.ssl.ssl_ocsp_refresh_cert_failure", RECD_INT, RECP_PERSISTENT,
(int)ssl_ocsp_refresh_cert_failure_stat, RecRawStatSyncCount);
+ /* SSL Version stats */
+ RecRegisterRawStat(ssl_rsb, RECT_PROCESS, "proxy.process.ssl.ssl_total_sslv3", RECD_COUNTER, RECP_PERSISTENT,
+ (int)ssl_total_sslv3, RecRawStatSyncCount);
+ RecRegisterRawStat(ssl_rsb, RECT_PROCESS, "proxy.process.ssl.ssl_total_tlsv1", RECD_COUNTER, RECP_PERSISTENT,
+ (int)ssl_total_tlsv1, RecRawStatSyncCount);
+ RecRegisterRawStat(ssl_rsb, RECT_PROCESS, "proxy.process.ssl.ssl_total_tlsv11", RECD_COUNTER, RECP_PERSISTENT,
+ (int)ssl_total_tlsv11, RecRawStatSyncCount);
+ RecRegisterRawStat(ssl_rsb, RECT_PROCESS, "proxy.process.ssl.ssl_total_tlsv12", RECD_COUNTER, RECP_PERSISTENT,
+ (int)ssl_total_tlsv12, RecRawStatSyncCount);
+ RecRegisterRawStat(ssl_rsb, RECT_PROCESS, "proxy.process.ssl.ssl_total_tlsv13", RECD_COUNTER, RECP_PERSISTENT,
+ (int)ssl_total_tlsv13, RecRawStatSyncCount);
+
// Get and register the SSL cipher stats. Note that we are using the default SSL context to obtain
// the cipher list. This means that the set of ciphers is fixed by the build configuration and not
// filtered by proxy.config.ssl.server.cipher_suite. This keeps the set of cipher suites stable across
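Review bot: The five new registrations use `RECD_COUNTER` while the neighbouring `proxy.process.ssl.ssl_ocsp_refresh_cert_failure` registration just above uses `RECD_INT` with the same `RecRawStatSyncCount` sync function; if the different record type is deliberate, a word in the `/* SSL Version stats */` comment saying why would stop a later edit from "fixing" it in either direction. The names `proxy.process.ssl.ssl_total_tlsv1` and friends also carry no direction suffix, unlike `ssl_total_success_handshake_count_in_stat` that is incremented on the same handshake path, so a reader cannot tell from the name whether origin-side handshakes are included; as far as this diff shows only the server handshake path increments them, so either document that scope, e.g. `/* SSL/TLS version stats: negotiated protocol of inbound handshakes */`, or give the names an `_in` suffix. SSLInitializeStatistics starts and ends outside the hunk.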
diff --git a/iocore/net/SSLStats.h b/iocore/net/SSLStats.h
index ff38df0..66dbeff 100644
--- a/iocore/net/SSLStats.h
+++ b/iocore/net/SSLStats.h
@@ -102,6 +102,13 @@ enum SSL_Stats {
ssl_ocsp_refreshed_cert_stat,
ssl_ocsp_refresh_cert_failure_stat,
+ /* SSL/TLS versions */
+ ssl_total_sslv3,
+ ssl_total_tlsv1,
+ ssl_total_tlsv11,
+ ssl_total_tlsv12,
+ ssl_total_tlsv13,
+
ssl_cipher_stats_start = 100,
ssl_cipher_stats_end = 300,