This is an automated email from the ASF dual-hosted git repository.
shinrich pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push:
new 6ee5c61 Remove the ssl wire trace feature.
6ee5c61 is described below
commit 6ee5c616d165b969b42a86c4eb2ca0b1be86b881
Author: Susan Hinrichs <[email protected]>
AuthorDate: Mon Dec 3 23:24:38 2018 +0000
Remove the ssl wire trace feature.
---
doc/admin-guide/files/records.config.en.rst | 19 -----
iocore/net/P_SSLConfig.h | 7 --
iocore/net/P_SSLNetVConnection.h | 13 ---
iocore/net/SSLConfig.cc | 31 +-------
iocore/net/SSLNetVConnection.cc | 119 ----------------------------
iocore/net/SSLUtils.cc | 5 --
iocore/net/UnixNetVConnection.cc | 39 +--------
mgmt/RecordsConfig.cc | 8 --
proxy/http/HttpSM.cc | 21 -----
9 files changed, 3 insertions(+), 259 deletions(-)
diff --git a/doc/admin-guide/files/records.config.en.rst
b/doc/admin-guide/files/records.config.en.rst
index c14df88..2936600 100644
--- a/doc/admin-guide/files/records.config.en.rst
+++ b/doc/admin-guide/files/records.config.en.rst
@@ -3450,25 +3450,6 @@ SSL Termination
See :ref:`admin-performance-timeouts` for more discussion on |TS| timeouts.
-.. ts:cv:: CONFIG proxy.config.ssl.wire_trace_enabled INT 0
-
- When enabled this turns on wire tracing of SSL connections that meet
- the conditions specified by wire_trace_percentage, wire_trace_addr
- and wire_trace_server_name.
-
-.. ts:cv:: CONFIG proxy.config.ssl.wire_trace_percentage INT 0
-
- This specifies the percentage of traffic meeting the other wire_trace
- conditions to be traced.
-
-.. ts:cv:: CONFIG proxy.config.ssl.wire_trace_addr STRING NULL
-
- This specifies the client IP for which wire_traces should be printed.
-
-.. ts:cv:: CONFIG proxy.config.ssl.wire_trace_server_name STRING NULL
-
- This specifies the server name for which wire_traces should be printed.
-
Client-Related Configuration
----------------------------
diff --git a/iocore/net/P_SSLConfig.h b/iocore/net/P_SSLConfig.h
index a691e5b..3bccf9f 100644
--- a/iocore/net/P_SSLConfig.h
+++ b/iocore/net/P_SSLConfig.h
@@ -107,13 +107,6 @@ struct SSLConfigParams : public ConfigInfo {
static size_t session_cache_max_bucket_size;
static bool session_cache_skip_on_lock_contention;
- // TS-3435 Wiretracing for SSL Connections
- static int ssl_wire_trace_enabled;
- static char *ssl_wire_trace_addr;
- static IpAddr *ssl_wire_trace_ip;
- static int ssl_wire_trace_percentage;
- static char *ssl_wire_trace_server_name;
-
static init_ssl_ctx_func init_ssl_ctx_cb;
static load_ssl_file_func load_ssl_file_cb;
diff --git a/iocore/net/P_SSLNetVConnection.h b/iocore/net/P_SSLNetVConnection.h
index 144cf37..f2eadb3 100644
--- a/iocore/net/P_SSLNetVConnection.h
+++ b/iocore/net/P_SSLNetVConnection.h
@@ -286,19 +286,6 @@ public:
}
return retval;
}
- bool
- getSSLTrace() const
- {
- return sslTrace || super::origin_trace;
- }
-
- void
- setSSLTrace(bool state)
- {
- sslTrace = state;
- }
-
- bool computeSSLTrace();
const char *
getSSLProtocol(void) const
diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc
index 9c1a6d9..a6dbed7 100644
--- a/iocore/net/SSLConfig.cc
+++ b/iocore/net/SSLConfig.cc
@@ -58,14 +58,8 @@ size_t SSLConfigParams::session_cache_max_bucket_size
= 100;
init_ssl_ctx_func SSLConfigParams::init_ssl_ctx_cb = nullptr;
load_ssl_file_func SSLConfigParams::load_ssl_file_cb = nullptr;
-// TS-3534 Wiretracing for SSL Connections
-int SSLConfigParams::ssl_wire_trace_enabled = 0;
-char *SSLConfigParams::ssl_wire_trace_addr = nullptr;
-IpAddr *SSLConfigParams::ssl_wire_trace_ip = nullptr;
-int SSLConfigParams::ssl_wire_trace_percentage = 0;
-char *SSLConfigParams::ssl_wire_trace_server_name = nullptr;
-int SSLConfigParams::async_handshake_enabled = 0;
-char *SSLConfigParams::engine_conf_file = nullptr;
+int SSLConfigParams::async_handshake_enabled = 0;
+char *SSLConfigParams::engine_conf_file = nullptr;
static std::unique_ptr<ConfigUpdateHandler<SSLCertificateConfig>>
sslCertUpdate;
static std::unique_ptr<ConfigUpdateHandler<SSLConfig>> sslConfigUpdate;
@@ -131,7 +125,6 @@ SSLConfigParams::cleanup()
cipherSuite = (char *)ats_free_null(cipherSuite);
client_cipherSuite = (char *)ats_free_null(client_cipherSuite);
dhparamsFile = (char *)ats_free_null(dhparamsFile);
- ssl_wire_trace_ip = (IpAddr *)ats_free_null(ssl_wire_trace_ip);
server_tls13_cipher_suites = (char
*)ats_free_null(server_tls13_cipher_suites);
client_tls13_cipher_suites = (char
*)ats_free_null(client_tls13_cipher_suites);
@@ -438,26 +431,6 @@ SSLConfigParams::initialize()
REC_ReadConfigInt32(ssl_allow_client_renegotiation,
"proxy.config.ssl.allow_client_renegotiation");
- // SSL Wire Trace configurations
- REC_EstablishStaticConfigInt32(ssl_wire_trace_enabled,
"proxy.config.ssl.wire_trace_enabled");
- if (ssl_wire_trace_enabled) {
- // wire trace specific source ip
- REC_EstablishStaticConfigStringAlloc(ssl_wire_trace_addr,
"proxy.config.ssl.wire_trace_addr");
- if (ssl_wire_trace_addr) {
- ssl_wire_trace_ip = new IpAddr();
- ssl_wire_trace_ip->load(ssl_wire_trace_addr);
- } else {
- ssl_wire_trace_ip = nullptr;
- }
- // wire trace percentage of requests
- REC_EstablishStaticConfigInt32(ssl_wire_trace_percentage,
"proxy.config.ssl.wire_trace_percentage");
- REC_EstablishStaticConfigStringAlloc(ssl_wire_trace_server_name,
"proxy.config.ssl.wire_trace_server_name");
- } else {
- ssl_wire_trace_addr = nullptr;
- ssl_wire_trace_ip = nullptr;
- ssl_wire_trace_percentage = 0;
- ssl_wire_trace_server_name = nullptr;
- }
// Enable client regardless of config file settings as remap file
// can cause HTTP layer to connect using SSL. But only if SSL
// initialization hasn't failed already.
diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
index 86e150c..71e1b08 100644
--- a/iocore/net/SSLNetVConnection.cc
+++ b/iocore/net/SSLNetVConnection.cc
@@ -214,7 +214,6 @@ ssl_read_from_net(SSLNetVConnection *sslvc, EThread
*lthread, int64_t &ret)
int64_t bytes_read = 0;
ssl_error_t sslErr = SSL_ERROR_NONE;
- bool trace = sslvc->getSSLTrace();
int64_t toread = buf.writer()->write_avail();
ink_release_assert(toread > 0);
if (toread > s->vio.ntodo()) {
@@ -237,15 +236,6 @@ ssl_read_from_net(SSLNetVConnection *sslvc, EThread
*lthread, int64_t &ret)
sslErr = SSLReadBuffer(sslvc->ssl, current_block, amount_to_read, nread);
Debug("ssl", "[SSL_NetVConnection::ssl_read_from_net] nread=%d",
(int)nread);
- if (!sslvc->origin_trace) {
- TraceIn((0 < nread && trace), sslvc->get_remote_addr(),
sslvc->get_remote_port(), "WIRE TRACE\tbytes=%d\n%.*s", (int)nread,
- (int)nread, current_block);
- } else {
- char origin_trace_ip[INET6_ADDRSTRLEN];
- ats_ip_ntop(sslvc->origin_trace_addr, origin_trace_ip,
sizeof(origin_trace_ip));
- TraceIn((0 < nread && trace), sslvc->get_remote_addr(),
sslvc->get_remote_port(), "CLIENT %s:%d\ttbytes=%d\n%.*s",
- origin_trace_ip, sslvc->origin_trace_port, (int)nread,
(int)nread, current_block);
- }
switch (sslErr) {
case SSL_ERROR_NONE:
@@ -271,29 +261,24 @@ ssl_read_from_net(SSLNetVConnection *sslvc, EThread
*lthread, int64_t &ret)
Debug("ssl.error", "[SSL_NetVConnection::ssl_read_from_net]
SSL_ERROR_WOULD_BLOCK(read)");
break;
case SSL_ERROR_WANT_X509_LOOKUP:
- TraceIn(trace, sslvc->get_remote_addr(), sslvc->get_remote_port(), "Want
X509 lookup");
event = SSL_READ_WOULD_BLOCK;
SSL_INCREMENT_DYN_STAT(ssl_error_want_x509_lookup);
Debug("ssl.error", "[SSL_NetVConnection::ssl_read_from_net]
SSL_ERROR_WOULD_BLOCK(read/x509 lookup)");
break;
case SSL_ERROR_SYSCALL:
- TraceIn(trace, sslvc->get_remote_addr(), sslvc->get_remote_port(),
"Syscall Error: %s", strerror(errno));
SSL_INCREMENT_DYN_STAT(ssl_error_syscall);
if (nread != 0) {
// not EOF
event = SSL_READ_ERROR;
ret = errno;
Debug("ssl.error", "[SSL_NetVConnection::ssl_read_from_net]
SSL_ERROR_SYSCALL, underlying IO error: %s", strerror(errno));
- TraceIn(trace, sslvc->get_remote_addr(), sslvc->get_remote_port(),
"Underlying IO error: %d", errno);
} else {
// then EOF observed, treat it as EOS
// Error("[SSL_NetVConnection::ssl_read_from_net] SSL_ERROR_SYSCALL,
EOF observed violating SSL protocol");
- TraceIn(trace, sslvc->get_remote_addr(), sslvc->get_remote_port(),
"EOF observed violating SSL protocol");
event = SSL_READ_EOS;
}
break;
case SSL_ERROR_ZERO_RETURN:
- TraceIn(trace, sslvc->get_remote_addr(), sslvc->get_remote_port(),
"Connection closed by peer");
event = SSL_READ_EOS;
SSL_INCREMENT_DYN_STAT(ssl_error_zero_return);
Debug("ssl.error", "[SSL_NetVConnection::ssl_read_from_net]
SSL_ERROR_ZERO_RETURN");
@@ -303,8 +288,6 @@ ssl_read_from_net(SSLNetVConnection *sslvc, EThread
*lthread, int64_t &ret)
char buf[512];
unsigned long e = ERR_peek_last_error();
ERR_error_string_n(e, buf, sizeof(buf));
- TraceIn(trace, sslvc->get_remote_addr(), sslvc->get_remote_port(), "SSL
Error: sslErr=%d, ERR_get_error=%ld (%s) errno=%d",
- sslErr, e, buf, errno);
event = SSL_READ_ERROR;
ret = errno;
SSL_CLR_ERR_INCR_DYN_STAT(sslvc, ssl_error_ssl,
"[SSL_NetVConnection::ssl_read_from_net]: errno=%d", errno);
@@ -697,8 +680,6 @@ SSLNetVConnection::load_buffer_and_write(int64_t towrite,
MIOBufferAccessor &buf
return this->super::load_buffer_and_write(towrite, buf, total_written,
needs);
}
- bool trace = getSSLTrace();
-
do {
// What is remaining left in the next block?
l = buf.reader()->block_read_avail();
@@ -747,16 +728,6 @@ SSLNetVConnection::load_buffer_and_write(int64_t towrite,
MIOBufferAccessor &buf
towrite, current_block);
err = SSLWriteBuffer(ssl, current_block, l, num_really_written);
- if (!origin_trace) {
- TraceOut((0 < num_really_written && trace), get_remote_addr(),
get_remote_port(), "WIRE TRACE\tbytes=%d\n%.*s",
- (int)num_really_written, (int)num_really_written,
current_block);
- } else {
- char origin_trace_ip[INET6_ADDRSTRLEN];
- ats_ip_ntop(origin_trace_addr, origin_trace_ip, sizeof(origin_trace_ip));
- TraceOut((0 < num_really_written && trace), get_remote_addr(),
get_remote_port(), "CLIENT %s:%d\ttbytes=%d\n%.*s",
- origin_trace_ip, origin_trace_port, (int)num_really_written,
(int)num_really_written, current_block);
- }
-
// We wrote all that we thought we should
if (num_really_written > 0) {
total_written += num_really_written;
@@ -793,7 +764,6 @@ SSLNetVConnection::load_buffer_and_write(int64_t towrite,
MIOBufferAccessor &buf
redoWriteSize = l;
} else if (SSL_ERROR_WANT_X509_LOOKUP == err) {
SSL_INCREMENT_DYN_STAT(ssl_error_want_x509_lookup);
- TraceOut(trace, get_remote_addr(), get_remote_port(), "Want X509
lookup");
}
needs |= EVENTIO_WRITE;
@@ -802,25 +772,18 @@ SSLNetVConnection::load_buffer_and_write(int64_t towrite,
MIOBufferAccessor &buf
break;
}
case SSL_ERROR_SYSCALL:
- TraceOut(trace, get_remote_addr(), get_remote_port(), "Syscall Error:
%s", strerror(errno));
num_really_written = -errno;
SSL_INCREMENT_DYN_STAT(ssl_error_syscall);
Debug("ssl.error", "SSL_write-SSL_ERROR_SYSCALL");
break;
// end of stream
case SSL_ERROR_ZERO_RETURN:
- TraceOut(trace, get_remote_addr(), get_remote_port(), "SSL Error: zero
return");
num_really_written = -errno;
SSL_INCREMENT_DYN_STAT(ssl_error_zero_return);
Debug("ssl.error", "SSL_write-SSL_ERROR_ZERO_RETURN");
break;
case SSL_ERROR_SSL:
default: {
- char buf[512];
- unsigned long e = ERR_peek_last_error();
- ERR_error_string_n(e, buf, sizeof(buf));
- TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL Error:
sslErr=%d, ERR_get_error=%ld (%s) errno=%d", err, e, buf,
- errno);
// Treat SSL_ERROR_SSL as EPIPE error.
num_really_written = -EPIPE;
SSL_CLR_ERR_INCR_DYN_STAT(this, ssl_error_ssl, "SSL_write-SSL_ERROR_SSL
errno=%d", errno);
@@ -1164,8 +1127,6 @@ SSLNetVConnection::sslServerHandShakeEvent(int &err)
}
}
#endif
- bool trace = getSSLTrace();
-
if (ssl_error != SSL_ERROR_NONE) {
err = errno;
SSLVCDebug(this, "SSL handshake error: %s (%d), errno=%d",
SSLErrorName(ssl_error), ssl_error, err);
@@ -1195,9 +1156,6 @@ SSLNetVConnection::sslServerHandShakeEvent(int &err)
sslHandshakeStatus = SSL_HANDSHAKE_DONE;
- TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL server handshake
completed successfully");
- // do we want to include cert info in trace?
-
if (sslHandshakeBeginTime) {
sslHandshakeEndTime = Thread::get_hrtime();
const ink_hrtime ssl_handshake_time = sslHandshakeEndTime -
sslHandshakeBeginTime;
@@ -1239,38 +1197,30 @@ SSLNetVConnection::sslServerHandShakeEvent(int &err)
}
Debug("ssl", "client selected next protocol '%.*s'", len, proto);
- TraceIn(trace, get_remote_addr(), get_remote_port(), "client selected
next protocol'%.*s'", len, proto);
} else {
Debug("ssl", "client did not select a next protocol");
- TraceIn(trace, get_remote_addr(), get_remote_port(), "client did not
select a next protocol");
}
}
return EVENT_DONE;
case SSL_ERROR_WANT_CONNECT:
- TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL server handshake
ERROR_WANT_CONNECT");
return SSL_HANDSHAKE_WANT_CONNECT;
case SSL_ERROR_WANT_WRITE:
- TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL server handshake
ERROR_WANT_WRITE");
return SSL_HANDSHAKE_WANT_WRITE;
case SSL_ERROR_WANT_READ:
- TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL server handshake
ERROR_WANT_READ");
return SSL_HANDSHAKE_WANT_READ;
// This value is only defined in openssl has been patched to
// enable the sni callback to break out of the SSL_accept processing
#ifdef SSL_ERROR_WANT_SNI_RESOLVE
case SSL_ERROR_WANT_X509_LOOKUP:
- TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL server handshake
ERROR_WANT_X509_LOOKUP");
return EVENT_CONT;
case SSL_ERROR_WANT_SNI_RESOLVE:
- TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL server handshake
ERROR_WANT_SNI_RESOLVE");
#elif SSL_ERROR_WANT_X509_LOOKUP
case SSL_ERROR_WANT_X509_LOOKUP:
- TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL server handshake
ERROR_WANT_X509_LOOKUP");
#endif
#if defined(SSL_ERROR_WANT_SNI_RESOLVE) || defined(SSL_ERROR_WANT_X509_LOOKUP)
if (this->attributes == HttpProxyPort::TRANSPORT_BLIND_TUNNEL ||
SSL_HOOK_OP_TUNNEL == hookOpRequested) {
@@ -1285,32 +1235,22 @@ SSLNetVConnection::sslServerHandShakeEvent(int &err)
#if TS_USE_TLS_ASYNC
case SSL_ERROR_WANT_ASYNC:
- TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL server handshake
ERROR_WANT_ASYNC");
return SSL_WAIT_FOR_ASYNC;
#endif
case SSL_ERROR_WANT_ACCEPT:
- TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL server handshake
ERROR_WANT_ACCEPT");
return EVENT_CONT;
case SSL_ERROR_SSL: {
SSL_CLR_ERR_INCR_DYN_STAT(this, ssl_error_ssl,
"SSLNetVConnection::sslServerHandShakeEvent, SSL_ERROR_SSL errno=%d", errno);
- char buf[512];
- unsigned long e = ERR_peek_last_error();
- ERR_error_string_n(e, buf, sizeof(buf));
- TraceIn(trace, get_remote_addr(), get_remote_port(),
- "SSL server handshake ERROR_SSL: sslErr=%d, ERR_get_error=%ld (%s)
errno=%d", ssl_error, e, buf, errno);
return EVENT_ERROR;
}
case SSL_ERROR_ZERO_RETURN:
- TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL server handshake
ERROR_ZERO_RETURN");
return EVENT_ERROR;
case SSL_ERROR_SYSCALL:
- TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL server handshake
ERROR_SYSCALL");
return EVENT_ERROR;
default:
- TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL server handshake
ERROR_OTHER");
return EVENT_ERROR;
}
}
@@ -1318,7 +1258,6 @@ SSLNetVConnection::sslServerHandShakeEvent(int &err)
int
SSLNetVConnection::sslClientHandShakeEvent(int &err)
{
- bool trace = getSSLTrace();
ssl_error_t ssl_error;
ink_assert(SSLNetVCAccess(ssl) == this);
@@ -1372,49 +1311,39 @@ SSLNetVConnection::sslClientHandShakeEvent(int &err)
SSL_INCREMENT_DYN_STAT(ssl_total_success_handshake_count_out_stat);
- TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL client handshake
completed successfully");
- // do we want to include cert info in trace?
-
sslHandshakeStatus = SSL_HANDSHAKE_DONE;
return EVENT_DONE;
case SSL_ERROR_WANT_WRITE:
Debug("ssl.error", "SSLNetVConnection::sslClientHandShakeEvent,
SSL_ERROR_WANT_WRITE");
SSL_INCREMENT_DYN_STAT(ssl_error_want_write);
- TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL client handshake
ERROR_WANT_WRITE");
return SSL_HANDSHAKE_WANT_WRITE;
case SSL_ERROR_WANT_READ:
SSL_INCREMENT_DYN_STAT(ssl_error_want_read);
Debug("ssl.error", "SSLNetVConnection::sslClientHandShakeEvent,
SSL_ERROR_WANT_READ");
- TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL client handshake
ERROR_WANT_READ");
return SSL_HANDSHAKE_WANT_READ;
case SSL_ERROR_WANT_X509_LOOKUP:
SSL_INCREMENT_DYN_STAT(ssl_error_want_x509_lookup);
Debug("ssl.error", "SSLNetVConnection::sslClientHandShakeEvent,
SSL_ERROR_WANT_X509_LOOKUP");
- TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL client handshake
ERROR_WANT_X509_LOOKUP");
break;
case SSL_ERROR_WANT_ACCEPT:
- TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL client handshake
ERROR_WANT_ACCEPT");
return SSL_HANDSHAKE_WANT_ACCEPT;
case SSL_ERROR_WANT_CONNECT:
- TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL client handshake
ERROR_WANT_CONNECT");
break;
case SSL_ERROR_ZERO_RETURN:
SSL_INCREMENT_DYN_STAT(ssl_error_zero_return);
Debug("ssl.error", "SSLNetVConnection::sslClientHandShakeEvent, EOS");
- TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL client handshake
EOS");
return EVENT_ERROR;
case SSL_ERROR_SYSCALL:
err = errno;
SSL_INCREMENT_DYN_STAT(ssl_error_syscall);
Debug("ssl.error", "SSLNetVConnection::sslClientHandShakeEvent, syscall");
- TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL client handshake
Syscall Error: %s", strerror(errno));
return EVENT_ERROR;
break;
@@ -1427,8 +1356,6 @@ SSLNetVConnection::sslClientHandShakeEvent(int &err)
// FIXME -- This triggers a retry on cases of cert validation errors....
SSL_CLR_ERR_INCR_DYN_STAT(this, ssl_error_ssl,
"SSLNetVConnection::sslClientHandShakeEvent, SSL_ERROR_SSL errno=%d", errno);
Debug("ssl.error", "SSLNetVConnection::sslClientHandShakeEvent,
SSL_ERROR_SSL");
- TraceIn(trace, get_remote_addr(), get_remote_port(),
- "SSL client handshake ERROR_SSL: sslErr=%d, ERR_get_error=%ld (%s)
errno=%d", ssl_error, e, buf, errno);
if (e) {
if (this->options.sni_servername) {
Debug("ssl.error", "SSL connection failed for '%s': %s",
this->options.sni_servername.get(), buf);
@@ -1729,52 +1656,6 @@ SSLNetVConnection::callHooks(TSEvent eventId)
return reenabled;
}
-bool
-SSLNetVConnection::computeSSLTrace()
-{
- // this has to happen before the handshake or else sni_servername will be
nullptr
- bool sni_trace;
- if (ssl) {
- const char *ssl_servername = SSL_get_servername(ssl,
TLSEXT_NAMETYPE_host_name);
- char *wire_trace_server_name = SSLConfigParams::ssl_wire_trace_server_name;
- Debug("ssl", "for wiretrace, ssl_servername=%s,
wire_trace_server_name=%s", ssl_servername, wire_trace_server_name);
- sni_trace = ssl_servername && wire_trace_server_name && (0 ==
strcmp(wire_trace_server_name, ssl_servername));
- } else {
- sni_trace = false;
- }
-
- // count based on ip only if they set an IP value
- const sockaddr *remote_addr = get_remote_addr();
- bool ip_trace = false;
- if (SSLConfigParams::ssl_wire_trace_ip) {
- ip_trace = (*SSLConfigParams::ssl_wire_trace_ip == remote_addr);
- }
-
- // count based on percentage
- int percentage = SSLConfigParams::ssl_wire_trace_percentage;
- int random;
- bool trace;
-
- // we only generate random numbers as needed (to maintain correct percentage)
- if (SSLConfigParams::ssl_wire_trace_server_name &&
SSLConfigParams::ssl_wire_trace_ip) {
- random = this_ethread()->generator.random() % 100; // range [0-99]
- trace = sni_trace && ip_trace && (percentage > random);
- } else if (SSLConfigParams::ssl_wire_trace_server_name) {
- random = this_ethread()->generator.random() % 100; // range [0-99]
- trace = sni_trace && (percentage > random);
- } else if (SSLConfigParams::ssl_wire_trace_ip) {
- random = this_ethread()->generator.random() % 100; // range [0-99]
- trace = ip_trace && (percentage > random);
- } else {
- random = this_ethread()->generator.random() % 100; // range [0-99]
- trace = percentage > random;
- }
-
- Debug("ssl", "ssl_netvc random=%d, trace=%s", random, trace ? "TRUE" :
"FALSE");
-
- return trace;
-}
-
int
SSLNetVConnection::populate(Connection &con, Continuation *c, void *arg)
{
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index 2df2374..9965528 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -330,11 +330,6 @@ set_context_cert(SSL *ssl)
int retval = 1;
Debug("ssl", "set_context_cert ssl=%p server=%s handshake_complete=%d", ssl,
servername, netvc->getSSLHandShakeComplete());
- if (SSLConfigParams::ssl_wire_trace_enabled) {
- bool trace = netvc->computeSSLTrace();
- Debug("ssl", "sslnetvc. setting trace to=%s", trace ? "true" : "false");
- netvc->setSSLTrace(trace);
- }
// catch the client renegotiation early on
if (SSLConfigParams::ssl_allow_client_renegotiation == false &&
netvc->getSSLHandShakeComplete()) {
diff --git a/iocore/net/UnixNetVConnection.cc b/iocore/net/UnixNetVConnection.cc
index e01fc57..ca5e341 100644
--- a/iocore/net/UnixNetVConnection.cc
+++ b/iocore/net/UnixNetVConnection.cc
@@ -253,24 +253,6 @@ read_from_net(NetHandler *nh, UnixNetVConnection *vc,
EThread *thread)
NET_INCREMENT_DYN_STAT(net_calls_to_read_stat);
- if (vc->origin_trace) {
- char origin_trace_ip[INET6_ADDRSTRLEN];
-
- ats_ip_ntop(vc->origin_trace_addr, origin_trace_ip,
sizeof(origin_trace_ip));
-
- if (r > 0) {
- TraceIn((vc->origin_trace), vc->get_remote_addr(),
vc->get_remote_port(), "CLIENT %s:%d\tbytes=%d\n%.*s", origin_trace_ip,
- vc->origin_trace_port, (int)r, (int)r, (char
*)tiovec[0].iov_base);
-
- } else if (r == 0) {
- TraceIn((vc->origin_trace), vc->get_remote_addr(),
vc->get_remote_port(), "CLIENT %s:%d closed connection",
- origin_trace_ip, vc->origin_trace_port);
- } else {
- TraceIn((vc->origin_trace), vc->get_remote_addr(),
vc->get_remote_port(), "CLIENT %s:%d error=%s", origin_trace_ip,
- vc->origin_trace_port, strerror(errno));
- }
- }
-
total_read += rattempted;
} while (rattempted && r == rattempted && total_read < toread);
@@ -896,10 +878,7 @@ UnixNetVConnection::UnixNetVConnection()
submit_time(0),
oob_ptr(nullptr),
from_accept_thread(false),
- accept_object(nullptr),
- origin_trace(false),
- origin_trace_addr(nullptr),
- origin_trace_port(0)
+ accept_object(nullptr)
{
SET_HANDLER((NetVConnHandler)&UnixNetVConnection::startEvent);
}
@@ -998,22 +977,6 @@ UnixNetVConnection::load_buffer_and_write(int64_t towrite,
MIOBufferAccessor &bu
r = socketManager.writev(con.fd, &tiovec[0], niov);
}
- if (origin_trace) {
- char origin_trace_ip[INET6_ADDRSTRLEN];
- ats_ip_ntop(origin_trace_addr, origin_trace_ip, sizeof(origin_trace_ip));
-
- if (r > 0) {
- TraceOut(origin_trace, get_remote_addr(), get_remote_port(), "CLIENT
%s:%d\tbytes=%d\n%.*s", origin_trace_ip,
- origin_trace_port, (int)r, (int)r, (char
*)tiovec[0].iov_base);
-
- } else if (r == 0) {
- TraceOut(origin_trace, get_remote_addr(), get_remote_port(), "CLIENT
%s:%d\tbytes=0", origin_trace_ip, origin_trace_port);
- } else {
- TraceOut(origin_trace, get_remote_addr(), get_remote_port(), "CLIENT
%s:%d error=%s", origin_trace_ip, origin_trace_port,
- strerror(errno));
- }
- }
-
if (r > 0) {
buf.reader()->consume(r);
total_written += r;
diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc
index 5799a01..931c6e3 100644
--- a/mgmt/RecordsConfig.cc
+++ b/mgmt/RecordsConfig.cc
@@ -1178,14 +1178,6 @@ static const RecordElement RecordsConfig[] =
,
{RECT_CONFIG, "proxy.config.ssl.handshake_timeout_in", RECD_INT, "0",
RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-65535]", RECA_NULL}
,
- {RECT_CONFIG, "proxy.config.ssl.wire_trace_enabled", RECD_INT, "0",
RECU_DYNAMIC, RR_NULL, RECC_INT, "[0-2]", RECA_NULL}
- ,
- {RECT_CONFIG, "proxy.config.ssl.wire_trace_addr", RECD_STRING, nullptr ,
RECU_DYNAMIC, RR_NULL, RECC_IP, R"([0-255]\.[0-255]\.[0-255]\.[0-255])",
RECA_NULL}
- ,
- {RECT_CONFIG, "proxy.config.ssl.wire_trace_percentage", RECD_INT, "0",
RECU_DYNAMIC, RR_NULL, RECC_INT, "[0-100]", RECA_NULL}
- ,
- {RECT_CONFIG, "proxy.config.ssl.wire_trace_server_name", RECD_STRING,
nullptr , RECU_DYNAMIC, RR_NULL, RECC_STR, ".*", RECA_NULL}
- ,
{RECT_CONFIG, "proxy.config.ssl.cert.load_elevated", RECD_INT, "0",
RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_READ_ONLY}
,
{RECT_CONFIG, "proxy.config.ssl.server.groups_list", RECD_STRING, nullptr,
RECU_RESTART_TS, RR_NULL, RECC_NULL, nullptr, RECA_NULL}
diff --git a/proxy/http/HttpSM.cc b/proxy/http/HttpSM.cc
index 52d4dde..3d91e55 100644
--- a/proxy/http/HttpSM.cc
+++ b/proxy/http/HttpSM.cc
@@ -5860,30 +5860,9 @@ HttpSM::attach_server_session(HttpServerSession *s)
// Get server and client connections
UnixNetVConnection *server_vc = dynamic_cast<UnixNetVConnection
*>(server_session->get_netvc());
UnixNetVConnection *client_vc = (UnixNetVConnection *)(ua_txn->get_netvc());
- SSLNetVConnection *ssl_vc = dynamic_cast<SSLNetVConnection *>(client_vc);
// Verifying that the user agent and server sessions/transactions are
operating on the same thread.
ink_release_assert(!server_vc || !client_vc || server_vc->thread ==
client_vc->thread);
- bool associated_connection = false;
- if (server_vc) { // if server_vc isn't a PluginVC
- if (ssl_vc) { // if incoming connection is SSL
- bool client_trace = ssl_vc->getSSLTrace();
- if (client_trace) {
- // get remote address and port to mark corresponding traces
- const sockaddr *remote_addr = ssl_vc->get_remote_addr();
- uint16_t remote_port = ssl_vc->get_remote_port();
- server_vc->setOriginTrace(true);
- server_vc->setOriginTraceAddr(remote_addr);
- server_vc->setOriginTracePort(remote_port);
- associated_connection = true;
- }
- }
- }
- if (!associated_connection && server_vc) {
- server_vc->setOriginTrace(false);
- server_vc->setOriginTraceAddr(nullptr);
- server_vc->setOriginTracePort(0);
- }
// set flag for server session is SSL
SSLNetVConnection *server_ssl_vc = dynamic_cast<SSLNetVConnection
*>(server_vc);
