This is an automated email from the ASF dual-hosted git repository.
masaori pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push:
new d2868a4236 [BoringSSL] Add TLS 1.3 cipher metrics (#11849)
d2868a4236 is described below
commit d2868a423635f47d4a148c9494b1140a96e7d1f0
Author: Masaori Koshiba <[email protected]>
AuthorDate: Fri Nov 15 22:02:25 2024 +0900
[BoringSSL] Add TLS 1.3 cipher metrics (#11849)
---
src/iocore/net/SSLStats.cc | 37 +++++++++++++++++++++++++++----------
1 file changed, 27 insertions(+), 10 deletions(-)
diff --git a/src/iocore/net/SSLStats.cc b/src/iocore/net/SSLStats.cc
index 68fe3e7299..5dd1d6a3b2 100644
--- a/src/iocore/net/SSLStats.cc
+++ b/src/iocore/net/SSLStats.cc
@@ -30,6 +30,8 @@
#include "P_SSLUtils.h"
#include "../../records/P_RecProcess.h"
+#include <string_view>
+
SSLStatsBlock ssl_rsb;
std::unordered_map<std::string, Metrics::Counter::AtomicType *> cipher_map;
@@ -37,6 +39,10 @@ namespace
{
DbgCtl dbg_ctl_ssl{"ssl"};
+#if defined(OPENSSL_IS_BORINGSSL)
+constexpr std::string_view UNKNOWN_CIPHER{"(NONE)"};
+#endif
+
} // end anonymous namespace
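Review bot: `UNKNOWN_CIPHER` at `+constexpr std::string_view UNKNOWN_CIPHER{"(NONE)"};` is a magic string with no explanation of where "(NONE)" comes from, so the skip that uses it in `SSLInitializeStatistics` reads as arbitrary. Presumably this is the placeholder name BoringSSL reports for the unknown/absent cipher entry returned by `SSL_get_all_cipher_names` (the same text `SSL_CIPHER_get_name` gives for a null cipher) — worth confirming against the BoringSSL headers before relying on it. I would add above the constant: `// Placeholder name BoringSSL reports for the unknown cipher; it is not a real suite, so no metric is registered for it.`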
// ToDo: This gets called once per global sync, for now at least.
@@ -88,10 +94,6 @@ add_cipher_stat(const char *cipherName, const std::string
&statName)
void
SSLInitializeStatistics()
{
- SSL_CTX *ctx;
- SSL *ssl;
- STACK_OF(SSL_CIPHER) * ciphers;
-
// For now, register with the librecords global sync.
RecRegNewSyncStatSync(SSLPeriodicMetricsUpdate);
@@ -154,14 +156,28 @@ SSLInitializeStatistics()
ssl_rsb.user_agent_unknown_cert =
Metrics::Counter::createPtr("proxy.process.ssl.user_agent_unknown_cert");
ssl_rsb.user_agent_wrong_version =
Metrics::Counter::createPtr("proxy.process.ssl.user_agent_wrong_version");
+#if defined(OPENSSL_IS_BORINGSSL)
+ size_t n = SSL_get_all_cipher_names(nullptr, 0);
+ std::vector<const char *> cipher_list(n);
+ SSL_get_all_cipher_names(cipher_list.data(), cipher_list.size());
+ for (auto cipher_name : cipher_list) {
+ if (UNKNOWN_CIPHER.compare(cipher_name) == 0) {
+ continue;
+ }
+
+ std::string stat_name = "proxy.process.ssl.cipher.user_agent." +
std::string(cipher_name);
+
+ add_cipher_stat(cipher_name, stat_name);
+ }
+#else
// Get and register the SSL cipher stats. Note that we are using the default
SSL context to obtain
// the cipher list. This means that the set of ciphers is fixed by the build
configuration and not
// filtered by proxy.config.ssl.server.cipher_suite. This keeps the set of
cipher suites stable across
// configuration reloads and works for the case where we honor the client
cipher preference.
SSLMultiCertConfigLoader loader(nullptr);
- ctx = loader.default_server_ssl_ctx();
- ssl = SSL_new(ctx);
- ciphers = SSL_get_ciphers(ssl);
+ SSL_CTX *ctx = loader.default_server_ssl_ctx();
+ SSL *ssl = SSL_new(ctx);
+ STACK_OF(SSL_CIPHER) *ciphers = SSL_get_ciphers(ssl);
// BoringSSL has sk_SSL_CIPHER_num() return a size_t (well, sk_num() is)
for (int index = 0; index < static_cast<int>(sk_SSL_CIPHER_num(ciphers));
index++) {
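Review bot: The BoringSSL branch under `+#if defined(OPENSSL_IS_BORINGSSL)` discards the count returned by the second `SSL_get_all_cipher_names(cipher_list.data(), cipher_list.size())`, so nothing confirms that every slot of `cipher_list` was filled before each entry is dereferenced by `UNKNOWN_CIPHER.compare(cipher_name)`; with the buffer sized from the first call this should be exact, but trimming to the returned count keeps the loop safe if the two calls ever disagree: `size_t written = SSL_get_all_cipher_names(cipher_list.data(), cipher_list.size());` / `if (written < cipher_list.size()) { cipher_list.resize(written); }`. Unlike the `#else` branch, this path has no comment explaining that it enumerates BoringSSL's full build-time cipher table (which, per the commit title, is what brings in the TLS 1.3 suites) rather than the set filtered by `proxy.config.ssl.server.cipher_suite`, so the metric set is likewise stable across configuration reloads — I would carry a one-line version of that explanation over. `std::vector` is used here without a visible `#include <vector>` in this diff; if no header already pulls it in, add it next to the new `<string_view>` include. `SSLInitializeStatistics` begins before this hunk.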
@@ -172,9 +188,10 @@ SSLInitializeStatistics()
add_cipher_stat(cipherName, statName);
}
- // Add "OTHER" for ciphers not on the map
- add_cipher_stat(SSL_CIPHER_STAT_OTHER.c_str(),
"proxy.process.ssl.cipher.user_agent." + SSL_CIPHER_STAT_OTHER);
-
SSL_free(ssl);
SSLReleaseContext(ctx);
+#endif
+
+ // Add "OTHER" for ciphers not on the map
+ add_cipher_stat(SSL_CIPHER_STAT_OTHER.c_str(),
"proxy.process.ssl.cipher.user_agent." + SSL_CIPHER_STAT_OTHER);
}