This is an automated email from the ASF dual-hosted git repository.
bneradt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push:
new 800bbf9a37 Adding more ssl user agent error stats (#11946)
800bbf9a37 is described below
commit 800bbf9a37d025923eda45b4c0da1a8ac75978e3
Author: Brian Neradt <[email protected]>
AuthorDate: Fri Jan 10 18:12:16 2025 -0600
Adding more ssl user agent error stats (#11946)
Half of our production user agent ssl error stats were other_errors
stats. These new stats cover over 80% of the previously other_errors
stats in our production environment, adding more specific visibility
into client-side SSL errors.
---
.../monitoring/statistics/core/ssl.en.rst | 44 ++++++++
src/iocore/net/SSLDiags.cc | 28 +++++
src/iocore/net/SSLStats.cc | 27 +++--
src/iocore/net/SSLStats.h | 122 +++++++++++----------
4 files changed, 153 insertions(+), 68 deletions(-)
diff --git a/doc/admin-guide/monitoring/statistics/core/ssl.en.rst
b/doc/admin-guide/monitoring/statistics/core/ssl.en.rst
index 59eaa918a5..22bed6280c 100644
--- a/doc/admin-guide/monitoring/statistics/core/ssl.en.rst
+++ b/doc/admin-guide/monitoring/statistics/core/ssl.en.rst
@@ -194,6 +194,50 @@ SSL/TLS
Incoming client SSL connections which presented a client certificate that
had
been revoked, since statistics collection began.
+.. ts:stat:: global
proxy.process.ssl.user_agent_decryption_failed_or_bad_record_mac integer
+ :type: counter
+
+ Incoming client SSL connections which failed decryption or had a mismatched
+ MAC, since statistics collection began.
+
+.. ts:stat:: global proxy.process.ssl.user_agent_http_request integer
+ :type: counter
+
+ Incoming client SSL connections which attempted to use plaintext HTTP
without
+ SSL encryption, since statistics collection began.
+
+.. ts:stat:: global proxy.process.ssl.user_agent_inappropriate_fallback integer
+ :type: counter
+
+ Incoming client SSL connections which used a fallback to an older TLS
version
+ that |TS| doesn't support, since statistics collection began.
+
+.. ts:stat:: global proxy.process.ssl.user_agent_no_shared_cipher integer
+ :type: counter
+
+ Incoming client SSL connections which failed due to no match in supported
+ ciphers between the client and |TS|, since statistics collection began.
+
+.. ts:stat:: global proxy.process.ssl.user_agent_version_too_high integer
+ :type: counter
+
+ Incoming client SSL connections which failed due to the client only
+ supporting TLS versions that are too high for |TS| to support, since
+ statistics collection began.
+
+ This stat is only incremented when |TS| is built against an SSL library,
such
+ as OpenSSL, that supports the ``SSL_R_VERSION_TOO_HIGH`` error.
+
+.. ts:stat:: global proxy.process.ssl.user_agent_version_too_low integer
+ :type: counter
+
+ Incoming client SSL connections which failed due to the client only
+ supporting TLS versions that are too low for |TS| to accept, since
statistics
+ collection began.
+
+ This stat is only incremented when |TS| is built against an SSL library,
such
+ as OpenSSL, that supports the ``SSL_R_VERSION_TOO_LOW`` error.
+
.. ts:stat:: global proxy.process.ssl.user_agent_session_hit integer
:type: counter
diff --git a/src/iocore/net/SSLDiags.cc b/src/iocore/net/SSLDiags.cc
index a7d5bffa45..7883fe6b42 100644
--- a/src/iocore/net/SSLDiags.cc
+++ b/src/iocore/net/SSLDiags.cc
@@ -30,6 +30,7 @@
#include "P_SSLNetVConnection.h"
static DbgCtl ssl_diags_dbg_ctl{"ssl-diag"};
+static DbgCtl ssl_error_dbg_ctl{"ssl-error"};
// return true if we have a stat for the error
static bool
@@ -37,6 +38,7 @@ increment_ssl_client_error(unsigned long err)
{
// we only look for LIB_SSL errors atm
if (ERR_LIB_SSL != ERR_GET_LIB(err)) {
+ Dbg(ssl_error_dbg_ctl, "User agent SSL error not ERR_LIB_SSL: %lu", err);
Metrics::Counter::increment(ssl_rsb.user_agent_other_errors);
return false;
}
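Review bot: The new Dbg lines log only a numeric code, which leaves the operator who enabled `ssl-error` to look the value up by hand; the same applies to the default-case messages at the end of the switch (`Unknown user agent SSL error: %d`) and to both origin-server messages in the later hunks. OpenSSL and BoringSSL both provide `ERR_reason_error_string()`, so the default cases could read `const char *reason = ERR_reason_error_string(err);` followed by `Dbg(ssl_error_dbg_ctl, "Unknown user agent SSL error: %d (%s)", ERR_GET_REASON(err), reason ? reason : "unknown");` — the null guard matters because the lookup returns NULL for codes the library has no string for. For the non-`ERR_LIB_SSL` branch here, logging `ERR_GET_LIB(err)` alongside the packed value would make it clear which library the error came from. The body of increment_ssl_client_error continues outside this hunk.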
@@ -69,7 +71,31 @@ increment_ssl_client_error(unsigned long err)
case SSL_R_TLSV1_ALERT_UNKNOWN_CA:
Metrics::Counter::increment(ssl_rsb.user_agent_unknown_ca);
break;
+ case SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC:
+
Metrics::Counter::increment(ssl_rsb.user_agent_decryption_failed_or_bad_record_mac);
+ break;
+ case SSL_R_HTTP_REQUEST:
+ Metrics::Counter::increment(ssl_rsb.user_agent_http_request);
+ break;
+ case SSL_R_INAPPROPRIATE_FALLBACK:
+ Metrics::Counter::increment(ssl_rsb.user_agent_inappropriate_fallback);
+ break;
+ case SSL_R_NO_SHARED_CIPHER:
+ Metrics::Counter::increment(ssl_rsb.user_agent_no_shared_cipher);
+ break;
+#ifdef SSL_R_VERSION_TOO_HIGH
+ case SSL_R_VERSION_TOO_HIGH:
+ Metrics::Counter::increment(ssl_rsb.user_agent_version_too_high);
+ break;
+#endif /* SSL_R_VERSION_TOO_HIGH */
+#ifdef SSL_R_VERSION_TOO_LOW
+ case SSL_R_VERSION_TOO_LOW:
+ Metrics::Counter::increment(ssl_rsb.user_agent_version_too_low);
+ break;
+#endif /* SSL_R_VERSION_TOO_LOW */
+
default:
+ Dbg(ssl_error_dbg_ctl, "Unknown user agent SSL error: %d",
ERR_GET_REASON(err));
Metrics::Counter::increment(ssl_rsb.user_agent_other_errors);
return false;
}
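Review bot: The `#ifdef SSL_R_VERSION_TOO_HIGH` / `#ifdef SSL_R_VERSION_TOO_LOW` guards carry no comment explaining why only these two cases are conditional, while the stats they feed are registered unconditionally in SSLStats.cc and will simply read zero on a build whose TLS library lacks the macros. A short comment above the first guard, such as `// SSL_R_VERSION_TOO_{HIGH,LOW} are not defined by every supported TLS library; the stats still exist on such builds but stay at zero`, would save the next reader from concluding the stats are missing or broken. The enclosing function starts and ends outside this hunk.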
@@ -84,6 +110,7 @@ increment_ssl_server_error(unsigned long err)
{
// we only look for LIB_SSL errors atm
if (ERR_LIB_SSL != ERR_GET_LIB(err)) {
+ Dbg(ssl_error_dbg_ctl, "Origin server SSL error not ERR_LIB_SSL: %lu",
err);
Metrics::Counter::increment(ssl_rsb.origin_server_other_errors);
return false;
}
@@ -117,6 +144,7 @@ increment_ssl_server_error(unsigned long err)
Metrics::Counter::increment(ssl_rsb.origin_server_unknown_ca);
break;
default:
+ Dbg(ssl_error_dbg_ctl, "Unknown origin server SSL error: %d",
ERR_GET_REASON(err));
Metrics::Counter::increment(ssl_rsb.origin_server_other_errors);
return false;
}
diff --git a/src/iocore/net/SSLStats.cc b/src/iocore/net/SSLStats.cc
index 4caa5c4cad..c0b19f65d6 100644
--- a/src/iocore/net/SSLStats.cc
+++ b/src/iocore/net/SSLStats.cc
@@ -209,16 +209,23 @@ SSLInitializeStatistics()
ssl_rsb.user_agent_bad_cert =
Metrics::Counter::createPtr("proxy.process.ssl.user_agent_bad_cert");
ssl_rsb.user_agent_cert_verify_failed =
Metrics::Counter::createPtr("proxy.process.ssl.user_agent_cert_verify_failed");
ssl_rsb.user_agent_decryption_failed =
Metrics::Counter::createPtr("proxy.process.ssl.user_agent_decryption_failed");
- ssl_rsb.user_agent_expired_cert =
Metrics::Counter::createPtr("proxy.process.ssl.user_agent_expired_cert");
- ssl_rsb.user_agent_other_errors =
Metrics::Counter::createPtr("proxy.process.ssl.user_agent_other_errors");
- ssl_rsb.user_agent_revoked_cert =
Metrics::Counter::createPtr("proxy.process.ssl.user_agent_revoked_cert");
- ssl_rsb.user_agent_session_hit =
Metrics::Gauge::createPtr("proxy.process.ssl.user_agent_session_hit");
- ssl_rsb.user_agent_session_miss =
Metrics::Gauge::createPtr("proxy.process.ssl.user_agent_session_miss");
- ssl_rsb.user_agent_session_timeout =
Metrics::Gauge::createPtr("proxy.process.ssl.user_agent_session_timeout");
- ssl_rsb.user_agent_sessions =
Metrics::Gauge::createPtr("proxy.process.ssl.user_agent_sessions");
- ssl_rsb.user_agent_unknown_ca =
Metrics::Counter::createPtr("proxy.process.ssl.user_agent_unknown_ca");
- ssl_rsb.user_agent_unknown_cert =
Metrics::Counter::createPtr("proxy.process.ssl.user_agent_unknown_cert");
- ssl_rsb.user_agent_wrong_version =
Metrics::Counter::createPtr("proxy.process.ssl.user_agent_wrong_version");
+ ssl_rsb.user_agent_decryption_failed_or_bad_record_mac =
+
Metrics::Counter::createPtr("proxy.process.ssl.user_agent_decryption_failed_or_bad_record_mac");
+ ssl_rsb.user_agent_expired_cert =
Metrics::Counter::createPtr("proxy.process.ssl.user_agent_expired_cert");
+ ssl_rsb.user_agent_http_request =
Metrics::Counter::createPtr("proxy.process.ssl.user_agent_http_request");
+ ssl_rsb.user_agent_inappropriate_fallback =
Metrics::Counter::createPtr("proxy.process.ssl.user_agent_inappropriate_fallback");
+ ssl_rsb.user_agent_no_shared_cipher =
Metrics::Counter::createPtr("proxy.process.ssl.user_agent_no_shared_cipher");
+ ssl_rsb.user_agent_other_errors =
Metrics::Counter::createPtr("proxy.process.ssl.user_agent_other_errors");
+ ssl_rsb.user_agent_revoked_cert =
Metrics::Counter::createPtr("proxy.process.ssl.user_agent_revoked_cert");
+ ssl_rsb.user_agent_session_hit =
Metrics::Gauge::createPtr("proxy.process.ssl.user_agent_session_hit");
+ ssl_rsb.user_agent_session_miss =
Metrics::Gauge::createPtr("proxy.process.ssl.user_agent_session_miss");
+ ssl_rsb.user_agent_session_timeout =
Metrics::Gauge::createPtr("proxy.process.ssl.user_agent_session_timeout");
+ ssl_rsb.user_agent_sessions =
Metrics::Gauge::createPtr("proxy.process.ssl.user_agent_sessions");
+ ssl_rsb.user_agent_unknown_ca =
Metrics::Counter::createPtr("proxy.process.ssl.user_agent_unknown_ca");
+ ssl_rsb.user_agent_unknown_cert =
Metrics::Counter::createPtr("proxy.process.ssl.user_agent_unknown_cert");
+ ssl_rsb.user_agent_version_too_high =
Metrics::Counter::createPtr("proxy.process.ssl.user_agent_version_too_high");
+ ssl_rsb.user_agent_version_too_low =
Metrics::Counter::createPtr("proxy.process.ssl.user_agent_version_too_low");
+ ssl_rsb.user_agent_wrong_version =
Metrics::Counter::createPtr("proxy.process.ssl.user_agent_wrong_version");
#if defined(OPENSSL_IS_BORINGSSL)
size_t n = SSL_get_all_cipher_names(nullptr, 0);
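Review bot: `user_agent_version_too_high` and `user_agent_version_too_low` are created here unconditionally, although the only increments of them in SSLDiags.cc sit behind `#ifdef SSL_R_VERSION_TOO_HIGH` / `#ifdef SSL_R_VERSION_TOO_LOW`; that appears deliberate, so that the metric names are stable across builds, but nothing in this file says so. A one-line comment on those two assignments, e.g. `// Always registered so the metric name is stable; only incremented when the TLS library defines the matching SSL_R_* reason`, would tie the two files together for a reader of this one. SSLInitializeStatistics continues outside this hunk.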
diff --git a/src/iocore/net/SSLStats.h b/src/iocore/net/SSLStats.h
index 1630036a30..c0112ddaac 100644
--- a/src/iocore/net/SSLStats.h
+++ b/src/iocore/net/SSLStats.h
@@ -39,64 +39,70 @@ using ts::Metrics;
// for ssl_rsb.total_ticket_keys_renewed needs this initialization, but lets be
// consistent at least.
struct SSLStatsBlock {
- Metrics::Counter::AtomicType *early_data_received_count = nullptr;
- Metrics::Counter::AtomicType *error_async = nullptr;
- Metrics::Counter::AtomicType *error_ssl = nullptr;
- Metrics::Counter::AtomicType *error_syscall = nullptr;
- Metrics::Counter::AtomicType *ocsp_refresh_cert_failure = nullptr;
- Metrics::Counter::AtomicType *ocsp_refreshed_cert = nullptr;
- Metrics::Counter::AtomicType *ocsp_revoked_cert = nullptr;
- Metrics::Counter::AtomicType *ocsp_unknown_cert = nullptr;
- Metrics::Counter::AtomicType *origin_server_bad_cert = nullptr;
- Metrics::Counter::AtomicType *origin_server_cert_verify_failed = nullptr;
- Metrics::Counter::AtomicType *origin_server_decryption_failed = nullptr;
- Metrics::Counter::AtomicType *origin_server_expired_cert = nullptr;
- Metrics::Counter::AtomicType *origin_server_other_errors = nullptr;
- Metrics::Counter::AtomicType *origin_server_revoked_cert = nullptr;
- Metrics::Counter::AtomicType *origin_server_unknown_ca = nullptr;
- Metrics::Counter::AtomicType *origin_server_unknown_cert = nullptr;
- Metrics::Counter::AtomicType *origin_server_wrong_version = nullptr;
- Metrics::Counter::AtomicType *origin_session_cache_hit = nullptr;
- Metrics::Counter::AtomicType *origin_session_cache_miss = nullptr;
- Metrics::Counter::AtomicType *origin_session_reused_count = nullptr;
- Metrics::Counter::AtomicType *session_cache_eviction = nullptr;
- Metrics::Counter::AtomicType *session_cache_hit = nullptr;
- Metrics::Counter::AtomicType *session_cache_lock_contention = nullptr;
- Metrics::Counter::AtomicType *session_cache_miss = nullptr;
- Metrics::Counter::AtomicType *session_cache_new_session = nullptr;
- Metrics::Counter::AtomicType *sni_name_set_failure = nullptr;
- Metrics::Counter::AtomicType *total_attempts_handshake_count_in = nullptr;
- Metrics::Counter::AtomicType *total_attempts_handshake_count_out = nullptr;
- Metrics::Counter::AtomicType *total_dyn_def_tls_record_count = nullptr;
- Metrics::Counter::AtomicType *total_dyn_max_tls_record_count = nullptr;
- Metrics::Counter::AtomicType *total_dyn_redo_tls_record_count = nullptr;
- Metrics::Counter::AtomicType *total_handshake_time = nullptr;
- Metrics::Counter::AtomicType *total_sslv3 = nullptr;
- Metrics::Counter::AtomicType *total_success_handshake_count_in = nullptr;
- Metrics::Counter::AtomicType *total_success_handshake_count_out = nullptr;
- Metrics::Counter::AtomicType *total_ticket_keys_renewed = nullptr;
- Metrics::Counter::AtomicType *total_tickets_created = nullptr;
- Metrics::Counter::AtomicType *total_tickets_not_found = nullptr;
- Metrics::Counter::AtomicType *total_tickets_renewed = nullptr;
- Metrics::Counter::AtomicType *total_tickets_verified_old_key = nullptr;
- Metrics::Counter::AtomicType *total_tickets_verified = nullptr;
- Metrics::Counter::AtomicType *total_tlsv1 = nullptr;
- Metrics::Counter::AtomicType *total_tlsv11 = nullptr;
- Metrics::Counter::AtomicType *total_tlsv12 = nullptr;
- Metrics::Counter::AtomicType *total_tlsv13 = nullptr;
- Metrics::Counter::AtomicType *user_agent_bad_cert = nullptr;
- Metrics::Counter::AtomicType *user_agent_cert_verify_failed = nullptr;
- Metrics::Counter::AtomicType *user_agent_decryption_failed = nullptr;
- Metrics::Counter::AtomicType *user_agent_expired_cert = nullptr;
- Metrics::Counter::AtomicType *user_agent_other_errors = nullptr;
- Metrics::Counter::AtomicType *user_agent_revoked_cert = nullptr;
- Metrics::Gauge::AtomicType *user_agent_session_hit = nullptr;
- Metrics::Gauge::AtomicType *user_agent_session_miss = nullptr;
- Metrics::Gauge::AtomicType *user_agent_session_timeout = nullptr;
- Metrics::Gauge::AtomicType *user_agent_sessions = nullptr;
- Metrics::Counter::AtomicType *user_agent_unknown_ca = nullptr;
- Metrics::Counter::AtomicType *user_agent_unknown_cert = nullptr;
- Metrics::Counter::AtomicType *user_agent_wrong_version = nullptr;
+ Metrics::Counter::AtomicType *early_data_received_count
= nullptr;
+ Metrics::Counter::AtomicType *error_async
= nullptr;
+ Metrics::Counter::AtomicType *error_ssl
= nullptr;
+ Metrics::Counter::AtomicType *error_syscall
= nullptr;
+ Metrics::Counter::AtomicType *ocsp_refresh_cert_failure
= nullptr;
+ Metrics::Counter::AtomicType *ocsp_refreshed_cert
= nullptr;
+ Metrics::Counter::AtomicType *ocsp_revoked_cert
= nullptr;
+ Metrics::Counter::AtomicType *ocsp_unknown_cert
= nullptr;
+ Metrics::Counter::AtomicType *origin_server_bad_cert
= nullptr;
+ Metrics::Counter::AtomicType *origin_server_cert_verify_failed
= nullptr;
+ Metrics::Counter::AtomicType *origin_server_decryption_failed
= nullptr;
+ Metrics::Counter::AtomicType *origin_server_expired_cert
= nullptr;
+ Metrics::Counter::AtomicType *origin_server_other_errors
= nullptr;
+ Metrics::Counter::AtomicType *origin_server_revoked_cert
= nullptr;
+ Metrics::Counter::AtomicType *origin_server_unknown_ca
= nullptr;
+ Metrics::Counter::AtomicType *origin_server_unknown_cert
= nullptr;
+ Metrics::Counter::AtomicType *origin_server_wrong_version
= nullptr;
+ Metrics::Counter::AtomicType *origin_session_cache_hit
= nullptr;
+ Metrics::Counter::AtomicType *origin_session_cache_miss
= nullptr;
+ Metrics::Counter::AtomicType *origin_session_reused_count
= nullptr;
+ Metrics::Counter::AtomicType *session_cache_eviction
= nullptr;
+ Metrics::Counter::AtomicType *session_cache_hit
= nullptr;
+ Metrics::Counter::AtomicType *session_cache_lock_contention
= nullptr;
+ Metrics::Counter::AtomicType *session_cache_miss
= nullptr;
+ Metrics::Counter::AtomicType *session_cache_new_session
= nullptr;
+ Metrics::Counter::AtomicType *sni_name_set_failure
= nullptr;
+ Metrics::Counter::AtomicType *total_attempts_handshake_count_in
= nullptr;
+ Metrics::Counter::AtomicType *total_attempts_handshake_count_out
= nullptr;
+ Metrics::Counter::AtomicType *total_dyn_def_tls_record_count
= nullptr;
+ Metrics::Counter::AtomicType *total_dyn_max_tls_record_count
= nullptr;
+ Metrics::Counter::AtomicType *total_dyn_redo_tls_record_count
= nullptr;
+ Metrics::Counter::AtomicType *total_handshake_time
= nullptr;
+ Metrics::Counter::AtomicType *total_sslv3
= nullptr;
+ Metrics::Counter::AtomicType *total_success_handshake_count_in
= nullptr;
+ Metrics::Counter::AtomicType *total_success_handshake_count_out
= nullptr;
+ Metrics::Counter::AtomicType *total_ticket_keys_renewed
= nullptr;
+ Metrics::Counter::AtomicType *total_tickets_created
= nullptr;
+ Metrics::Counter::AtomicType *total_tickets_not_found
= nullptr;
+ Metrics::Counter::AtomicType *total_tickets_renewed
= nullptr;
+ Metrics::Counter::AtomicType *total_tickets_verified_old_key
= nullptr;
+ Metrics::Counter::AtomicType *total_tickets_verified
= nullptr;
+ Metrics::Counter::AtomicType *total_tlsv1
= nullptr;
+ Metrics::Counter::AtomicType *total_tlsv11
= nullptr;
+ Metrics::Counter::AtomicType *total_tlsv12
= nullptr;
+ Metrics::Counter::AtomicType *total_tlsv13
= nullptr;
+ Metrics::Counter::AtomicType *user_agent_bad_cert
= nullptr;
+ Metrics::Counter::AtomicType *user_agent_cert_verify_failed
= nullptr;
+ Metrics::Counter::AtomicType *user_agent_decryption_failed
= nullptr;
+ Metrics::Counter::AtomicType *user_agent_decryption_failed_or_bad_record_mac
= nullptr;
+ Metrics::Counter::AtomicType *user_agent_expired_cert
= nullptr;
+ Metrics::Counter::AtomicType *user_agent_http_request
= nullptr;
+ Metrics::Counter::AtomicType *user_agent_inappropriate_fallback
= nullptr;
+ Metrics::Counter::AtomicType *user_agent_no_shared_cipher
= nullptr;
+ Metrics::Counter::AtomicType *user_agent_other_errors
= nullptr;
+ Metrics::Counter::AtomicType *user_agent_revoked_cert
= nullptr;
+ Metrics::Counter::AtomicType *user_agent_unknown_ca
= nullptr;
+ Metrics::Counter::AtomicType *user_agent_unknown_cert
= nullptr;
+ Metrics::Counter::AtomicType *user_agent_version_too_high
= nullptr;
+ Metrics::Counter::AtomicType *user_agent_version_too_low
= nullptr;
+ Metrics::Counter::AtomicType *user_agent_wrong_version
= nullptr;
+ Metrics::Gauge::AtomicType *user_agent_session_hit
= nullptr;
+ Metrics::Gauge::AtomicType *user_agent_session_miss
= nullptr;
+ Metrics::Gauge::AtomicType *user_agent_session_timeout
= nullptr;
+ Metrics::Gauge::AtomicType *user_agent_sessions
= nullptr;
};
extern SSLStatsBlock ssl_rsb;
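Review bot: The four `Metrics::Gauge::AtomicType` members (`user_agent_session_hit` through `user_agent_sessions`) are moved out of the alphabetical sequence the struct otherwise keeps and appended after the counters, without a comment marking the new grouping rule. If grouping by type is intended, a line such as `// Gauges follow the counters; keep each group alphabetical` above the first Gauge member would make the ordering rule explicit for the next person adding a stat; otherwise the four members could stay in their original alphabetical positions. The realignment of every `= nullptr` also turns a six-field addition into a hunk touching all 64 members, which makes the functional change harder to spot in blame.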