This is an automated email from the ASF dual-hosted git repository.
bneradt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push:
new 67b029b95b cqssrt log field for TLS resumption type (#12404)
67b029b95b is described below
commit 67b029b95bd9b99c1daf6796b66b6e3b747a8e0d
Author: Brian Neradt <[email protected]>
AuthorDate: Wed Sep 24 14:58:53 2025 -0500
cqssrt log field for TLS resumption type (#12404)
This adds the cqssrt log field that indicates the TLS resumption type:
0: no resumption
1: server session cache resumption
2: TLS ticket resumption
---
doc/admin-guide/logging/formatting.en.rst | 13 ++++++++++---
include/proxy/http/HttpUserAgent.h | 24 ++++++++++++++++++++++++
include/proxy/logging/LogAccess.h | 1 +
src/proxy/logging/Log.cc | 5 +++++
src/proxy/logging/LogAccess.cc | 9 +++++++++
5 files changed, 49 insertions(+), 3 deletions(-)
diff --git a/doc/admin-guide/logging/formatting.en.rst
b/doc/admin-guide/logging/formatting.en.rst
index ab5f54583c..5a8039c66c 100644
--- a/doc/admin-guide/logging/formatting.en.rst
+++ b/doc/admin-guide/logging/formatting.en.rst
@@ -618,6 +618,7 @@ SSL / Encryption
.. _cscert:
.. _cqssl:
.. _cqssr:
+.. _cqssrt:
.. _cqssv:
.. _cqssc:
.. _cqssu:
@@ -639,9 +640,15 @@ cscert Client Request 1 if |TS| requested certificate from
client during TLS
handshake. 0 otherwise.
cqssl Client Request SSL client request status indicates if this client
connection is over SSL.
-cqssr Client Request SSL session ticket reused status; indicates if the
current
- request hit the SSL session ticket and avoided a full SSL
- handshake.
+cqssr Client Request SSL session resumption status; indicates whether the
+ current request was resumed from a previous SSL session
+ and avoided a full TLS handshake. Resumption may have
+ been via a server side session cache or via a TLS session
+ ticket, see cqssrt_ for the resumption type.
+cqssrt Client Request SSL resumption type; indicates the type of TLS session
+ resumption used for this request. 0 for no resumption,
+ 1 for server session cache resumption, 2 for TLS session
+ ticket resumption.
cqssv Client Request SSL version used to communicate with the client.
cqssc Client Request SSL Cipher used by |TS| to communicate with the client.
cqssu Client Request SSL Elliptic Curve used by |TS| to communicate with the
diff --git a/include/proxy/http/HttpUserAgent.h
b/include/proxy/http/HttpUserAgent.h
index 1dacea0587..14520ff5b9 100644
--- a/include/proxy/http/HttpUserAgent.h
+++ b/include/proxy/http/HttpUserAgent.h
@@ -32,6 +32,7 @@
#include "records/RecHttp.h"
#include "iocore/net/TLSBasicSupport.h"
#include "iocore/net/TLSSessionResumptionSupport.h"
+#include "tscore/ink_assert.h"
#include <string>
@@ -45,6 +46,7 @@ struct ClientConnectionInfo {
bool tcp_reused{false};
bool ssl_reused{false};
bool connection_is_ssl{false};
+ int ssl_resumption_type{0}; // 0=no resumption, 1=session cache, 2=session
ticket
char const *protocol{"-"};
char const *sec_protocol{"-"};
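Review bot: `ssl_resumption_type` is a plain `int` whose meaning lives only in the trailing comment, and the literals 1 and 2 are repeated in the set_txn hunk further down. A scoped enum would keep the three values in one place and let the compiler catch a stray value, e.g. `enum class TLSResumptionType : int { NONE = 0, SESSION_CACHE = 1, SESSION_TICKET = 2 };`, with the getter casting to `int` for marshalling. The numeric values must stay as documented for cqssrt, since log consumers depend on them. The struct continues outside the hunk.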
@@ -79,6 +81,8 @@ public:
bool get_client_ssl_reused() const;
+ int get_client_ssl_resumption_type() const;
+
bool get_client_connection_is_ssl() const;
char const *get_client_protocol() const;
@@ -190,6 +194,20 @@ HttpUserAgent::set_txn(ProxyTransaction *txn,
TransactionMilestones &milestones)
if (auto tsrs = netvc->get_service<TLSSessionResumptionSupport>()) {
m_conn_info.ssl_reused = tsrs->getIsResumedSSLSession();
+
+ if (m_conn_info.ssl_reused) {
+ if (tsrs->getIsResumedFromSessionCache()) {
+ m_conn_info.ssl_resumption_type = 1;
+ } else if (tsrs->getIsResumedFromSessionTicket()) {
+ m_conn_info.ssl_resumption_type = 2;
+ } else {
+ // This should not happen if ssl_reused is true.
+ ink_assert(!"ssl_resumption_type should be set for an SSL reused
session");
+ m_conn_info.ssl_resumption_type = 0;
+ }
+ } else {
+ m_conn_info.ssl_resumption_type = 0;
+ }
}
if (auto protocol_str{txn->get_protocol_string()}; protocol_str) {
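Review bot: The fallback branch that sets `ssl_resumption_type = 0` after `ink_assert` leaves the access log self-contradictory when it is reached. As far as I know, ink_assert is only active in debug builds, so a release build would record cqssr=1 alongside cqssrt=0 with no trace. Since these fields are used to audit TLS session reuse, I would make the mismatch observable with a warning-level diagnostic in that branch and a comment such as `// Release builds reach here silently: cqssr=1 with cqssrt=0 means the resumption source was not reported.` It is also worth confirming that TLS 1.3 PSK-based resumption is reported by one of the two getters, which is not visible here. set_txn's body starts and ends outside the hunk.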
@@ -235,6 +253,12 @@ HttpUserAgent::get_client_ssl_reused() const
return m_conn_info.ssl_reused;
}
+inline int
+HttpUserAgent::get_client_ssl_resumption_type() const
+{
+ return m_conn_info.ssl_resumption_type;
+}
+
inline bool
HttpUserAgent::get_client_connection_is_ssl() const
{
diff --git a/include/proxy/logging/LogAccess.h
b/include/proxy/logging/LogAccess.h
index e8ae85dad9..757c9d4a5b 100644
--- a/include/proxy/logging/LogAccess.h
+++ b/include/proxy/logging/LogAccess.h
@@ -147,6 +147,7 @@ public:
int marshal_client_req_tcp_reused(char *); // INT
int marshal_client_req_is_ssl(char *); // INT
int marshal_client_req_ssl_reused(char *); // INT
+ int marshal_client_ssl_resumption_type(char *); // INT
int marshal_client_req_is_internal(char *); // INT
int marshal_client_req_mptcp_state(char *); // INT
int marshal_client_security_protocol(char *); // STR
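Review bot: `marshal_client_ssl_resumption_type` drops the `req_` segment that its neighbours (`marshal_client_req_ssl_reused`, `marshal_client_req_is_ssl`) carry, even though the field is registered in Log.cc as `client_req_ssl_resumption_type`. Renaming it to `marshal_client_req_ssl_resumption_type` here, in the Log.cc registration and in the LogAccess.cc definition would keep the SSL marshal functions greppable as a group. The class declaration continues outside the hunk.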
diff --git a/src/proxy/logging/Log.cc b/src/proxy/logging/Log.cc
index 704fbf721c..5178883b5d 100644
--- a/src/proxy/logging/Log.cc
+++ b/src/proxy/logging/Log.cc
@@ -535,6 +535,11 @@ Log::init_fields()
global_field_list.add(field, false);
field_symbol_hash.emplace("cqssr", field);
+ field = new LogField("client_req_ssl_resumption_type", "cqssrt",
LogField::dINT, &LogAccess::marshal_client_ssl_resumption_type,
+ &LogAccess::unmarshal_int_to_str);
+ global_field_list.add(field, false);
+ field_symbol_hash.emplace("cqssrt", field);
+
field = new LogField("client_req_is_internal", "cqint", LogField::sINT,
&LogAccess::marshal_client_req_is_internal,
&LogAccess::unmarshal_int_to_str);
global_field_list.add(field, false);
diff --git a/src/proxy/logging/LogAccess.cc b/src/proxy/logging/LogAccess.cc
index 42b77ef178..41ed00ae77 100644
--- a/src/proxy/logging/LogAccess.cc
+++ b/src/proxy/logging/LogAccess.cc
@@ -2126,6 +2126,15 @@ LogAccess::marshal_client_req_ssl_reused(char *buf)
return INK_MIN_ALIGN;
}
+int
+LogAccess::marshal_client_ssl_resumption_type(char *buf)
+{
+ if (buf) {
+ marshal_int(buf,
m_http_sm->get_user_agent().get_client_ssl_resumption_type());
+ }
+ return INK_MIN_ALIGN;
+}
+
int
LogAccess::marshal_client_req_is_internal(char *buf)
{