This is an automated email from the ASF dual-hosted git repository.

maskit pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/master by this push:
     new 37a801a03e Add support for PP2_SUBTYPE_SSL_GROUP (#12921)
37a801a03e is described below

commit 37a801a03e4994bc0400a7664dee20b8d23b71df
Author: Masakazu Kitajo <[email protected]>
AuthorDate: Tue Mar 3 16:22:42 2026 -0700

    Add support for PP2_SUBTYPE_SSL_GROUP (#12921)
---
 doc/admin-guide/logging/formatting.en.rst       |  2 ++
 include/iocore/net/ProxyProtocol.h              |  2 ++
 include/proxy/logging/LogAccess.h               |  1 +
 src/iocore/net/ProxyProtocol.cc                 |  6 ++++++
 src/iocore/net/unit_tests/test_ProxyProtocol.cc |  6 ++++--
 src/proxy/logging/Log.cc                        |  5 +++++
 src/proxy/logging/LogAccess.cc                  | 21 +++++++++++++++++++++
 7 files changed, 41 insertions(+), 2 deletions(-)

diff --git a/doc/admin-guide/logging/formatting.en.rst 
b/doc/admin-guide/logging/formatting.en.rst
index ba74dcb8f3..92d56bdbb0 100644
--- a/doc/admin-guide/logging/formatting.en.rst
+++ b/doc/admin-guide/logging/formatting.en.rst
@@ -536,6 +536,8 @@ pptc  Proxy Protocol The TLS cipher from Proxy Protocol 
context from the LB
       TLS Cipher     to the |TS|
 pptv  Proxy Protocol The TLS version from Proxy Protocol context from the LB
       TLS version    to the |TS|
+pptg  Proxy Protocol The TLS group from Proxy Protocol context from the LB
+      TLS group      to the |TS|
 ===== ============== ==========================================================
 
 .. note::
diff --git a/include/iocore/net/ProxyProtocol.h 
b/include/iocore/net/ProxyProtocol.h
index 5c73019144..5513ad4fcd 100644
--- a/include/iocore/net/ProxyProtocol.h
+++ b/include/iocore/net/ProxyProtocol.h
@@ -54,6 +54,7 @@ constexpr uint8_t PP2_SUBTYPE_SSL_CN      = 0x22;
 constexpr uint8_t PP2_SUBTYPE_SSL_CIPHER  = 0x23;
 constexpr uint8_t PP2_SUBTYPE_SSL_SIG_ALG = 0x24;
 constexpr uint8_t PP2_SUBTYPE_SSL_KEY_ALG = 0x25;
+constexpr uint8_t PP2_SUBTYPE_SSL_GROUP   = 0x26;
 constexpr uint8_t PP2_TYPE_NETNS          = 0x30;
 
 class ProxyProtocol
@@ -88,6 +89,7 @@ public:
   std::optional<std::string_view> get_tlv(const uint8_t tlvCode) const;
   std::optional<std::string_view> get_tlv_ssl_version() const;
   std::optional<std::string_view> get_tlv_ssl_cipher() const;
+  std::optional<std::string_view> get_tlv_ssl_group() const;
 
   ProxyProtocolVersion                          version   = 
ProxyProtocolVersion::UNDEFINED;
   uint16_t                                      ip_family = AF_UNSPEC;
diff --git a/include/proxy/logging/LogAccess.h 
b/include/proxy/logging/LogAccess.h
index 1a799ca3b0..8ff9cfe83b 100644
--- a/include/proxy/logging/LogAccess.h
+++ b/include/proxy/logging/LogAccess.h
@@ -272,6 +272,7 @@ public:
   int marshal_proxy_protocol_authority(char *);                    // STR
   int marshal_proxy_protocol_tls_cipher(char *);                   // STR
   int marshal_proxy_protocol_tls_version(char *);                  // STR
+  int marshal_proxy_protocol_tls_group(char *);                    // STR
 
   // named fields from within a http header
   //
diff --git a/src/iocore/net/ProxyProtocol.cc b/src/iocore/net/ProxyProtocol.cc
index 96939412c8..472f544354 100644
--- a/src/iocore/net/ProxyProtocol.cc
+++ b/src/iocore/net/ProxyProtocol.cc
@@ -625,6 +625,12 @@ ProxyProtocol::get_tlv_ssl_cipher() const
   return this->_get_tlv_ssl_subtype(PP2_SUBTYPE_SSL_CIPHER);
 }
 
+std::optional<std::string_view>
+ProxyProtocol::get_tlv_ssl_group() const
+{
+  return this->_get_tlv_ssl_subtype(PP2_SUBTYPE_SSL_GROUP);
+}
+
 int
 ProxyProtocol::set_additional_data(std::string_view data)
 {
diff --git a/src/iocore/net/unit_tests/test_ProxyProtocol.cc 
b/src/iocore/net/unit_tests/test_ProxyProtocol.cc
index 53958b30b2..ada8605f08 100644
--- a/src/iocore/net/unit_tests/test_ProxyProtocol.cc
+++ b/src/iocore/net/unit_tests/test_ProxyProtocol.cc
@@ -303,15 +303,16 @@ TEST_CASE("PROXY Protocol v2 Parser", 
"[ProxyProtocol][ProxyProtocolv2]")
       0x55, 0x49, 0x54, 0x0A,                         ///<
       0x21,                                           ///< version & command
       0x11,                                           ///< protocol & family
-      0x00, 0x2B,                                     ///< len
+      0x00, 0x32,                                     ///< len
       0xC0, 0x00, 0x02, 0x01,                         ///< src_addr
       0xC6, 0x33, 0x64, 0x01,                         ///< dst_addr
       0xC3, 0x50,                                     ///< src_port
       0x01, 0xBB,                                     ///< dst_port
       0x01, 0x00, 0x02, 0x68, 0x32,                   /// PP2_TYPE_ALPN (h2)
       0x02, 0x00, 0x03, 0x61, 0x62, 0x63,             /// PP2_TYPE_AUTHORITY 
(abc)
-      0x20, 0x00, 0x11, 0x01, 0x00, 0x00, 0x00, 0x00, /// PP2_TYPE_SSL 
(client=0x01, verify=0)
+      0x20, 0x00, 0x18, 0x01, 0x00, 0x00, 0x00, 0x00, /// PP2_TYPE_SSL 
(client=0x01, verify=0)
       0x23, 0x00, 0x03, 0x58, 0x59, 0x5A,             /// 
PP2_SUBTYPE_SSL_CIPHER (XYZ)
+      0x26, 0x00, 0x04, 0x58, 0x31, 0x32, 0x33,       /// 
PP2_SUBTYPE_SSL_GROUP(X123)
       0x21, 0x00, 0x03, 0x54, 0x4C, 0x53,             /// 
PP2_SUBTYPE_SSL_VERSION (TLS)
     };
 
@@ -332,6 +333,7 @@ TEST_CASE("PROXY Protocol v2 Parser", 
"[ProxyProtocol][ProxyProtocolv2]")
     CHECK(pp_info.tlv[PP2_TYPE_AUTHORITY] == "abc");
 
     CHECK(pp_info.get_tlv_ssl_cipher() == "XYZ");
+    CHECK(pp_info.get_tlv_ssl_group() == "X123");
     CHECK(pp_info.get_tlv_ssl_version() == "TLS");
   }
 
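Review bot: The new `CHECK(pp_info.get_tlv_ssl_group() == "X123")` covers only the case where the 0x26 sub-TLV is present and well-formed. Nothing added in this commit pins what the accessor returns when the sub-TLV is missing or malformed. Since these bytes come straight from the PROXY v2 header, a fixture whose PP2_TYPE_SSL payload omits the group sub-TLV, checked with `CHECK_FALSE(pp_info.get_tlv_ssl_group().has_value());`, would cover the absent case. A second fixture whose sub-TLV length field runs past the enclosing PP2_TYPE_SSL length would cover the malformed one. The TEST_CASE body starts and ends outside this hunk, so such cases may already exist for the other sub-types.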
diff --git a/src/proxy/logging/Log.cc b/src/proxy/logging/Log.cc
index 29b0949698..22a6f1b7d1 100644
--- a/src/proxy/logging/Log.cc
+++ b/src/proxy/logging/Log.cc
@@ -1048,6 +1048,11 @@ Log::init_fields()
   global_field_list.add(field, false);
   field_symbol_hash.emplace("pptv", field);
 
+  field = new LogField("proxy_protocol_tls_group", "pptg", LogField::STRING, 
&LogAccess::marshal_proxy_protocol_tls_group,
+                       &LogAccess::unmarshal_str);
+  global_field_list.add(field, false);
+  field_symbol_hash.emplace("pptg", field);
+
   field = new LogField("version_build_number", "vbn", LogField::STRING, 
&LogAccess::marshal_version_build_number,
                        &LogAccess::unmarshal_str);
   global_field_list.add(field, false);
diff --git a/src/proxy/logging/LogAccess.cc b/src/proxy/logging/LogAccess.cc
index 7d2bcb54da..a0a8e17afd 100644
--- a/src/proxy/logging/LogAccess.cc
+++ b/src/proxy/logging/LogAccess.cc
@@ -1751,6 +1751,27 @@ LogAccess::marshal_proxy_protocol_tls_version(char *buf)
   return len;
 }
 
+int
+LogAccess::marshal_proxy_protocol_tls_group(char *buf)
+{
+  int len = INK_MIN_ALIGN;
+
+  if (m_http_sm) {
+    if (auto group = m_http_sm->t_state.pp_info.get_tlv_ssl_group(); group) {
+      len = padded_length(group->size() + 1);
+      if (buf) {
+        marshal_mem(buf, group->data(), group->size(), len);
+      }
+    } else {
+      if (buf) {
+        // This prints the default value ("-")
+        marshal_mem(buf, nullptr, 0, len);
+      }
+    }
+  }
+  return len;
+}
+
 /*-------------------------------------------------------------------------
   -------------------------------------------------------------------------*/
 int
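Review bot: When `m_http_sm` is null and `buf` is non-null, marshal_proxy_protocol_tls_group returns `INK_MIN_ALIGN` without writing anything to `buf`, because the default-value `marshal_mem(buf, nullptr, 0, len)` call sits only in the inner `else`. Whether that path is reachable is not visible from this hunk, but an outer `else if (buf) { marshal_mem(buf, nullptr, 0, len); }` would make every path that reports a length also fill it. If the sibling marshal_proxy_protocol_tls_* functions share this shape, the same applies to them. Separately, the group string is copied into the log record as received in the PROXY header, so its content is whatever the sender supplied. It is worth confirming that the log output path escapes control characters, or adding a comment such as `// value is taken verbatim from the PROXY header; only meaningful when the sender is a trusted LB`.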
