Re: [PR] Add boringssl support to the ja4_fingerprint plugin [trafficserver]

Fri, 23 Jan 2026 16:03:11 -0800 


bneradt commented on code in PR #12790:
URL: https://github.com/apache/trafficserver/pull/12790#discussion_r2723219183


##########
include/ts/apidefs.h.in:
##########
@@ -1081,6 +1081,19 @@ using TSAIOCallback      = struct tsapi_aiocallback *;
 using TSAcceptor         = struct tsapi_net_accept *;
 using TSRemapPluginInfo  = struct tsapi_remap_plugin_info *;
 
+struct tsapi_ssl_client_hello {
+  uint16_t       version;
+  const uint8_t *cipher_suites;
+  size_t         cipher_suites_len;
+  const uint8_t *extensions;
+  size_t         extensions_len;
+  int           *extension_ids;
+  size_t         extension_ids_len;
+  void          *ssl_ptr;
+};

Review Comment:
   Let's initialize these here (nullptr, 0).
   
   Also: as a tweak on this, what do you think of making these private and 
adding public getters for these such that we can lazily load them as they are 
requested? Subsequent requests can then return the populated (cached) values if 
the same value is asked for twice. Currently, the caller has to pay for the 
population of all of these even though they might not need them all. 



##########
plugins/experimental/ja4_fingerprint/plugin.cc:
##########
@@ -163,13 +163,21 @@ handle_client_hello(TSCont /* cont ATS_UNUSED */, TSEvent 
event, void *edata)
     // We ignore the event, but we don't want to reject the connection.
     return TS_SUCCESS;
   }
-  TSVConn const         ssl_vc{static_cast<TSVConn>(edata)};
-  TSSslConnection const ssl{TSVConnSslConnectionGet(ssl_vc)};
-  if (nullptr == ssl) {
-    Dbg(dbg_ctl, "Could not get SSL object.");
+
+  TSVConn const ssl_vc{static_cast<TSVConn>(edata)};
+
+#ifdef OPENSSL_IS_BORINGSSL
+  TSClientHello ch = TSVConnClientHelloGet(ssl_vc);
+#else
+  TSSslConnection const ssl_conn{TSVConnSslConnectionGet(ssl_vc)};
+  TSClientHello         ch = reinterpret_cast<TSClientHello>(ssl_conn);
+#endif

Review Comment:
   Can't we use the same interface for both boringssl and openssl?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to