[ 
https://issues.apache.org/jira/browse/TS-3007?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Alexey Ivanov updated TS-3007:
------------------------------

    Description: 
Currently we collect the following TLS alert stats:
{code}
proxy.process.ssl.user_agent_other_errors=0
proxy.process.ssl.user_agent_expired_cert=0
proxy.process.ssl.user_agent_revoked_cert=0
proxy.process.ssl.user_agent_unknown_cert=0
proxy.process.ssl.user_agent_cert_verify_failed=0
proxy.process.ssl.user_agent_bad_cert=0
proxy.process.ssl.user_agent_decryption_failed=0
proxy.process.ssl.user_agent_wrong_version=0
proxy.process.ssl.user_agent_unknown_ca=0
/* + same set for origin_server */
{code}

Though [RFC 5246] defines the following set:
{code}
      enum {
          close_notify(0),
          unexpected_message(10),
          bad_record_mac(20),
          decryption_failed_RESERVED(21),
          record_overflow(22),
          decompression_failure(30),
          handshake_failure(40),
          no_certificate_RESERVED(41),
          bad_certificate(42),
          unsupported_certificate(43),
          certificate_revoked(44),
          certificate_expired(45),
          certificate_unknown(46),
          illegal_parameter(47),
          unknown_ca(48),
          access_denied(49),
          decode_error(50),
          decrypt_error(51),
          export_restriction_RESERVED(60),
          protocol_version(70),
          insufficient_security(71),
          internal_error(80),
          user_canceled(90),
          no_renegotiation(100),
          unsupported_extension(110),
          (255)
      } AlertDescription;
{code}

Probably we want to adjust the ATS naming and number of collected stats to match 
the RFC.

Also maybe it's a good idea to put them under {{proxy.process.ssl.alerts}}

[RFC 5246] http://tools.ietf.org/html/rfc5246#section-7.2

[~briang] Can you take a look into it?

  was:
Currently we collect the following TLS alert stats:
{code}
proxy.process.ssl.user_agent_other_errors=0
proxy.process.ssl.user_agent_expired_cert=0
proxy.process.ssl.user_agent_revoked_cert=0
proxy.process.ssl.user_agent_unknown_cert=0
proxy.process.ssl.user_agent_cert_verify_failed=0
proxy.process.ssl.user_agent_bad_cert=0
proxy.process.ssl.user_agent_decryption_failed=0
proxy.process.ssl.user_agent_wrong_version=0
proxy.process.ssl.user_agent_unknown_ca=0
/* + same set for origin_server */
{code}

Though [RFC 5246] defines the following set:
{code}
      enum {
          close_notify(0),
          unexpected_message(10),
          bad_record_mac(20),
          decryption_failed_RESERVED(21),
          record_overflow(22),
          decompression_failure(30),
          handshake_failure(40),
          no_certificate_RESERVED(41),
          bad_certificate(42),
          unsupported_certificate(43),
          certificate_revoked(44),
          certificate_expired(45),
          certificate_unknown(46),
          illegal_parameter(47),
          unknown_ca(48),
          access_denied(49),
          decode_error(50),
          decrypt_error(51),
          export_restriction_RESERVED(60),
          protocol_version(70),
          insufficient_security(71),
          internal_error(80),
          user_canceled(90),
          no_renegotiation(100),
          unsupported_extension(110),
          (255)
      } AlertDescription;
{code}

Probably we want to adjust the ATS naming and number of collected stats to match 
the RFC.

Also maybe it's a good idea to put them under {{proxy.process.ssl.alerts}}

[RFC 5246] http://tools.ietf.org/html/rfc5246#section-7.2


> Stats for all TLS alerts defined in RFC 5246  
> ----------------------------------------------
>
>                 Key: TS-3007
>                 URL: https://issues.apache.org/jira/browse/TS-3007
>             Project: Traffic Server
>          Issue Type: Improvement
>            Reporter: Alexey Ivanov
>
> Currently we collect the following TLS alert stats:
> {code}
> proxy.process.ssl.user_agent_other_errors=0
> proxy.process.ssl.user_agent_expired_cert=0
> proxy.process.ssl.user_agent_revoked_cert=0
> proxy.process.ssl.user_agent_unknown_cert=0
> proxy.process.ssl.user_agent_cert_verify_failed=0
> proxy.process.ssl.user_agent_bad_cert=0
> proxy.process.ssl.user_agent_decryption_failed=0
> proxy.process.ssl.user_agent_wrong_version=0
> proxy.process.ssl.user_agent_unknown_ca=0
> /* + same set for origin_server */
> {code}
> Though [RFC 5246] defines the following set:
> {code}
>       enum {
>           close_notify(0),
>           unexpected_message(10),
>           bad_record_mac(20),
>           decryption_failed_RESERVED(21),
>           record_overflow(22),
>           decompression_failure(30),
>           handshake_failure(40),
>           no_certificate_RESERVED(41),
>           bad_certificate(42),
>           unsupported_certificate(43),
>           certificate_revoked(44),
>           certificate_expired(45),
>           certificate_unknown(46),
>           illegal_parameter(47),
>           unknown_ca(48),
>           access_denied(49),
>           decode_error(50),
>           decrypt_error(51),
>           export_restriction_RESERVED(60),
>           protocol_version(70),
>           insufficient_security(71),
>           internal_error(80),
>           user_canceled(90),
>           no_renegotiation(100),
>           unsupported_extension(110),
>           (255)
>       } AlertDescription;
> {code}
> Probably we want to adjust the ATS naming and number of collected stats to match 
> the RFC.
> Also maybe it's a good idea to put them under {{proxy.process.ssl.alerts}}
> [RFC 5246] http://tools.ietf.org/html/rfc5246#section-7.2
> [~briang] Can you take a look into it?



--
This message was sent by Atlassian JIRA
(v6.2#6252)
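
Added example, not part of the original message and not ATS code: one way the proposal above could look, with one counter per RFC 5246 AlertDescription, fed by a parser for plaintext TLS alert records. The stat layout proxy.process.ssl.alerts.<side>.<name>, the "other" bucket, and the names alert_stat_name and count_alert_record are assumptions made for illustration.

```cpp
// Added example, not ATS code: one counter per RFC 5246 AlertDescription.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>
// Values from RFC 5246 section 7.2, as listed in the issue.
static const std::map<uint8_t, const char *> kAlertNames = {
  {0, "close_notify"}, {10, "unexpected_message"}, {20, "bad_record_mac"},
  {21, "decryption_failed_RESERVED"}, {22, "record_overflow"},
  {30, "decompression_failure"}, {40, "handshake_failure"},
  {41, "no_certificate_RESERVED"}, {42, "bad_certificate"},
  {43, "unsupported_certificate"}, {44, "certificate_revoked"},
  {45, "certificate_expired"}, {46, "certificate_unknown"},
  {47, "illegal_parameter"}, {48, "unknown_ca"}, {49, "access_denied"},
  {50, "decode_error"}, {51, "decrypt_error"},
  {60, "export_restriction_RESERVED"}, {70, "protocol_version"},
  {71, "insufficient_security"}, {80, "internal_error"},
  {90, "user_canceled"}, {100, "no_renegotiation"}, {110, "unsupported_extension"}};
using Counters = std::map<std::string, uint64_t>;

// Assumed layout: proxy.process.ssl.alerts.<side>.<rfc_name>; codes outside
// the RFC 5246 set share an "other" bucket instead of being dropped.
std::string alert_stat_name(const std::string &side, uint8_t description) {
  auto it = kAlertNames.find(description);
  const char *name = it != kAlertNames.end() ? it->second : "other";
  return "proxy.process.ssl.alerts." + side + "." + name;
}

// Count one plaintext alert record: type(1)=21, version(2), length(2)=2,
// level(1), description(1). Encrypted or malformed records return false.
bool count_alert_record(const uint8_t *rec, size_t len, const std::string &side,
                        Counters &stats) {
  if (rec == nullptr || len < 7 || rec[0] != 21 || rec[1] != 3) return false;
  if (((rec[3] << 8) | rec[4]) != 2) return false;  // body must be level+desc
  if (rec[5] != 1 && rec[5] != 2) return false;     // warning(1) or fatal(2)
  ++stats[alert_stat_name(side, rec[6])];
  return true;
}

int main() {
  // Constructed sample: TLS 1.2 record carrying fatal(2) unknown_ca(48).
  const uint8_t sample[] = {21, 3, 3, 0, 2, 2, 48};
  Counters stats;
  count_alert_record(sample, sizeof sample, "user_agent", stats);
  for (const auto &kv : stats)
    std::printf("%s=%llu\n", kv.first.c_str(), (unsigned long long)kv.second);
  return 0;
}
```

Alerts sent after the handshake switches to encrypted records do not have a two-byte body on the wire, so a counter inside the proxy would be driven from the TLS library rather than from raw records.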
