Repository: trafficserver Updated Branches: refs/heads/master e985569ae -> b597f9cfa
TS-3648 Desire support for client TLS cipher in custom log format. This closes #252. Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/b597f9cf Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/b597f9cf Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/b597f9cf Branch: refs/heads/master Commit: b597f9cfa8148df6eb787b8f872a8bd20d0f9492 Parents: e985569 Author: AcaÌcio Centeno <acaciocent...@gmail.com> Authored: Thu Sep 25 16:23:31 2014 +0000 Committer: shinrich <shinr...@yahoo-inc.com> Committed: Mon Aug 10 15:51:32 2015 -0500 ---------------------------------------------------------------------- doc/admin/event-logging-formats.en.rst | 10 ++++++++++ iocore/net/P_SSLNetVConnection.h | 16 ++++++++++++++++ proxy/http/HttpSM.cc | 8 +++++--- proxy/http/HttpSM.h | 4 ++++ proxy/logging/Log.cc | 10 ++++++++++ proxy/logging/LogAccess.cc | 14 ++++++++++++++ proxy/logging/LogAccess.h | 2 ++ proxy/logging/LogAccessHttp.cc | 26 ++++++++++++++++++++++++++ proxy/logging/LogAccessHttp.h | 2 ++ 9 files changed, 89 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/trafficserver/blob/b597f9cf/doc/admin/event-logging-formats.en.rst ---------------------------------------------------------------------- diff --git a/doc/admin/event-logging-formats.en.rst b/doc/admin/event-logging-formats.en.rst index 1bb1382..fee875e 100644 --- a/doc/admin/event-logging-formats.en.rst +++ b/doc/admin/event-logging-formats.en.rst 
@@ -203,6 +203,16 @@ The following list describes Traffic Server custom logging fields. The SSL session/ticket reused status; indicates if this request hit the SSL session/ticket and avoided a full SSL handshake. +.. _cqssv: + +``cqssv`` + The SSL/TLS version used to communicate with the client. + +.. _cqssc: + +``cqssc`` + The cipher used by ATS to communicate with the client over SSL. + .. _cqtx: ``cqtx`` http://git-wip-us.apache.org/repos/asf/trafficserver/blob/b597f9cf/iocore/net/P_SSLNetVConnection.h ---------------------------------------------------------------------- diff --git a/iocore/net/P_SSLNetVConnection.h b/iocore/net/P_SSLNetVConnection.h index 57c9a6b..853f097 100644 --- a/iocore/net/P_SSLNetVConnection.h +++ b/iocore/net/P_SSLNetVConnection.h @@ -267,6 +267,22 @@ public: bool computeSSLTrace(); + const char * + getSSLProtocol(void) const + { + if (ssl == NULL) + return NULL; + return SSL_get_version(ssl); + }; + + const char * + getSSLCipherSuite(void) const + { + if (ssl == NULL) + return NULL; + return SSL_get_cipher_name(ssl); + } + private: SSLNetVConnection(const SSLNetVConnection &); SSLNetVConnection &operator=(const SSLNetVConnection &); http://git-wip-us.apache.org/repos/asf/trafficserver/blob/b597f9cf/proxy/http/HttpSM.cc ---------------------------------------------------------------------- diff --git a/proxy/http/HttpSM.cc b/proxy/http/HttpSM.cc index 8ba5eaa..156e696 100644 --- a/proxy/http/HttpSM.cc +++ b/proxy/http/HttpSM.cc 
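Review bot: In P_SSLNetVConnection.h, getSSLProtocol() closes with `};`, a stray semicolon after an in-class function body that getSSLCipherSuite() directly below it does not have, and neither accessor documents its return contract. Drop the semicolon and add a comment above the pair such as `// Returns NULL when no SSL object is attached; the string is owned by OpenSSL and must not be freed.` The ownership half of that comment is my reading of SSL_get_version() and SSL_get_cipher_name(), so confirm it against the OpenSSL version the project builds with.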
@@ -277,9 +277,9 @@ HttpSM::HttpSM() client_request_hdr_bytes(0), client_request_body_bytes(0), server_request_hdr_bytes(0), server_request_body_bytes(0), server_response_hdr_bytes(0), server_response_body_bytes(0), client_response_hdr_bytes(0), client_response_body_bytes(0), cache_response_hdr_bytes(0), cache_response_body_bytes(0), pushed_response_hdr_bytes(0), pushed_response_body_bytes(0), - client_tcp_reused(false), client_ssl_reused(false), client_connection_is_ssl(false), plugin_tag(0), plugin_id(0), - hooks_set(false), cur_hook_id(TS_HTTP_LAST_HOOK), cur_hook(NULL), cur_hooks(0), callout_state(HTTP_API_NO_CALLOUT), - terminate_sm(false), kill_this_async_done(false), parse_range_done(false) + client_tcp_reused(false), client_ssl_reused(false), client_connection_is_ssl(false), client_sec_protocol("-"), + client_cipher_suite("-"), plugin_tag(0), plugin_id(0), hooks_set(false), cur_hook_id(TS_HTTP_LAST_HOOK), cur_hook(NULL), + cur_hooks(0), callout_state(HTTP_API_NO_CALLOUT), terminate_sm(false), kill_this_async_done(false), parse_range_done(false) { memset(&history, 0, sizeof(history)); memset(&vc_table, 0, sizeof(vc_table)); @@ -481,6 +481,8 @@ HttpSM::attach_client_session(HttpClientSession *client_vc, IOBufferReader *buff if (ssl_vc != NULL) { client_connection_is_ssl = true; client_ssl_reused = ssl_vc->getSSLSessionCacheHit(); + client_sec_protocol = ssl_vc->getSSLProtocol(); + client_cipher_suite = ssl_vc->getSSLCipherSuite(); } ink_release_assert(ua_session->get_half_close_flag() == false); http://git-wip-us.apache.org/repos/asf/trafficserver/blob/b597f9cf/proxy/http/HttpSM.h ---------------------------------------------------------------------- diff --git a/proxy/http/HttpSM.h b/proxy/http/HttpSM.h index 38e7bac..605341d 100644 --- a/proxy/http/HttpSM.h +++ b/proxy/http/HttpSM.h 
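Review bot: In the attach_client_session hunk, `client_sec_protocol = ssl_vc->getSSLProtocol();` and the matching cipher assignment can replace the constructor's `"-"` default with NULL, because both accessors return NULL when the connection has no SSL object. The log marshalling code then receives a null pointer instead of the placeholder, and whether it tolerates that depends on LogAccess::strlen and marshal_str, which are not visible here. Keeping the default is cheap: `const char *proto = ssl_vc->getSSLProtocol();` followed by `if (proto) client_sec_protocol = proto;`, and the same for the cipher suite. attach_client_session starts and ends outside the hunk.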
@@ -494,8 +494,12 @@ public: int pushed_response_hdr_bytes; int64_t pushed_response_body_bytes; bool client_tcp_reused; + // Info about client's SSL connection. bool client_ssl_reused; bool client_connection_is_ssl; + const char *client_sec_protocol; + const char *client_cipher_suite; + TransactionMilestones milestones; ink_hrtime api_timer; // The next two enable plugins to tag the state machine for http://git-wip-us.apache.org/repos/asf/trafficserver/blob/b597f9cf/proxy/logging/Log.cc ---------------------------------------------------------------------- diff --git a/proxy/logging/Log.cc b/proxy/logging/Log.cc index 4f919e7..598ec6b 100644 --- a/proxy/logging/Log.cc +++ b/proxy/logging/Log.cc @@ -488,6 +488,16 @@ Log::init_fields() global_field_list.add(field, false); ink_hash_table_insert(field_symbol_hash, "cqssr", field); + field = new LogField("client_sec_protocol", "cqssv", LogField::STRING, &LogAccess::marshal_client_security_protocol, + (LogField::UnmarshalFunc) & LogAccess::unmarshal_str); + global_field_list.add(field, false); + ink_hash_table_insert(field_symbol_hash, "cqssv", field); + + field = new LogField("client_cipher_suite", "cqssc", LogField::STRING, &LogAccess::marshal_client_security_cipher_suite, + (LogField::UnmarshalFunc) & LogAccess::unmarshal_str); + global_field_list.add(field, false); + ink_hash_table_insert(field_symbol_hash, "cqssc", field); + Ptr<LogFieldAliasTable> finish_status_map = make_ptr(new LogFieldAliasTable); finish_status_map->init(N_LOG_FINISH_CODE_TYPES, LOG_FINISH_FIN, "FIN", LOG_FINISH_INTR, "INTR", LOG_FINISH_TIMEOUT, "TIMEOUT"); http://git-wip-us.apache.org/repos/asf/trafficserver/blob/b597f9cf/proxy/logging/LogAccess.cc ---------------------------------------------------------------------- diff --git a/proxy/logging/LogAccess.cc b/proxy/logging/LogAccess.cc index 56b42bd..8264c47 100644 --- a/proxy/logging/LogAccess.cc +++ b/proxy/logging/LogAccess.cc 
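Review bot: The new `client_sec_protocol` and `client_cipher_suite` members in HttpSM.h are raw pointers copied from the client's SSL connection, and the comment above them does not say who owns the strings or how long they stay valid. The state machine reads them when the transaction is logged, which may be after the client connection has gone away, so the members are only safe if the strings outlive the SSL object. If that holds (OpenSSL appears to hand back constant strings for both), record it next to the fields, e.g. `// Borrowed constant strings from OpenSSL, never freed; "-" when the client is not on TLS.`; if it cannot be guaranteed, copy the values into the state machine instead.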
@@ -274,6 +274,20 @@ LogAccess::marshal_client_req_ssl_reused(char *buf) } /*------------------------------------------------------------------------- +-------------------------------------------------------------------------*/ +int +LogAccess::marshal_client_security_protocol(char *buf) +{ + DEFAULT_STR_FIELD; +} + +int +LogAccess::marshal_client_security_cipher_suite(char *buf) +{ + DEFAULT_STR_FIELD; +} + +/*------------------------------------------------------------------------- -------------------------------------------------------------------------*/ int http://git-wip-us.apache.org/repos/asf/trafficserver/blob/b597f9cf/proxy/logging/LogAccess.h ---------------------------------------------------------------------- diff --git a/proxy/logging/LogAccess.h b/proxy/logging/LogAccess.h index 03a91bc..45459c6 100644 --- a/proxy/logging/LogAccess.h +++ b/proxy/logging/LogAccess.h @@ -193,6 +193,8 @@ public: inkcoreapi virtual int marshal_client_req_is_ssl(char *); // INT inkcoreapi virtual int marshal_client_req_ssl_reused(char *); // INT inkcoreapi virtual int marshal_client_finish_status_code(char *); // INT + inkcoreapi virtual int marshal_client_security_protocol(char *); // STR + inkcoreapi virtual int marshal_client_security_cipher_suite(char *); // STR // // proxy -> client fields http://git-wip-us.apache.org/repos/asf/trafficserver/blob/b597f9cf/proxy/logging/LogAccessHttp.cc ---------------------------------------------------------------------- diff --git a/proxy/logging/LogAccessHttp.cc b/proxy/logging/LogAccessHttp.cc index ec0cc7f..ba8b7de 100644 --- a/proxy/logging/LogAccessHttp.cc +++ b/proxy/logging/LogAccessHttp.cc 
@@ -707,6 +707,32 @@ LogAccessHttp::marshal_client_finish_status_code(char *buf) } /*------------------------------------------------------------------------- +-------------------------------------------------------------------------*/ +int +LogAccessHttp::marshal_client_security_protocol(char *buf) +{ + int round_len = INK_MIN_ALIGN; + if (buf) { + const char *proto = m_http_sm->client_sec_protocol; + round_len = LogAccess::strlen(proto); + marshal_str(buf, proto, round_len); + } + return round_len; +} + +int +LogAccessHttp::marshal_client_security_cipher_suite(char *buf) +{ + int round_len = INK_MIN_ALIGN; + if (buf) { + const char *cipher = m_http_sm->client_cipher_suite; + round_len = LogAccess::strlen(cipher); + marshal_str(buf, cipher, round_len); + } + return round_len; +} + +/*------------------------------------------------------------------------- -------------------------------------------------------------------------*/ int http://git-wip-us.apache.org/repos/asf/trafficserver/blob/b597f9cf/proxy/logging/LogAccessHttp.h ---------------------------------------------------------------------- diff --git a/proxy/logging/LogAccessHttp.h b/proxy/logging/LogAccessHttp.h index 7e7927d..20a4ea6 100644 --- a/proxy/logging/LogAccessHttp.h +++ b/proxy/logging/LogAccessHttp.h @@ -76,6 +76,8 @@ public: virtual int marshal_client_req_is_ssl(char *); // INT virtual int marshal_client_req_ssl_reused(char *); // INT virtual int marshal_client_finish_status_code(char *); // INT + virtual int marshal_client_security_protocol(char *); // STR + virtual int marshal_client_security_cipher_suite(char *); // STR // // proxy -> client fields
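Review bot: In LogAccessHttp::marshal_client_security_protocol and marshal_client_security_cipher_suite, the length is computed only inside `if (buf)`, so a call with a null buffer returns INK_MIN_ALIGN while a call with a real buffer writes and returns `LogAccess::strlen(...)` bytes. If the logging code uses the null-buffer call to size the record, as the guard suggests, any value whose padded length exceeds INK_MIN_ALIGN (long cipher suite names are the likely case) is written into space that was never reserved. Compute the length unconditionally in both functions: `const char *proto = m_http_sm->client_sec_protocol;` and `int round_len = LogAccess::strlen(proto);` before the guard, leaving only `marshal_str(buf, proto, round_len);` inside it.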