From 40bd7d3a17751dae927671569deb6139ba91903a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aca=CC=81cio=20Centeno?= Date: Thu, 25 Sep 2014 16:23:31 +0000 Subject: [PATCH] [TS-3648] Desire support for client TLS cipher in custom log format --- doc/admin/event-logging-formats.en.rst | 10 ++++++++++ iocore/net/P_SSLNetVConnection.h | 14 ++++++++++++++ proxy/http/HttpSM.cc | 8 +++++--- proxy/http/HttpSM.h | 4 ++++ proxy/logging/Log.cc | 14 ++++++++++++++ proxy/logging/LogAccess.cc | 14 ++++++++++++++ proxy/logging/LogAccess.h | 2 ++ proxy/logging/LogAccessHttp.cc | 26 ++++++++++++++++++++++++++ proxy/logging/LogAccessHttp.h | 2 ++ 9 files changed, 91 insertions(+), 3 deletions(-) diff --git a/doc/admin/event-logging-formats.en.rst b/doc/admin/event-logging-formats.en.rst index cdd7923c95c..d24c0f8a1d5 100644 --- a/doc/admin/event-logging-formats.en.rst +++ b/doc/admin/event-logging-formats.en.rst @@ -188,6 +188,16 @@ The following list describes Traffic Server custom logging fields. The SSL session/ticket reused status; indicates if this request hit the SSL session/ticket and avoided a full SSL handshake. +.. _cqssv: + +``cqssv`` + The SSL/TLS version used to communicate with the client. + +.. _cqssc: + +``cqssc`` + The cipher used by ATS to communicate with the client over SSL. + .. _cqtx: ``cqtx`` diff --git a/iocore/net/P_SSLNetVConnection.h b/iocore/net/P_SSLNetVConnection.h index 3b29e7bea4f..918110736db 100644 --- a/iocore/net/P_SSLNetVConnection.h +++ b/iocore/net/P_SSLNetVConnection.h @@ -267,6 +267,20 @@ class SSLNetVConnection : public UnixNetVConnection bool computeSSLTrace(); + const char * getSSLProtocol(void) const + { + if ( ssl == NULL ) + return NULL; + return SSL_get_version(ssl); + }; + + const char * getSSLCipherSuite(void) const + { + if ( ssl == NULL ) + return NULL; + return SSL_get_cipher_name(ssl); + } + private: SSLNetVConnection(const SSLNetVConnection &); SSLNetVConnection &operator=(const SSLNetVConnection &); 
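Review bot: getSSLProtocol() and getSSLCipherSuite() return NULL when `ssl` is unset, and in proxy/http/HttpSM.cc attach_client_session assigns that result unconditionally, replacing the "-" default from the constructor, so proxy/logging/LogAccessHttp.cc can hand a null pointer to LogAccess::strlen() and marshal_str(); whether those tolerate NULL is not visible in this patch. Either let the getters supply the placeholder, `return ssl ? SSL_get_version(ssl) : "-";` and `return ssl ? SSL_get_cipher_name(ssl) : "-";`, or guard the assignments, `if (const char *p = ssl_vc->getSSLProtocol()) client_sec_protocol = p;`. Both OpenSSL calls return constant strings owned by the library (the version name and the cipher-table name), so keeping the pointers in HttpSM is lifetime-safe, which deserves a one-line comment on each getter. Separately, getSSLProtocol's closing `};` carries a stray semicolon that getSSLCipherSuite does not. The class SSLNetVConnection continues outside the hunk.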
diff --git a/proxy/http/HttpSM.cc b/proxy/http/HttpSM.cc index 8fd7304485d..4010f467799 100644 --- a/proxy/http/HttpSM.cc +++ b/proxy/http/HttpSM.cc @@ -277,9 +277,9 @@ HttpSM::HttpSM() client_request_hdr_bytes(0), client_request_body_bytes(0), server_request_hdr_bytes(0), server_request_body_bytes(0), server_response_hdr_bytes(0), server_response_body_bytes(0), client_response_hdr_bytes(0), client_response_body_bytes(0), cache_response_hdr_bytes(0), cache_response_body_bytes(0), pushed_response_hdr_bytes(0), pushed_response_body_bytes(0), - client_tcp_reused(false), client_ssl_reused(false), client_connection_is_ssl(false), plugin_tag(0), plugin_id(0), - hooks_set(false), cur_hook_id(TS_HTTP_LAST_HOOK), cur_hook(NULL), cur_hooks(0), callout_state(HTTP_API_NO_CALLOUT), - terminate_sm(false), kill_this_async_done(false), parse_range_done(false) + client_tcp_reused(false), client_ssl_reused(false), client_connection_is_ssl(false), client_sec_protocol("-"), + client_cipher_suite("-"), plugin_tag(0), plugin_id(0), hooks_set(false), cur_hook_id(TS_HTTP_LAST_HOOK), cur_hook(NULL), + cur_hooks(0), callout_state(HTTP_API_NO_CALLOUT), terminate_sm(false), kill_this_async_done(false), parse_range_done(false) { memset(&history, 0, sizeof(history)); memset(&vc_table, 0, sizeof(vc_table)); @@ -481,6 +481,8 @@ HttpSM::attach_client_session(HttpClientSession *client_vc, IOBufferReader *buff if (ssl_vc != NULL) { client_connection_is_ssl = true; client_ssl_reused = ssl_vc->getSSLSessionCacheHit(); + client_sec_protocol = ssl_vc->getSSLProtocol(); + client_cipher_suite = ssl_vc->getSSLCipherSuite(); } ink_release_assert(ua_session->get_half_close_flag() == false); diff --git a/proxy/http/HttpSM.h b/proxy/http/HttpSM.h index 9508bbcf109..031d7468642 100644 --- a/proxy/http/HttpSM.h +++ b/proxy/http/HttpSM.h 
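Review bot: The constructor hunk re-wraps the initializer list so that `plugin_tag(0), plugin_id(0), hooks_set(false), ...` moves to other lines although only `client_sec_protocol("-"), client_cipher_suite("-")` is new, which makes the change harder to review; inserting the two new members on a line of their own after `client_connection_is_ssl(false),` would keep the diff to the actual addition. In attach_client_session the two assignments are inside `if (ssl_vc != NULL)`, so the "-" default is kept for plain-TCP clients, but the assigned value itself can still be NULL (the getters return NULL when the connection's `ssl` is unset); the guard proposed on the P_SSLNetVConnection.h hunk applies here. Both HttpSM::HttpSM and attach_client_session continue outside their hunks.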
@@ -494,8 +494,12 @@ class HttpSM : public Continuation int pushed_response_hdr_bytes; int64_t pushed_response_body_bytes; bool client_tcp_reused; + // Info about client's SSL connection. bool client_ssl_reused; bool client_connection_is_ssl; + const char * client_sec_protocol; + const char * client_cipher_suite; + TransactionMilestones milestones; ink_hrtime api_timer; // The next two enable plugins to tag the state machine for diff --git a/proxy/logging/Log.cc b/proxy/logging/Log.cc index 512ca9c07be..7b69547b700 100644 --- a/proxy/logging/Log.cc +++ b/proxy/logging/Log.cc @@ -476,6 +476,20 @@ Log::init_fields() global_field_list.add(field, false); ink_hash_table_insert(field_symbol_hash, "cqssr", field); + field = new LogField("client_sec_protocol", "cqssv", + LogField::STRING, + &LogAccess::marshal_client_security_protocol, + (LogField::UnmarshalFunc)&LogAccess::unmarshal_str); + global_field_list.add(field, false); + ink_hash_table_insert(field_symbol_hash, "cqssv", field); + + field = new LogField("client_cipher_suite", "cqssc", + LogField::STRING, + &LogAccess::marshal_client_security_cipher_suite, + (LogField::UnmarshalFunc)&LogAccess::unmarshal_str); + global_field_list.add(field, false); + ink_hash_table_insert(field_symbol_hash, "cqssc", field); + Ptr finish_status_map = make_ptr(new LogFieldAliasTable); finish_status_map->init(N_LOG_FINISH_CODE_TYPES, LOG_FINISH_FIN, "FIN", LOG_FINISH_INTR, "INTR", LOG_FINISH_TIMEOUT, "TIMEOUT"); diff --git a/proxy/logging/LogAccess.cc b/proxy/logging/LogAccess.cc index 65c71f8788e..5f1fc053383 100644 --- a/proxy/logging/LogAccess.cc +++ b/proxy/logging/LogAccess.cc 
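Review bot: The new `client_sec_protocol` and `client_cipher_suite` members are bare `const char *` with nothing saying who owns the text or what they hold when the client is not SSL; add `// Non-owning: either the "-" literal set in the constructor or constant strings owned by OpenSSL (via SSLNetVConnection::getSSLProtocol / getSSLCipherSuite). Never freed here.` above them. The comment `// Info about client's SSL connection.` is placed after `client_tcp_reused` but before `client_ssl_reused`, so moving it one line up or down so it clearly heads the SSL group (`client_ssl_reused`, `client_connection_is_ssl`, the two new pointers) would read better. The class HttpSM continues outside the hunk.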
@@ -277,6 +277,20 @@ LogAccess::marshal_client_finish_status_code(char *buf) DEFAULT_INT_FIELD; } +/*------------------------------------------------------------------------- +-------------------------------------------------------------------------*/ +int +LogAccess::marshal_client_security_protocol(char *buf) +{ + DEFAULT_STR_FIELD; +} + +int +LogAccess::marshal_client_security_cipher_suite(char *buf) +{ + DEFAULT_STR_FIELD; +} + /*------------------------------------------------------------------------- -------------------------------------------------------------------------*/ diff --git a/proxy/logging/LogAccess.h b/proxy/logging/LogAccess.h index 16d5f33cd19..9b151dd47dd 100644 --- a/proxy/logging/LogAccess.h +++ b/proxy/logging/LogAccess.h @@ -190,6 +190,8 @@ class LogAccess inkcoreapi virtual int marshal_client_req_is_ssl(char *); // INT inkcoreapi virtual int marshal_client_req_ssl_reused(char *); // INT inkcoreapi virtual int marshal_client_finish_status_code(char *); // INT + inkcoreapi virtual int marshal_client_security_protocol(char *); // STR + inkcoreapi virtual int marshal_client_security_cipher_suite(char *); // STR // // proxy -> client fields diff --git a/proxy/logging/LogAccessHttp.cc b/proxy/logging/LogAccessHttp.cc index d34d4493c7a..9e847779bca 100644 --- a/proxy/logging/LogAccessHttp.cc +++ b/proxy/logging/LogAccessHttp.cc 
@@ -700,6 +700,32 @@ LogAccessHttp::marshal_client_finish_status_code(char *buf) return INK_MIN_ALIGN; } +/*------------------------------------------------------------------------- +-------------------------------------------------------------------------*/ +int +LogAccessHttp::marshal_client_security_protocol(char *buf) +{ + int round_len = INK_MIN_ALIGN; + if (buf) { + const char * proto = m_http_sm->client_sec_protocol; + round_len = LogAccess::strlen(proto); + marshal_str(buf, proto, round_len); + } + return round_len; +} + +int +LogAccessHttp::marshal_client_security_cipher_suite(char *buf) +{ + int round_len = INK_MIN_ALIGN; + if (buf) { + const char * cipher = m_http_sm->client_cipher_suite; + round_len = LogAccess::strlen(cipher); + marshal_str(buf, cipher, round_len); + } + return round_len; +} + /*------------------------------------------------------------------------- -------------------------------------------------------------------------*/ diff --git a/proxy/logging/LogAccessHttp.h b/proxy/logging/LogAccessHttp.h index f7daf4a60cd..057e0faf8fa 100644 --- a/proxy/logging/LogAccessHttp.h +++ b/proxy/logging/LogAccessHttp.h @@ -75,6 +75,8 @@ class LogAccessHttp : public LogAccess virtual int marshal_client_req_is_ssl(char *); // INT virtual int marshal_client_req_ssl_reused(char *); // INT virtual int marshal_client_finish_status_code(char *); // INT + virtual int marshal_client_security_protocol(char *); // STR + virtual int marshal_client_security_cipher_suite(char *); // STR // // proxy -> client fields
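Review bot: marshal_client_security_protocol and marshal_client_security_cipher_suite are identical apart from which HttpSM member they read; the shared four-line body (`round_len = LogAccess::strlen(str); marshal_str(buf, str, round_len);` under the `if (buf)` guard) could live in one private helper taking the `const char *`, so that any later fix to the length or alignment handling is made once. That helper is also the natural place to substitute the "-" placeholder when the pointer is NULL, since the SSLNetVConnection getters feeding these members return NULL when `ssl` is unset and this hunk passes the pointer straight to LogAccess::strlen(). The other marshal_* functions in this file are separated by the `/*---*/` banner; the second new function lacks one, which is cosmetic.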