From 736080a3827cac667003109e0f3f47e8033b6738 Mon Sep 17 00:00:00 2001 From: Susan Hinrichs Date: Mon, 3 Dec 2018 23:24:38 +0000 Subject: [PATCH] Remove the ssl wire trace feature. --- doc/admin-guide/files/records.config.en.rst | 19 ---- iocore/net/P_SSLConfig.h | 7 -- iocore/net/P_SSLNetVConnection.h | 13 --- iocore/net/SSLConfig.cc | 31 +---- iocore/net/SSLNetVConnection.cc | 119 -------------------- iocore/net/SSLUtils.cc | 5 - iocore/net/UnixNetVConnection.cc | 39 +------ mgmt/RecordsConfig.cc | 8 -- proxy/http/HttpSM.cc | 21 ---- 9 files changed, 3 insertions(+), 259 deletions(-) diff --git a/doc/admin-guide/files/records.config.en.rst b/doc/admin-guide/files/records.config.en.rst index c14df8842a7..2936600caf9 100644 --- a/doc/admin-guide/files/records.config.en.rst +++ b/doc/admin-guide/files/records.config.en.rst @@ -3450,25 +3450,6 @@ SSL Termination See :ref:`admin-performance-timeouts` for more discussion on |TS| timeouts. -.. ts:cv:: CONFIG proxy.config.ssl.wire_trace_enabled INT 0 - - When enabled this turns on wire tracing of SSL connections that meet - the conditions specified by wire_trace_percentage, wire_trace_addr - and wire_trace_server_name. - -.. ts:cv:: CONFIG proxy.config.ssl.wire_trace_percentage INT 0 - - This specifies the percentage of traffic meeting the other wire_trace - conditions to be traced. - -.. ts:cv:: CONFIG proxy.config.ssl.wire_trace_addr STRING NULL - - This specifies the client IP for which wire_traces should be printed. - -.. ts:cv:: CONFIG proxy.config.ssl.wire_trace_server_name STRING NULL - - This specifies the server name for which wire_traces should be printed. - Client-Related Configuration ---------------------------- diff --git a/iocore/net/P_SSLConfig.h b/iocore/net/P_SSLConfig.h index a691e5ba990..3bccf9f1516 100644 --- a/iocore/net/P_SSLConfig.h +++ b/iocore/net/P_SSLConfig.h @@ -107,13 +107,6 @@ struct SSLConfigParams : public ConfigInfo { static size_t session_cache_max_bucket_size; static bool session_cache_skip_on_lock_contention; - // TS-3435 Wiretracing for SSL Connections - static int ssl_wire_trace_enabled; - static char *ssl_wire_trace_addr; - static IpAddr *ssl_wire_trace_ip; - static int ssl_wire_trace_percentage; - static char *ssl_wire_trace_server_name; - static init_ssl_ctx_func init_ssl_ctx_cb; static load_ssl_file_func load_ssl_file_cb; diff --git a/iocore/net/P_SSLNetVConnection.h b/iocore/net/P_SSLNetVConnection.h index e2b7fdc72a4..cc731419e83 100644 --- a/iocore/net/P_SSLNetVConnection.h +++ b/iocore/net/P_SSLNetVConnection.h @@ -286,19 +286,6 @@ class SSLNetVConnection : public UnixNetVConnection } return retval; } - bool - getSSLTrace() const - { - return sslTrace || super::origin_trace; - } - - void - setSSLTrace(bool state) - { - sslTrace = state; - } - - bool computeSSLTrace(); const char * getSSLProtocol(void) const diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc index 9c1a6d9c5ba..a6dbed7eebb 100644 --- a/iocore/net/SSLConfig.cc +++ b/iocore/net/SSLConfig.cc @@ -58,14 +58,8 @@ size_t SSLConfigParams::session_cache_max_bucket_size = 100; init_ssl_ctx_func SSLConfigParams::init_ssl_ctx_cb = nullptr; load_ssl_file_func SSLConfigParams::load_ssl_file_cb = nullptr; -// TS-3534 Wiretracing for SSL Connections -int SSLConfigParams::ssl_wire_trace_enabled = 0; -char *SSLConfigParams::ssl_wire_trace_addr = nullptr; -IpAddr *SSLConfigParams::ssl_wire_trace_ip = nullptr; -int SSLConfigParams::ssl_wire_trace_percentage = 0; -char *SSLConfigParams::ssl_wire_trace_server_name = nullptr; -int SSLConfigParams::async_handshake_enabled = 0; -char *SSLConfigParams::engine_conf_file = nullptr; +int SSLConfigParams::async_handshake_enabled = 0; +char *SSLConfigParams::engine_conf_file = nullptr; static std::unique_ptr> sslCertUpdate; static std::unique_ptr> sslConfigUpdate; @@ -131,7 +125,6 @@ SSLConfigParams::cleanup() cipherSuite = (char *)ats_free_null(cipherSuite); client_cipherSuite = (char *)ats_free_null(client_cipherSuite); dhparamsFile = (char *)ats_free_null(dhparamsFile); - ssl_wire_trace_ip = (IpAddr *)ats_free_null(ssl_wire_trace_ip); server_tls13_cipher_suites = (char *)ats_free_null(server_tls13_cipher_suites); client_tls13_cipher_suites = (char *)ats_free_null(client_tls13_cipher_suites); @@ -438,26 +431,6 @@ SSLConfigParams::initialize() REC_ReadConfigInt32(ssl_allow_client_renegotiation, "proxy.config.ssl.allow_client_renegotiation"); - // SSL Wire Trace configurations - REC_EstablishStaticConfigInt32(ssl_wire_trace_enabled, "proxy.config.ssl.wire_trace_enabled"); - if (ssl_wire_trace_enabled) { - // wire trace specific source ip - REC_EstablishStaticConfigStringAlloc(ssl_wire_trace_addr, "proxy.config.ssl.wire_trace_addr"); - if (ssl_wire_trace_addr) { - ssl_wire_trace_ip = new IpAddr(); - ssl_wire_trace_ip->load(ssl_wire_trace_addr); - } else { - ssl_wire_trace_ip = nullptr; - } - // wire trace percentage of requests - REC_EstablishStaticConfigInt32(ssl_wire_trace_percentage, "proxy.config.ssl.wire_trace_percentage"); - REC_EstablishStaticConfigStringAlloc(ssl_wire_trace_server_name, "proxy.config.ssl.wire_trace_server_name"); - } else { - ssl_wire_trace_addr = nullptr; - ssl_wire_trace_ip = nullptr; - ssl_wire_trace_percentage = 0; - ssl_wire_trace_server_name = nullptr; - } // Enable client regardless of config file settings as remap file // can cause HTTP layer to connect using SSL. But only if SSL // initialization hasn't failed already. diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc index 86e150ce608..71e1b085162 100644 --- a/iocore/net/SSLNetVConnection.cc +++ b/iocore/net/SSLNetVConnection.cc @@ -214,7 +214,6 @@ ssl_read_from_net(SSLNetVConnection *sslvc, EThread *lthread, int64_t &ret) int64_t bytes_read = 0; ssl_error_t sslErr = SSL_ERROR_NONE; - bool trace = sslvc->getSSLTrace(); int64_t toread = buf.writer()->write_avail(); ink_release_assert(toread > 0); if (toread > s->vio.ntodo()) { @@ -237,15 +236,6 @@ ssl_read_from_net(SSLNetVConnection *sslvc, EThread *lthread, int64_t &ret) sslErr = SSLReadBuffer(sslvc->ssl, current_block, amount_to_read, nread); Debug("ssl", "[SSL_NetVConnection::ssl_read_from_net] nread=%d", (int)nread); - if (!sslvc->origin_trace) { - TraceIn((0 < nread && trace), sslvc->get_remote_addr(), sslvc->get_remote_port(), "WIRE TRACE\tbytes=%d\n%.*s", (int)nread, - (int)nread, current_block); - } else { - char origin_trace_ip[INET6_ADDRSTRLEN]; - ats_ip_ntop(sslvc->origin_trace_addr, origin_trace_ip, sizeof(origin_trace_ip)); - TraceIn((0 < nread && trace), sslvc->get_remote_addr(), sslvc->get_remote_port(), "CLIENT %s:%d\ttbytes=%d\n%.*s", - origin_trace_ip, sslvc->origin_trace_port, (int)nread, (int)nread, current_block); - } switch (sslErr) { case SSL_ERROR_NONE: @@ -271,29 +261,24 @@ ssl_read_from_net(SSLNetVConnection *sslvc, EThread *lthread, int64_t &ret) Debug("ssl.error", "[SSL_NetVConnection::ssl_read_from_net] SSL_ERROR_WOULD_BLOCK(read)"); break; case SSL_ERROR_WANT_X509_LOOKUP: - TraceIn(trace, sslvc->get_remote_addr(), sslvc->get_remote_port(), "Want X509 lookup"); event = SSL_READ_WOULD_BLOCK; SSL_INCREMENT_DYN_STAT(ssl_error_want_x509_lookup); Debug("ssl.error", "[SSL_NetVConnection::ssl_read_from_net] SSL_ERROR_WOULD_BLOCK(read/x509 lookup)"); break; case SSL_ERROR_SYSCALL: - TraceIn(trace, sslvc->get_remote_addr(), sslvc->get_remote_port(), "Syscall Error: %s", strerror(errno)); SSL_INCREMENT_DYN_STAT(ssl_error_syscall); if (nread != 0) { // not EOF event = SSL_READ_ERROR; ret = errno; Debug("ssl.error", "[SSL_NetVConnection::ssl_read_from_net] SSL_ERROR_SYSCALL, underlying IO error: %s", strerror(errno)); - TraceIn(trace, sslvc->get_remote_addr(), sslvc->get_remote_port(), "Underlying IO error: %d", errno); } else { // then EOF observed, treat it as EOS // Error("[SSL_NetVConnection::ssl_read_from_net] SSL_ERROR_SYSCALL, EOF observed violating SSL protocol"); - TraceIn(trace, sslvc->get_remote_addr(), sslvc->get_remote_port(), "EOF observed violating SSL protocol"); event = SSL_READ_EOS; } break; case SSL_ERROR_ZERO_RETURN: - TraceIn(trace, sslvc->get_remote_addr(), sslvc->get_remote_port(), "Connection closed by peer"); event = SSL_READ_EOS; SSL_INCREMENT_DYN_STAT(ssl_error_zero_return); Debug("ssl.error", "[SSL_NetVConnection::ssl_read_from_net] SSL_ERROR_ZERO_RETURN"); @@ -303,8 +288,6 @@ ssl_read_from_net(SSLNetVConnection *sslvc, EThread *lthread, int64_t &ret) char buf[512]; unsigned long e = ERR_peek_last_error(); ERR_error_string_n(e, buf, sizeof(buf)); - TraceIn(trace, sslvc->get_remote_addr(), sslvc->get_remote_port(), "SSL Error: sslErr=%d, ERR_get_error=%ld (%s) errno=%d", - sslErr, e, buf, errno); event = SSL_READ_ERROR; ret = errno; SSL_CLR_ERR_INCR_DYN_STAT(sslvc, ssl_error_ssl, "[SSL_NetVConnection::ssl_read_from_net]: errno=%d", errno); @@ -697,8 +680,6 @@ SSLNetVConnection::load_buffer_and_write(int64_t towrite, MIOBufferAccessor &buf return this->super::load_buffer_and_write(towrite, buf, total_written, needs); } - bool trace = getSSLTrace(); - do { // What is remaining left in the next block? l = buf.reader()->block_read_avail(); @@ -747,16 +728,6 @@ SSLNetVConnection::load_buffer_and_write(int64_t towrite, MIOBufferAccessor &buf towrite, current_block); err = SSLWriteBuffer(ssl, current_block, l, num_really_written); - if (!origin_trace) { - TraceOut((0 < num_really_written && trace), get_remote_addr(), get_remote_port(), "WIRE TRACE\tbytes=%d\n%.*s", - (int)num_really_written, (int)num_really_written, current_block); - } else { - char origin_trace_ip[INET6_ADDRSTRLEN]; - ats_ip_ntop(origin_trace_addr, origin_trace_ip, sizeof(origin_trace_ip)); - TraceOut((0 < num_really_written && trace), get_remote_addr(), get_remote_port(), "CLIENT %s:%d\ttbytes=%d\n%.*s", - origin_trace_ip, origin_trace_port, (int)num_really_written, (int)num_really_written, current_block); - } - // We wrote all that we thought we should if (num_really_written > 0) { total_written += num_really_written; @@ -793,7 +764,6 @@ SSLNetVConnection::load_buffer_and_write(int64_t towrite, MIOBufferAccessor &buf redoWriteSize = l; } else if (SSL_ERROR_WANT_X509_LOOKUP == err) { SSL_INCREMENT_DYN_STAT(ssl_error_want_x509_lookup); - TraceOut(trace, get_remote_addr(), get_remote_port(), "Want X509 lookup"); } needs |= EVENTIO_WRITE; @@ -802,25 +772,18 @@ SSLNetVConnection::load_buffer_and_write(int64_t towrite, MIOBufferAccessor &buf break; } case SSL_ERROR_SYSCALL: - TraceOut(trace, get_remote_addr(), get_remote_port(), "Syscall Error: %s", strerror(errno)); num_really_written = -errno; SSL_INCREMENT_DYN_STAT(ssl_error_syscall); Debug("ssl.error", "SSL_write-SSL_ERROR_SYSCALL"); break; // end of stream case SSL_ERROR_ZERO_RETURN: - TraceOut(trace, get_remote_addr(), get_remote_port(), "SSL Error: zero return"); num_really_written = -errno; SSL_INCREMENT_DYN_STAT(ssl_error_zero_return); Debug("ssl.error", "SSL_write-SSL_ERROR_ZERO_RETURN"); break; case SSL_ERROR_SSL: default: { - char buf[512]; - unsigned long e = ERR_peek_last_error(); - ERR_error_string_n(e, buf, sizeof(buf)); - TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL Error: sslErr=%d, ERR_get_error=%ld (%s) errno=%d", err, e, buf, - errno); // Treat SSL_ERROR_SSL as EPIPE error. num_really_written = -EPIPE; SSL_CLR_ERR_INCR_DYN_STAT(this, ssl_error_ssl, "SSL_write-SSL_ERROR_SSL errno=%d", errno); @@ -1164,8 +1127,6 @@ SSLNetVConnection::sslServerHandShakeEvent(int &err) } } #endif - bool trace = getSSLTrace(); - if (ssl_error != SSL_ERROR_NONE) { err = errno; SSLVCDebug(this, "SSL handshake error: %s (%d), errno=%d", SSLErrorName(ssl_error), ssl_error, err); @@ -1195,9 +1156,6 @@ SSLNetVConnection::sslServerHandShakeEvent(int &err) sslHandshakeStatus = SSL_HANDSHAKE_DONE; - TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL server handshake completed successfully"); - // do we want to include cert info in trace? - if (sslHandshakeBeginTime) { sslHandshakeEndTime = Thread::get_hrtime(); const ink_hrtime ssl_handshake_time = sslHandshakeEndTime - sslHandshakeBeginTime; @@ -1239,38 +1197,30 @@ SSLNetVConnection::sslServerHandShakeEvent(int &err) } Debug("ssl", "client selected next protocol '%.*s'", len, proto); - TraceIn(trace, get_remote_addr(), get_remote_port(), "client selected next protocol'%.*s'", len, proto); } else { Debug("ssl", "client did not select a next protocol"); - TraceIn(trace, get_remote_addr(), get_remote_port(), "client did not select a next protocol"); } } return EVENT_DONE; case SSL_ERROR_WANT_CONNECT: - TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL server handshake ERROR_WANT_CONNECT"); return SSL_HANDSHAKE_WANT_CONNECT; case SSL_ERROR_WANT_WRITE: - TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL server handshake ERROR_WANT_WRITE"); return SSL_HANDSHAKE_WANT_WRITE; case SSL_ERROR_WANT_READ: - TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL server handshake ERROR_WANT_READ"); return SSL_HANDSHAKE_WANT_READ; // This value is only defined in openssl has been patched to // enable the sni callback to break out of the SSL_accept processing #ifdef SSL_ERROR_WANT_SNI_RESOLVE case SSL_ERROR_WANT_X509_LOOKUP: - TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL server handshake ERROR_WANT_X509_LOOKUP"); return EVENT_CONT; case SSL_ERROR_WANT_SNI_RESOLVE: - TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL server handshake ERROR_WANT_SNI_RESOLVE"); #elif SSL_ERROR_WANT_X509_LOOKUP case SSL_ERROR_WANT_X509_LOOKUP: - TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL server handshake ERROR_WANT_X509_LOOKUP"); #endif #if defined(SSL_ERROR_WANT_SNI_RESOLVE) || defined(SSL_ERROR_WANT_X509_LOOKUP) if (this->attributes == HttpProxyPort::TRANSPORT_BLIND_TUNNEL || SSL_HOOK_OP_TUNNEL == hookOpRequested) { @@ -1285,32 +1235,22 @@ SSLNetVConnection::sslServerHandShakeEvent(int &err) #if TS_USE_TLS_ASYNC case SSL_ERROR_WANT_ASYNC: - TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL server handshake ERROR_WANT_ASYNC"); return SSL_WAIT_FOR_ASYNC; #endif case SSL_ERROR_WANT_ACCEPT: - TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL server handshake ERROR_WANT_ACCEPT"); return EVENT_CONT; case SSL_ERROR_SSL: { SSL_CLR_ERR_INCR_DYN_STAT(this, ssl_error_ssl, "SSLNetVConnection::sslServerHandShakeEvent, SSL_ERROR_SSL errno=%d", errno); - char buf[512]; - unsigned long e = ERR_peek_last_error(); - ERR_error_string_n(e, buf, sizeof(buf)); - TraceIn(trace, get_remote_addr(), get_remote_port(), - "SSL server handshake ERROR_SSL: sslErr=%d, ERR_get_error=%ld (%s) errno=%d", ssl_error, e, buf, errno); return EVENT_ERROR; } case SSL_ERROR_ZERO_RETURN: - TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL server handshake ERROR_ZERO_RETURN"); return EVENT_ERROR; case SSL_ERROR_SYSCALL: - TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL server handshake ERROR_SYSCALL"); return EVENT_ERROR; default: - TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL server handshake ERROR_OTHER"); return EVENT_ERROR; } } @@ -1318,7 +1258,6 @@ SSLNetVConnection::sslServerHandShakeEvent(int &err) int SSLNetVConnection::sslClientHandShakeEvent(int &err) { - bool trace = getSSLTrace(); ssl_error_t ssl_error; ink_assert(SSLNetVCAccess(ssl) == this); @@ -1372,49 +1311,39 @@ SSLNetVConnection::sslClientHandShakeEvent(int &err) SSL_INCREMENT_DYN_STAT(ssl_total_success_handshake_count_out_stat); - TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL client handshake completed successfully"); - // do we want to include cert info in trace? - sslHandshakeStatus = SSL_HANDSHAKE_DONE; return EVENT_DONE; case SSL_ERROR_WANT_WRITE: Debug("ssl.error", "SSLNetVConnection::sslClientHandShakeEvent, SSL_ERROR_WANT_WRITE"); SSL_INCREMENT_DYN_STAT(ssl_error_want_write); - TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL client handshake ERROR_WANT_WRITE"); return SSL_HANDSHAKE_WANT_WRITE; case SSL_ERROR_WANT_READ: SSL_INCREMENT_DYN_STAT(ssl_error_want_read); Debug("ssl.error", "SSLNetVConnection::sslClientHandShakeEvent, SSL_ERROR_WANT_READ"); - TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL client handshake ERROR_WANT_READ"); return SSL_HANDSHAKE_WANT_READ; case SSL_ERROR_WANT_X509_LOOKUP: SSL_INCREMENT_DYN_STAT(ssl_error_want_x509_lookup); Debug("ssl.error", "SSLNetVConnection::sslClientHandShakeEvent, SSL_ERROR_WANT_X509_LOOKUP"); - TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL client handshake ERROR_WANT_X509_LOOKUP"); break; case SSL_ERROR_WANT_ACCEPT: - TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL client handshake ERROR_WANT_ACCEPT"); return SSL_HANDSHAKE_WANT_ACCEPT; case SSL_ERROR_WANT_CONNECT: - TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL client handshake ERROR_WANT_CONNECT"); break; case SSL_ERROR_ZERO_RETURN: SSL_INCREMENT_DYN_STAT(ssl_error_zero_return); Debug("ssl.error", "SSLNetVConnection::sslClientHandShakeEvent, EOS"); - TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL client handshake EOS"); return EVENT_ERROR; case SSL_ERROR_SYSCALL: err = errno; SSL_INCREMENT_DYN_STAT(ssl_error_syscall); Debug("ssl.error", "SSLNetVConnection::sslClientHandShakeEvent, syscall"); - TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL client handshake Syscall Error: %s", strerror(errno)); return EVENT_ERROR; break; @@ -1427,8 +1356,6 @@ SSLNetVConnection::sslClientHandShakeEvent(int &err) // FIXME -- This triggers a retry on cases of cert validation errors.... SSL_CLR_ERR_INCR_DYN_STAT(this, ssl_error_ssl, "SSLNetVConnection::sslClientHandShakeEvent, SSL_ERROR_SSL errno=%d", errno); Debug("ssl.error", "SSLNetVConnection::sslClientHandShakeEvent, SSL_ERROR_SSL"); - TraceIn(trace, get_remote_addr(), get_remote_port(), - "SSL client handshake ERROR_SSL: sslErr=%d, ERR_get_error=%ld (%s) errno=%d", ssl_error, e, buf, errno); if (e) { if (this->options.sni_servername) { Debug("ssl.error", "SSL connection failed for '%s': %s", this->options.sni_servername.get(), buf); @@ -1729,52 +1656,6 @@ SSLNetVConnection::callHooks(TSEvent eventId) return reenabled; } -bool -SSLNetVConnection::computeSSLTrace() -{ - // this has to happen before the handshake or else sni_servername will be nullptr - bool sni_trace; - if (ssl) { - const char *ssl_servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name); - char *wire_trace_server_name = SSLConfigParams::ssl_wire_trace_server_name; - Debug("ssl", "for wiretrace, ssl_servername=%s, wire_trace_server_name=%s", ssl_servername, wire_trace_server_name); - sni_trace = ssl_servername && wire_trace_server_name && (0 == strcmp(wire_trace_server_name, ssl_servername)); - } else { - sni_trace = false; - } - - // count based on ip only if they set an IP value - const sockaddr *remote_addr = get_remote_addr(); - bool ip_trace = false; - if (SSLConfigParams::ssl_wire_trace_ip) { - ip_trace = (*SSLConfigParams::ssl_wire_trace_ip == remote_addr); - } - - // count based on percentage - int percentage = SSLConfigParams::ssl_wire_trace_percentage; - int random; - bool trace; - - // we only generate random numbers as needed (to maintain correct percentage) - if (SSLConfigParams::ssl_wire_trace_server_name && SSLConfigParams::ssl_wire_trace_ip) { - random = this_ethread()->generator.random() % 100; // range [0-99] - trace = sni_trace && ip_trace && (percentage > random); - } else if (SSLConfigParams::ssl_wire_trace_server_name) { - random = this_ethread()->generator.random() % 100; // range [0-99] - trace = sni_trace && (percentage > random); - } else if (SSLConfigParams::ssl_wire_trace_ip) { - random = this_ethread()->generator.random() % 100; // range [0-99] - trace = ip_trace && (percentage > random); - } else { - random = this_ethread()->generator.random() % 100; // range [0-99] - trace = percentage > random; - } - - Debug("ssl", "ssl_netvc random=%d, trace=%s", random, trace ? "TRUE" : "FALSE"); - - return trace; -} - int SSLNetVConnection::populate(Connection &con, Continuation *c, void *arg) { diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc index f68c522b936..31e5d7c1c6a 100644 --- a/iocore/net/SSLUtils.cc +++ b/iocore/net/SSLUtils.cc @@ -330,11 +330,6 @@ set_context_cert(SSL *ssl) int retval = 1; Debug("ssl", "set_context_cert ssl=%p server=%s handshake_complete=%d", ssl, servername, netvc->getSSLHandShakeComplete()); - if (SSLConfigParams::ssl_wire_trace_enabled) { - bool trace = netvc->computeSSLTrace(); - Debug("ssl", "sslnetvc. setting trace to=%s", trace ? "true" : "false"); - netvc->setSSLTrace(trace); - } // catch the client renegotiation early on if (SSLConfigParams::ssl_allow_client_renegotiation == false && netvc->getSSLHandShakeComplete()) { diff --git a/iocore/net/UnixNetVConnection.cc b/iocore/net/UnixNetVConnection.cc index e01fc57f31a..ca5e3417794 100644 --- a/iocore/net/UnixNetVConnection.cc +++ b/iocore/net/UnixNetVConnection.cc @@ -253,24 +253,6 @@ read_from_net(NetHandler *nh, UnixNetVConnection *vc, EThread *thread) NET_INCREMENT_DYN_STAT(net_calls_to_read_stat); - if (vc->origin_trace) { - char origin_trace_ip[INET6_ADDRSTRLEN]; - - ats_ip_ntop(vc->origin_trace_addr, origin_trace_ip, sizeof(origin_trace_ip)); - - if (r > 0) { - TraceIn((vc->origin_trace), vc->get_remote_addr(), vc->get_remote_port(), "CLIENT %s:%d\tbytes=%d\n%.*s", origin_trace_ip, - vc->origin_trace_port, (int)r, (int)r, (char *)tiovec[0].iov_base); - - } else if (r == 0) { - TraceIn((vc->origin_trace), vc->get_remote_addr(), vc->get_remote_port(), "CLIENT %s:%d closed connection", - origin_trace_ip, vc->origin_trace_port); - } else { - TraceIn((vc->origin_trace), vc->get_remote_addr(), vc->get_remote_port(), "CLIENT %s:%d error=%s", origin_trace_ip, - vc->origin_trace_port, strerror(errno)); - } - } - total_read += rattempted; } while (rattempted && r == rattempted && total_read < toread); @@ -896,10 +878,7 @@ UnixNetVConnection::UnixNetVConnection() submit_time(0), oob_ptr(nullptr), from_accept_thread(false), - accept_object(nullptr), - origin_trace(false), - origin_trace_addr(nullptr), - origin_trace_port(0) + accept_object(nullptr) { SET_HANDLER((NetVConnHandler)&UnixNetVConnection::startEvent); } @@ -998,22 +977,6 @@ UnixNetVConnection::load_buffer_and_write(int64_t towrite, MIOBufferAccessor &bu r = socketManager.writev(con.fd, &tiovec[0], niov); } - if (origin_trace) { - char origin_trace_ip[INET6_ADDRSTRLEN]; - ats_ip_ntop(origin_trace_addr, origin_trace_ip, sizeof(origin_trace_ip)); - - if (r > 0) { - TraceOut(origin_trace, get_remote_addr(), get_remote_port(), "CLIENT %s:%d\tbytes=%d\n%.*s", origin_trace_ip, - origin_trace_port, (int)r, (int)r, (char *)tiovec[0].iov_base); - - } else if (r == 0) { - TraceOut(origin_trace, get_remote_addr(), get_remote_port(), "CLIENT %s:%d\tbytes=0", origin_trace_ip, origin_trace_port); - } else { - TraceOut(origin_trace, get_remote_addr(), get_remote_port(), "CLIENT %s:%d error=%s", origin_trace_ip, origin_trace_port, - strerror(errno)); - } - } - if (r > 0) { buf.reader()->consume(r); total_written += r; diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc index 5799a0152c7..931c6e3d009 100644 --- a/mgmt/RecordsConfig.cc +++ b/mgmt/RecordsConfig.cc @@ -1178,14 +1178,6 @@ static const RecordElement RecordsConfig[] = , {RECT_CONFIG, "proxy.config.ssl.handshake_timeout_in", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-65535]", RECA_NULL} , - {RECT_CONFIG, "proxy.config.ssl.wire_trace_enabled", RECD_INT, "0", RECU_DYNAMIC, RR_NULL, RECC_INT, "[0-2]", RECA_NULL} - , - {RECT_CONFIG, "proxy.config.ssl.wire_trace_addr", RECD_STRING, nullptr , RECU_DYNAMIC, RR_NULL, RECC_IP, R"([0-255]\.[0-255]\.[0-255]\.[0-255])", RECA_NULL} - , - {RECT_CONFIG, "proxy.config.ssl.wire_trace_percentage", RECD_INT, "0", RECU_DYNAMIC, RR_NULL, RECC_INT, "[0-100]", RECA_NULL} - , - {RECT_CONFIG, "proxy.config.ssl.wire_trace_server_name", RECD_STRING, nullptr , RECU_DYNAMIC, RR_NULL, RECC_STR, ".*", RECA_NULL} - , {RECT_CONFIG, "proxy.config.ssl.cert.load_elevated", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_READ_ONLY} , {RECT_CONFIG, "proxy.config.ssl.server.groups_list", RECD_STRING, nullptr, RECU_RESTART_TS, RR_NULL, RECC_NULL, nullptr, RECA_NULL} diff --git a/proxy/http/HttpSM.cc b/proxy/http/HttpSM.cc index b5289323f4f..67db2095e63 100644 --- a/proxy/http/HttpSM.cc +++ b/proxy/http/HttpSM.cc @@ -5860,30 +5860,9 @@ HttpSM::attach_server_session(HttpServerSession *s) // Get server and client connections UnixNetVConnection *server_vc = dynamic_cast(server_session->get_netvc()); UnixNetVConnection *client_vc = (UnixNetVConnection *)(ua_txn->get_netvc()); - SSLNetVConnection *ssl_vc = dynamic_cast(client_vc); // Verifying that the user agent and server sessions/transactions are operating on the same thread. ink_release_assert(!server_vc || !client_vc || server_vc->thread == client_vc->thread); - bool associated_connection = false; - if (server_vc) { // if server_vc isn't a PluginVC - if (ssl_vc) { // if incoming connection is SSL - bool client_trace = ssl_vc->getSSLTrace(); - if (client_trace) { - // get remote address and port to mark corresponding traces - const sockaddr *remote_addr = ssl_vc->get_remote_addr(); - uint16_t remote_port = ssl_vc->get_remote_port(); - server_vc->setOriginTrace(true); - server_vc->setOriginTraceAddr(remote_addr); - server_vc->setOriginTracePort(remote_port); - associated_connection = true; - } - } - } - if (!associated_connection && server_vc) { - server_vc->setOriginTrace(false); - server_vc->setOriginTraceAddr(nullptr); - server_vc->setOriginTracePort(0); - } // set flag for server session is SSL SSLNetVConnection *server_ssl_vc = dynamic_cast(server_vc);