MINOR: ssl: Add new ssl_bc_hsk_err sample fetch

This new sample fetch, along with the ssl_bc_hsk_err_str fetch, contains the
last SSL error of the error stack that occurred during the SSL
handshake (from the backend's perspective).
Remi Tricot-Le Breton 2021-09-01 15:52:14 +02:00 committed by William Lallemand
parent abc6b31ab8
commit 163cdeba37
2 changed files with 28 additions and 2 deletions


@ -18646,6 +18646,20 @@ ssl_bc_client_random : binary
sent using ephemeral ciphers. This requires OpenSSL >= 1.1.0, or BoringSSL.
It can be used in a tcp-check or an http-check ruleset.
ssl_bc_hsk_err : integer
When the outgoing connection was made over an SSL/TLS transport layer,
returns the ID of the latest error that happened during the handshake on the
backend side, or 0 if no error was encountered. In order to get a text
description of this error code, you can either use the "ssl_bc_hsk_err_str"
sample fetch or use the "openssl errstr" command (which takes an error code
in hexadecimal representation as parameter). Please refer to your SSL
library's documentation to find the exhaustive list of error codes.
ssl_bc_hsk_err_str : string
When the outgoing connection was made over an SSL/TLS transport layer,
returns a string representation of the latest error that happened during the
handshake on the backend side. See also "ssl_fc_hsk_err".
ssl_bc_is_resumed : boolean
Returns true when the back connection was made over an SSL/TLS transport
layer and the newly created SSL session was resumed using a cached


@ -1212,7 +1212,12 @@ smp_fetch_ssl_fc_hsk_err(const struct arg *args, struct sample *smp, const char
struct connection *conn;
struct ssl_sock_ctx *ctx;
conn = objt_conn(smp->sess->origin);
if (obj_type(smp->sess->origin) == OBJ_TYPE_CHECK)
conn = (kw[4] == 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL;
else
conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
if (!conn || conn->xprt != &ssl_sock)
return 0;
ctx = conn->xprt_ctx;
@ -1260,7 +1265,12 @@ smp_fetch_ssl_fc_hsk_err_str(const struct arg *args, struct sample *smp, const c
struct ssl_sock_ctx *ctx;
const char *err_code_str;
conn = objt_conn(smp->sess->origin);
if (obj_type(smp->sess->origin) == OBJ_TYPE_CHECK)
conn = (kw[4] == 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL;
else
conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
if (!conn || conn->xprt != &ssl_sock)
return 0;
ctx = conn->xprt_ctx;
@ -1669,6 +1679,8 @@ static struct sample_fetch_kw_list sample_fetch_keywords = {ILH, {
{ "ssl_bc_server_random", smp_fetch_ssl_fc_random, 0, NULL, SMP_T_BIN, SMP_USE_L5SRV },
{ "ssl_bc_session_key", smp_fetch_ssl_fc_session_key, 0, NULL, SMP_T_BIN, SMP_USE_L5SRV },
#endif
{ "ssl_bc_hsk_err", smp_fetch_ssl_fc_hsk_err, 0, NULL, SMP_T_SINT, SMP_USE_L5SRV },
{ "ssl_bc_hsk_err_str", smp_fetch_ssl_fc_hsk_err_str, 0, NULL, SMP_T_STR, SMP_USE_L5SRV },
{ "ssl_c_ca_err", smp_fetch_ssl_c_ca_err, 0, NULL, SMP_T_SINT, SMP_USE_L5CLI },
{ "ssl_c_ca_err_depth", smp_fetch_ssl_c_ca_err_depth, 0, NULL, SMP_T_SINT, SMP_USE_L5CLI },
{ "ssl_c_der", smp_fetch_ssl_x_der, 0, NULL, SMP_T_BIN, SMP_USE_L5CLI },
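Review bot: The five-line connection lookup added at `if (obj_type(smp->sess->origin) == OBJ_TYPE_CHECK)` is pasted verbatim into both smp_fetch_ssl_fc_hsk_err and smp_fetch_ssl_fc_hsk_err_str, and it hinges on `kw[4] == 'b'` — the fifth character of the registered keyword — to tell the backend variants from the frontend ones, which nothing near either call site explains. Pulling it into one static helper keeps the two fetches from drifting apart and gives the `kw[4]` test a single home for a comment such as `/* kw is "ssl_fc_*" or "ssl_bc_*": kw[4] selects the side */`. The helper below assumes cs_conn() tolerates a NULL conn_stream, as the check branch of the new code already appears to rely on; if it does not, the check's `cs` needs an explicit NULL test before cs_conn(). Both fetch functions start before and end after their hunks.
```c
/* Returns the connection (frontend or backend, chosen by kw[4]) that the
 * ssl_{fc,bc}_hsk_err* fetches refer to, or NULL when there is none. Shared
 * so the side selection lives in one place.
 */
static struct connection *smp_fetch_ssl_hsk_conn(struct sample *smp, const char *kw)
{
	/* kw is "ssl_fc_*" or "ssl_bc_*": kw[4] selects the side */
	if (obj_type(smp->sess->origin) == OBJ_TYPE_CHECK)
		return (kw[4] == 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL;
	if (kw[4] != 'b')
		return objt_conn(smp->sess->origin);
	return smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
}

/* … in smp_fetch_ssl_fc_hsk_err and smp_fetch_ssl_fc_hsk_err_str, replacing the inline lookup … */
	conn = smp_fetch_ssl_hsk_conn(smp, kw);
	if (!conn || conn->xprt != &ssl_sock)
		return 0;
```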