diff --git a/doc/configuration.txt b/doc/configuration.txt index 30ba032995..6570a44ea5 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -14956,6 +14956,17 @@ ssl_bc_alg_keysize : integer Returns the symmetric cipher key size supported in bits when the outgoing connection was made over an SSL/TLS transport layer. +ssl_bc_alpn : string + This extracts the Application Layer Protocol Negotiation field from an + outgoing connection made via a TLS transport layer. + The result is a string containing the protocol name negociated with the + server. The SSL library must have been built with support for TLS + extensions enabled (check haproxy -vv). Note that the TLS ALPN extension is + not advertised unless the "alpn" keyword on the "server" line specifies a + protocol list. Also, nothing forces the server to pick a protocol from this + list, any other one may be requested. The TLS ALPN extension is meant to + replace the TLS NPN extension. See also "ssl_bc_npn". + ssl_bc_cipher : string Returns the name of the used cipher when the outgoing connection was made over an SSL/TLS transport layer. 
@@ -14965,6 +14976,16 @@ ssl_bc_is_resumed : boolean layer and the newly created SSL session was resumed using a cached session or a TLS ticket. +ssl_bc_npn : string + This extracts the Next Protocol Negotiation field from an outgoing connection + made via a TLS transport layer. The result is a string containing the + protocol name negociated with the server . The SSL library must have been + built with support for TLS extensions enabled (check haproxy -vv). Note that + the TLS NPN extension is not advertised unless the "npn" keyword on the + "server" line specifies a protocol list. Also, nothing forces the server to + pick a protocol from this list, any other one may be used. Please note that + the TLS NPN extension was replaced with ALPN. + ssl_bc_protocol : string Returns the name of the used protocol when the outgoing connection was made over an SSL/TLS transport layer. diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 583899043a..c1e2e7b605 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -6875,7 +6875,8 @@ smp_fetch_ssl_fc_npn(const struct arg *args, struct sample *smp, const char *kw, smp->flags = SMP_F_CONST; smp->data.type = SMP_T_STR; - conn = objt_conn(smp->sess->origin); + conn = (kw[4] != 'b' ) ? objt_conn(smp->sess->origin) : + smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL; if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock) return 0; @@ -6900,7 +6901,9 @@ smp_fetch_ssl_fc_alpn(const struct arg *args, struct sample *smp, const char *kw smp->flags = SMP_F_CONST; smp->data.type = SMP_T_STR; - conn = objt_conn(smp->sess->origin); + conn = (kw[4] != 'b' ) ? objt_conn(smp->sess->origin) : + smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL; + if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock) return 0; 
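Review bot: The connection selection added to both smp_fetch_ssl_fc_npn and smp_fetch_ssl_fc_alpn is an unparenthesised nested ternary keyed on `kw[4]`, which only works because every keyword is spelled "ssl_fc_*" or "ssl_bc_*"; a one-line comment above each, `/* kw[4] is 'f' (frontend: session origin) or 'b' (backend: si[1] connection) */`, would save the next reader from counting characters. Written as `if (kw[4] != 'b') conn = objt_conn(smp->sess->origin); else conn = smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;` it is the same logic and much easier to audit. The NULL-stream case falls into the existing `!conn` guard, so a backend fetch evaluated before a stream exists returns 0 (not found) rather than dereferencing anything, which is the right behaviour; presumably objt_cs/cs_conn tolerate a NULL `end` pointer as they do elsewhere in this file, but that is worth confirming since the value ultimately comes from the peer server. Both function bodies continue past the end of the hunk.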
@@ -8931,7 +8934,13 @@ static struct cli_kw_list cli_kws = {{ },{
 static struct sample_fetch_kw_list sample_fetch_keywords = {ILH, {
 { "ssl_bc", smp_fetch_ssl_fc, 0, NULL, SMP_T_BOOL, SMP_USE_L5SRV },
 { "ssl_bc_alg_keysize", smp_fetch_ssl_fc_alg_keysize, 0, NULL, SMP_T_SINT, SMP_USE_L5SRV },
+#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
+ { "ssl_fc_alpn", smp_fetch_ssl_fc_alpn, 0, NULL, SMP_T_STR, SMP_USE_L5SRV },
+#endif
 { "ssl_bc_cipher", smp_fetch_ssl_fc_cipher, 0, NULL, SMP_T_STR, SMP_USE_L5SRV },
+#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
+ { "ssl_bc_npn", smp_fetch_ssl_fc_npn, 0, NULL, SMP_T_STR, SMP_USE_L5SRV },
+#endif
 { "ssl_bc_is_resumed", smp_fetch_ssl_fc_is_resumed, 0, NULL, SMP_T_BOOL, SMP_USE_L5SRV },
 { "ssl_bc_protocol", smp_fetch_ssl_fc_protocol, 0, NULL, SMP_T_STR, SMP_USE_L5SRV },
 { "ssl_bc_unique_id", smp_fetch_ssl_fc_unique_id, 0, NULL, SMP_T_BIN, SMP_USE_L5SRV },
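Review bot: The ALPN entry registers the wrong keyword: it reads `{ "ssl_fc_alpn", smp_fetch_ssl_fc_alpn, ... SMP_USE_L5SRV }` inside the ssl_bc_* block, so the "ssl_bc_alpn" fetch documented in this same commit never exists, and because the fetch picks its connection with `kw[4] != 'b'` this entry would read the frontend connection despite being flagged SMP_USE_L5SRV (and likely collides with the frontend "ssl_fc_alpn" registration elsewhere in the table, which is not visible here). It should be `{ "ssl_bc_alpn", smp_fetch_ssl_fc_alpn, 0, NULL, SMP_T_STR, SMP_USE_L5SRV },`. As a nit, "ssl_bc_npn" is inserted before "ssl_bc_is_resumed", breaking the alphabetical order the rest of the list keeps; it belongs after that entry.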