MEDIUM: ssl: Add ssl_bc_alpn and ssl_bc_npn sample fetches.

Add 2 new sample fetches, ssl_bc_alpn and ssl_bc_npn, that provide the
ALPN and the NPN negotiated on an outgoing (backend) connection.
Olivier Houchard 2018-11-22 18:18:29 +01:00 committed by Willy Tarreau
parent 201b9f4eb5
commit 6b77f49e78
2 changed files with 32 additions and 2 deletions


@ -14956,6 +14956,17 @@ ssl_bc_alg_keysize : integer
Returns the symmetric cipher key size supported in bits when the outgoing Returns the symmetric cipher key size supported in bits when the outgoing
connection was made over an SSL/TLS transport layer. connection was made over an SSL/TLS transport layer.
ssl_bc_alpn : string
This extracts the Application Layer Protocol Negotiation field from an
outgoing connection made via a TLS transport layer.
The result is a string containing the protocol name negociated with the
server. The SSL library must have been built with support for TLS
extensions enabled (check haproxy -vv). Note that the TLS ALPN extension is
not advertised unless the "alpn" keyword on the "server" line specifies a
protocol list. Also, nothing forces the server to pick a protocol from this
list, any other one may be requested. The TLS ALPN extension is meant to
replace the TLS NPN extension. See also "ssl_bc_npn".
ssl_bc_cipher : string ssl_bc_cipher : string
Returns the name of the used cipher when the outgoing connection was made Returns the name of the used cipher when the outgoing connection was made
over an SSL/TLS transport layer. over an SSL/TLS transport layer.
@ -14965,6 +14976,16 @@ ssl_bc_is_resumed : boolean
layer and the newly created SSL session was resumed using a cached layer and the newly created SSL session was resumed using a cached
session or a TLS ticket. session or a TLS ticket.
ssl_bc_npn : string
This extracts the Next Protocol Negotiation field from an outgoing connection
made via a TLS transport layer. The result is a string containing the
protocol name negociated with the server . The SSL library must have been
built with support for TLS extensions enabled (check haproxy -vv). Note that
the TLS NPN extension is not advertised unless the "npn" keyword on the
"server" line specifies a protocol list. Also, nothing forces the server to
pick a protocol from this list, any other one may be used. Please note that
the TLS NPN extension was replaced with ALPN.
ssl_bc_protocol : string ssl_bc_protocol : string
Returns the name of the used protocol when the outgoing connection was made Returns the name of the used protocol when the outgoing connection was made
over an SSL/TLS transport layer. over an SSL/TLS transport layer.


@ -6875,7 +6875,8 @@ smp_fetch_ssl_fc_npn(const struct arg *args, struct sample *smp, const char *kw,
smp->flags = SMP_F_CONST; smp->flags = SMP_F_CONST;
smp->data.type = SMP_T_STR; smp->data.type = SMP_T_STR;
conn = objt_conn(smp->sess->origin); conn = (kw[4] != 'b' ) ? objt_conn(smp->sess->origin) :
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock) if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
return 0; return 0;
@ -6900,7 +6901,9 @@ smp_fetch_ssl_fc_alpn(const struct arg *args, struct sample *smp, const char *kw
smp->flags = SMP_F_CONST; smp->flags = SMP_F_CONST;
smp->data.type = SMP_T_STR; smp->data.type = SMP_T_STR;
conn = objt_conn(smp->sess->origin); conn = (kw[4] != 'b' ) ? objt_conn(smp->sess->origin) :
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock) if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
return 0; return 0;
@ -8931,7 +8934,13 @@ static struct cli_kw_list cli_kws = {{ },{
static struct sample_fetch_kw_list sample_fetch_keywords = {ILH, { static struct sample_fetch_kw_list sample_fetch_keywords = {ILH, {
{ "ssl_bc", smp_fetch_ssl_fc, 0, NULL, SMP_T_BOOL, SMP_USE_L5SRV }, { "ssl_bc", smp_fetch_ssl_fc, 0, NULL, SMP_T_BOOL, SMP_USE_L5SRV },
{ "ssl_bc_alg_keysize", smp_fetch_ssl_fc_alg_keysize, 0, NULL, SMP_T_SINT, SMP_USE_L5SRV }, { "ssl_bc_alg_keysize", smp_fetch_ssl_fc_alg_keysize, 0, NULL, SMP_T_SINT, SMP_USE_L5SRV },
#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
{ "ssl_fc_alpn", smp_fetch_ssl_fc_alpn, 0, NULL, SMP_T_STR, SMP_USE_L5SRV },
#endif
{ "ssl_bc_cipher", smp_fetch_ssl_fc_cipher, 0, NULL, SMP_T_STR, SMP_USE_L5SRV }, { "ssl_bc_cipher", smp_fetch_ssl_fc_cipher, 0, NULL, SMP_T_STR, SMP_USE_L5SRV },
#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
{ "ssl_bc_npn", smp_fetch_ssl_fc_npn, 0, NULL, SMP_T_STR, SMP_USE_L5SRV },
#endif
{ "ssl_bc_is_resumed", smp_fetch_ssl_fc_is_resumed, 0, NULL, SMP_T_BOOL, SMP_USE_L5SRV }, { "ssl_bc_is_resumed", smp_fetch_ssl_fc_is_resumed, 0, NULL, SMP_T_BOOL, SMP_USE_L5SRV },
{ "ssl_bc_protocol", smp_fetch_ssl_fc_protocol, 0, NULL, SMP_T_STR, SMP_USE_L5SRV }, { "ssl_bc_protocol", smp_fetch_ssl_fc_protocol, 0, NULL, SMP_T_STR, SMP_USE_L5SRV },
{ "ssl_bc_unique_id", smp_fetch_ssl_fc_unique_id, 0, NULL, SMP_T_BIN, SMP_USE_L5SRV }, { "ssl_bc_unique_id", smp_fetch_ssl_fc_unique_id, 0, NULL, SMP_T_BIN, SMP_USE_L5SRV },
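Review bot: The entry added under `#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation` in the ssl_bc_* keyword table is named `"ssl_fc_alpn"`, not `"ssl_bc_alpn"`, so the backend ALPN fetch this commit documents is never registered and ssl_fc_alpn now appears twice in sample_fetch_keywords. Since smp_fetch_ssl_fc_alpn selects the connection with `kw[4] != 'b'`, the misnamed entry still resolves the frontend connection, so a rule meant to inspect the server-side ALPN would either fail to parse or silently see client-side data. The line should read `{ "ssl_bc_alpn", smp_fetch_ssl_fc_alpn, 0, NULL, SMP_T_STR, SMP_USE_L5SRV },` to match the neighbouring ssl_bc_npn entry. Whether the duplicate keyword is rejected at registration or merely shadowed depends on code outside this hunk.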