MINOR: checks: Add support of server side ssl sample fetches
SSL sample fetches acting on the server connection can now be called from any sample expression or log-format string in a tcp-check based ruleset. ssl_bc and ssl_bc_* sample fetches are concerned.
This commit is contained in:
parent
d1b4464b69
commit
d92ea7f5e7
|
@ -16281,11 +16281,13 @@ future information. Those generally include the results of SSL negotiations.
|
|||
ssl_bc : boolean
|
||||
Returns true when the back connection was made via an SSL/TLS transport
|
||||
layer and is locally deciphered. This means the outgoing connection was made
|
||||
other a server with the "ssl" option.
|
||||
other a server with the "ssl" option. It can be used in a tcp-check or an
|
||||
http-check ruleset.
|
||||
|
||||
ssl_bc_alg_keysize : integer
|
||||
Returns the symmetric cipher key size supported in bits when the outgoing
|
||||
connection was made over an SSL/TLS transport layer.
|
||||
connection was made over an SSL/TLS transport layer. It can be used in a
|
||||
tcp-check or an http-check ruleset.
|
||||
|
||||
ssl_bc_alpn : string
|
||||
This extracts the Application Layer Protocol Negotiation field from an
|
||||
|
@ -16296,21 +16298,25 @@ ssl_bc_alpn : string
|
|||
not advertised unless the "alpn" keyword on the "server" line specifies a
|
||||
protocol list. Also, nothing forces the server to pick a protocol from this
|
||||
list, any other one may be requested. The TLS ALPN extension is meant to
|
||||
replace the TLS NPN extension. See also "ssl_bc_npn".
|
||||
replace the TLS NPN extension. See also "ssl_bc_npn". It can be used in a
|
||||
tcp-check or an http-check ruleset.
|
||||
|
||||
ssl_bc_cipher : string
|
||||
Returns the name of the used cipher when the outgoing connection was made
|
||||
over an SSL/TLS transport layer.
|
||||
over an SSL/TLS transport layer. It can be used in a tcp-check or an
|
||||
http-check ruleset.
|
||||
|
||||
ssl_bc_client_random : binary
|
||||
Returns the client random of the back connection when the incoming connection
|
||||
was made over an SSL/TLS transport layer. It is useful to to decrypt traffic
|
||||
sent using ephemeral ciphers. This requires OpenSSL >= 1.1.0, or BoringSSL.
|
||||
It can be used in a tcp-check or an http-check ruleset.
|
||||
|
||||
ssl_bc_is_resumed : boolean
|
||||
Returns true when the back connection was made over an SSL/TLS transport
|
||||
layer and the newly created SSL session was resumed using a cached
|
||||
session or a TLS ticket.
|
||||
session or a TLS ticket. It can be used in a tcp-check or an http-check
|
||||
ruleset.
|
||||
|
||||
ssl_bc_npn : string
|
||||
This extracts the Next Protocol Negotiation field from an outgoing connection
|
||||
|
@ -16320,36 +16326,42 @@ ssl_bc_npn : string
|
|||
the TLS NPN extension is not advertised unless the "npn" keyword on the
|
||||
"server" line specifies a protocol list. Also, nothing forces the server to
|
||||
pick a protocol from this list, any other one may be used. Please note that
|
||||
the TLS NPN extension was replaced with ALPN.
|
||||
the TLS NPN extension was replaced with ALPN. It can be used in a tcp-check
|
||||
or an http-check ruleset.
|
||||
|
||||
ssl_bc_protocol : string
|
||||
Returns the name of the used protocol when the outgoing connection was made
|
||||
over an SSL/TLS transport layer.
|
||||
over an SSL/TLS transport layer. It can be used in a tcp-check or an
|
||||
http-check ruleset.
|
||||
|
||||
ssl_bc_unique_id : binary
|
||||
When the outgoing connection was made over an SSL/TLS transport layer,
|
||||
returns the TLS unique ID as defined in RFC5929 section 3. The unique id
|
||||
can be encoded to base64 using the converter: "ssl_bc_unique_id,base64".
|
||||
can be encoded to base64 using the converter: "ssl_bc_unique_id,base64". It
|
||||
can be used in a tcp-check or an http-check ruleset.
|
||||
|
||||
ssl_bc_server_random : binary
|
||||
Returns the server random of the back connection when the incoming connection
|
||||
was made over an SSL/TLS transport layer. It is useful to to decrypt traffic
|
||||
sent using ephemeral ciphers. This requires OpenSSL >= 1.1.0, or BoringSSL.
|
||||
It can be used in a tcp-check or an http-check ruleset.
|
||||
|
||||
ssl_bc_session_id : binary
|
||||
Returns the SSL ID of the back connection when the outgoing connection was
|
||||
made over an SSL/TLS transport layer. It is useful to log if we want to know
|
||||
if session was reused or not.
|
||||
if session was reused or not. It can be used in a tcp-check or an http-check
|
||||
ruleset.
|
||||
|
||||
ssl_bc_session_key : binary
|
||||
Returns the SSL session master key of the back connection when the outgoing
|
||||
connection was made over an SSL/TLS transport layer. It is useful to decrypt
|
||||
traffic sent using ephemeral ciphers. This requires OpenSSL >= 1.1.0, or
|
||||
BoringSSL.
|
||||
BoringSSL. It can be used in a tcp-check or an http-check ruleset.
|
||||
|
||||
ssl_bc_use_keysize : integer
|
||||
Returns the symmetric cipher key size used in bits when the outgoing
|
||||
connection was made over an SSL/TLS transport layer.
|
||||
connection was made over an SSL/TLS transport layer. It can be used in a
|
||||
tcp-check or an http-check ruleset.
|
||||
|
||||
ssl_c_ca_err : integer
|
||||
When the incoming connection was made over an SSL/TLS transport layer,
|
||||
|
|
108
src/ssl_sock.c
108
src/ssl_sock.c
|
@ -8468,8 +8468,13 @@ smp_fetch_ssl_x_key_alg(const struct arg *args, struct sample *smp, const char *
|
|||
static int
|
||||
smp_fetch_ssl_fc(const struct arg *args, struct sample *smp, const char *kw, void *private)
|
||||
{
|
||||
struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
|
||||
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
|
||||
struct connection *conn;
|
||||
|
||||
if (smp->sess && obj_type(smp->sess->origin) == OBJ_TYPE_CHECK)
|
||||
conn = (kw[4] != 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL;
|
||||
else
|
||||
conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
|
||||
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
|
||||
|
||||
smp->data.type = SMP_T_BOOL;
|
||||
smp->data.u.sint = (conn && conn->xprt == &ssl_sock);
|
||||
|
@ -8501,10 +8506,16 @@ smp_fetch_ssl_fc_has_sni(const struct arg *args, struct sample *smp, const char
|
|||
static int
|
||||
smp_fetch_ssl_fc_is_resumed(const struct arg *args, struct sample *smp, const char *kw, void *private)
|
||||
{
|
||||
struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
|
||||
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
|
||||
struct ssl_sock_ctx *ctx = conn ? conn->xprt_ctx : NULL;
|
||||
struct connection *conn;
|
||||
struct ssl_sock_ctx *ctx;
|
||||
|
||||
if (smp->sess && obj_type(smp->sess->origin) == OBJ_TYPE_CHECK)
|
||||
conn = (kw[4] != 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL;
|
||||
else
|
||||
conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
|
||||
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
|
||||
|
||||
ctx = conn ? conn->xprt_ctx : NULL;
|
||||
|
||||
smp->data.type = SMP_T_BOOL;
|
||||
smp->data.u.sint = (conn && conn->xprt == &ssl_sock) &&
|
||||
|
@ -8520,10 +8531,15 @@ smp_fetch_ssl_fc_is_resumed(const struct arg *args, struct sample *smp, const ch
|
|||
static int
|
||||
smp_fetch_ssl_fc_cipher(const struct arg *args, struct sample *smp, const char *kw, void *private)
|
||||
{
|
||||
struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
|
||||
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
|
||||
struct connection *conn;
|
||||
struct ssl_sock_ctx *ctx;
|
||||
|
||||
if (smp->sess && obj_type(smp->sess->origin) == OBJ_TYPE_CHECK)
|
||||
conn = (kw[4] != 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL;
|
||||
else
|
||||
conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
|
||||
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
|
||||
|
||||
smp->flags = 0;
|
||||
if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
|
||||
return 0;
|
||||
|
@ -8548,11 +8564,16 @@ smp_fetch_ssl_fc_cipher(const struct arg *args, struct sample *smp, const char *
|
|||
static int
|
||||
smp_fetch_ssl_fc_alg_keysize(const struct arg *args, struct sample *smp, const char *kw, void *private)
|
||||
{
|
||||
struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
|
||||
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
|
||||
struct connection *conn;
|
||||
struct ssl_sock_ctx *ctx;
|
||||
int sint;
|
||||
|
||||
if (smp->sess && obj_type(smp->sess->origin) == OBJ_TYPE_CHECK)
|
||||
conn = (kw[4] != 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL;
|
||||
else
|
||||
conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
|
||||
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
|
||||
|
||||
smp->flags = 0;
|
||||
if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
|
||||
return 0;
|
||||
|
@ -8574,10 +8595,15 @@ smp_fetch_ssl_fc_alg_keysize(const struct arg *args, struct sample *smp, const c
|
|||
static int
|
||||
smp_fetch_ssl_fc_use_keysize(const struct arg *args, struct sample *smp, const char *kw, void *private)
|
||||
{
|
||||
struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
|
||||
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
|
||||
struct connection *conn;
|
||||
struct ssl_sock_ctx *ctx;
|
||||
|
||||
if (smp->sess && obj_type(smp->sess->origin) == OBJ_TYPE_CHECK)
|
||||
conn = (kw[4] != 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL;
|
||||
else
|
||||
conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
|
||||
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
|
||||
|
||||
smp->flags = 0;
|
||||
if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
|
||||
return 0;
|
||||
|
@ -8603,8 +8629,12 @@ smp_fetch_ssl_fc_npn(const struct arg *args, struct sample *smp, const char *kw,
|
|||
smp->flags = SMP_F_CONST;
|
||||
smp->data.type = SMP_T_STR;
|
||||
|
||||
conn = (kw[4] != 'b' ) ? objt_conn(smp->sess->origin) :
|
||||
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
|
||||
if (smp->sess && obj_type(smp->sess->origin) == OBJ_TYPE_CHECK)
|
||||
conn = (kw[4] != 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL;
|
||||
else
|
||||
conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
|
||||
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
|
||||
|
||||
if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
|
||||
return 0;
|
||||
ctx = conn->xprt_ctx;
|
||||
|
@ -8633,8 +8663,11 @@ smp_fetch_ssl_fc_alpn(const struct arg *args, struct sample *smp, const char *kw
|
|||
smp->flags = SMP_F_CONST;
|
||||
smp->data.type = SMP_T_STR;
|
||||
|
||||
conn = (kw[4] != 'b' ) ? objt_conn(smp->sess->origin) :
|
||||
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
|
||||
if (smp->sess && obj_type(smp->sess->origin) == OBJ_TYPE_CHECK)
|
||||
conn = (kw[4] != 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL;
|
||||
else
|
||||
conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
|
||||
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
|
||||
|
||||
if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
|
||||
return 0;
|
||||
|
@ -8660,10 +8693,15 @@ smp_fetch_ssl_fc_alpn(const struct arg *args, struct sample *smp, const char *kw
|
|||
static int
|
||||
smp_fetch_ssl_fc_protocol(const struct arg *args, struct sample *smp, const char *kw, void *private)
|
||||
{
|
||||
struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
|
||||
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
|
||||
struct connection *conn;
|
||||
struct ssl_sock_ctx *ctx;
|
||||
|
||||
if (smp->sess && obj_type(smp->sess->origin) == OBJ_TYPE_CHECK)
|
||||
conn = (kw[4] != 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL;
|
||||
else
|
||||
conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
|
||||
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
|
||||
|
||||
smp->flags = 0;
|
||||
if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
|
||||
return 0;
|
||||
|
@ -8688,8 +8726,7 @@ smp_fetch_ssl_fc_protocol(const struct arg *args, struct sample *smp, const char
|
|||
static int
|
||||
smp_fetch_ssl_fc_session_id(const struct arg *args, struct sample *smp, const char *kw, void *private)
|
||||
{
|
||||
struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
|
||||
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
|
||||
struct connection *conn;
|
||||
SSL_SESSION *ssl_sess;
|
||||
struct ssl_sock_ctx *ctx;
|
||||
unsigned int len = 0;
|
||||
|
@ -8697,6 +8734,12 @@ smp_fetch_ssl_fc_session_id(const struct arg *args, struct sample *smp, const ch
|
|||
smp->flags = SMP_F_CONST;
|
||||
smp->data.type = SMP_T_BIN;
|
||||
|
||||
if (smp->sess && obj_type(smp->sess->origin) == OBJ_TYPE_CHECK)
|
||||
conn = (kw[4] != 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL;
|
||||
else
|
||||
conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
|
||||
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
|
||||
|
||||
if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
|
||||
return 0;
|
||||
ctx = conn->xprt_ctx;
|
||||
|
@ -8719,11 +8762,16 @@ smp_fetch_ssl_fc_session_id(const struct arg *args, struct sample *smp, const ch
|
|||
static int
|
||||
smp_fetch_ssl_fc_random(const struct arg *args, struct sample *smp, const char *kw, void *private)
|
||||
{
|
||||
struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
|
||||
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
|
||||
struct connection *conn;
|
||||
struct buffer *data;
|
||||
struct ssl_sock_ctx *ctx;
|
||||
|
||||
if (smp->sess && obj_type(smp->sess->origin) == OBJ_TYPE_CHECK)
|
||||
conn = (kw[4] != 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL;
|
||||
else
|
||||
conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
|
||||
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
|
||||
|
||||
if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
|
||||
return 0;
|
||||
ctx = conn->xprt_ctx;
|
||||
|
@ -8750,12 +8798,17 @@ smp_fetch_ssl_fc_random(const struct arg *args, struct sample *smp, const char *
|
|||
static int
|
||||
smp_fetch_ssl_fc_session_key(const struct arg *args, struct sample *smp, const char *kw, void *private)
|
||||
{
|
||||
struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
|
||||
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
|
||||
struct connection *conn;
|
||||
SSL_SESSION *ssl_sess;
|
||||
struct buffer *data;
|
||||
struct ssl_sock_ctx *ctx;
|
||||
|
||||
if (smp->sess && obj_type(smp->sess->origin) == OBJ_TYPE_CHECK)
|
||||
conn = (kw[4] != 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL;
|
||||
else
|
||||
conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
|
||||
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
|
||||
|
||||
if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
|
||||
return 0;
|
||||
ctx = conn->xprt_ctx;
|
||||
|
@ -8903,12 +8956,17 @@ smp_fetch_ssl_fc_cl_str(const struct arg *args, struct sample *smp, const char *
|
|||
static int
|
||||
smp_fetch_ssl_fc_unique_id(const struct arg *args, struct sample *smp, const char *kw, void *private)
|
||||
{
|
||||
struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
|
||||
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
|
||||
struct connection *conn;
|
||||
int finished_len;
|
||||
struct buffer *finished_trash;
|
||||
struct ssl_sock_ctx *ctx;
|
||||
|
||||
if (smp->sess && obj_type(smp->sess->origin) == OBJ_TYPE_CHECK)
|
||||
conn = (kw[4] != 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL;
|
||||
else
|
||||
conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
|
||||
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
|
||||
|
||||
smp->flags = 0;
|
||||
if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
|
||||
return 0;
|
||||
|
|
Loading…
Reference in New Issue