MEDIUM: ssl/ocsp: counters for OCSP stapling

Add 2 counters in the SSL stats module for OCSP stapling. - ssl_ocsp_staple is the number of OCSP response successfully stapled with the handshake - ssl_failed_ocsp_stapled is the number of OCSP response that we couldn't staple, it could be because of an error or because the response is expired. These counters are incremented in the OCSP stapling callback, so if no OCSP was configured they won't never increase. Also they are only working in frontends. This was discussed in github issue #2822.
2025-08-06 15:17:01 +02:00 · 2024-12-23 11:06:17 +01:00 · 2024-12-23 11:06:17 +01:00 · 056ec51c26
commit 056ec51c26
parent 6e4dd4c64c
3 changed files with 37 additions and 0 deletions
--- a/include/haproxy/ssl_sock-t.h
+++ b/include/haproxy/ssl_sock-t.h
@ -331,6 +331,8 @@ struct ssl_counters {
 	long long sess;
 	long long reused_sess;
 	long long failed_handshake;
+	long long ocsp_staple;
+	long long failed_ocsp_staple;
 };

 #endif /* USE_OPENSSL */
--- a/src/ssl_ocsp.c
+++ b/src/ssl_ocsp.c
@ -99,6 +99,10 @@ int ssl_sock_get_ocsp_arg_kt_index(int evp_keytype)
 */
 int ssl_sock_ocsp_stapling_cbk(SSL *ssl, void *arg)
 {
+	struct connection *conn = SSL_get_ex_data(ssl, ssl_app_data_index);
+	struct listener *li;
+	struct ssl_counters *counters = NULL;
+	struct ssl_counters *counters_px = NULL;
 	struct certificate_ocsp *ocsp;
 	struct ocsp_cbk_arg *ocsp_arg;
 	char *ssl_buf;
@ -111,6 +115,12 @@ int ssl_sock_ocsp_stapling_cbk(SSL *ssl, void *arg)
 	if (!ctx)
 		goto error;

+	if (obj_type(conn->target) == OBJ_TYPE_LISTENER) {
+		li = __objt_listener(conn->target);
+		counters = EXTRA_COUNTERS_GET(li->extra_counters, &ssl_stats_module);
+		counters_px = EXTRA_COUNTERS_GET(li->bind_conf->frontend->extra_counters_fe, &ssl_stats_module);
+	}
+
 	ocsp_arg = SSL_CTX_get_ex_data(ctx, ocsp_ex_index);
 	if (!ocsp_arg)
 		goto error;
@ -150,9 +160,21 @@ int ssl_sock_ocsp_stapling_cbk(SSL *ssl, void *arg)
 	memcpy(ssl_buf, ocsp->response.area, ocsp->response.data);
 	SSL_set_tlsext_status_ocsp_resp(ssl, (unsigned char*)ssl_buf, ocsp->response.data);

+	if (counters) {
+		HA_ATOMIC_INC(&counters->ocsp_staple);
+		HA_ATOMIC_INC(&counters_px->ocsp_staple);
+	}
+
 	return SSL_TLSEXT_ERR_OK;

+
 error:
+
+	if (counters) {
+		HA_ATOMIC_INC(&counters->failed_ocsp_staple);
+		HA_ATOMIC_INC(&counters_px->failed_ocsp_staple);
+	}
+
 	return SSL_TLSEXT_ERR_NOACK;
 }

--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@ -156,6 +156,8 @@ enum {
 	SSL_ST_SESS,
 	SSL_ST_REUSED_SESS,
 	SSL_ST_FAILED_HANDSHAKE,
+	SSL_ST_OCSP_STAPLE,
+	SSL_ST_FAILED_OCSP_STAPLE,

 	SSL_ST_STATS_COUNT /* must be the last member of the enum */
 };
@ -167,6 +169,10 @@ static struct stat_col ssl_stats[] = {
 	                              .desc = "Total number of ssl sessions reused" },
 	[SSL_ST_FAILED_HANDSHAKE] = { .name = "ssl_failed_handshake",
 	                              .desc = "Total number of failed handshake" },
+	[SSL_ST_OCSP_STAPLE]      = { .name = "ssl_ocsp_staple",
+	                              .desc = "Total number of stapled OCSP responses" },
+	[SSL_ST_FAILED_OCSP_STAPLE] = { .name = "ssl_failed_ocsp_staple",
+	                              .desc = "Total number of failed OCSP stapling (expired or error)" },
 };

 static struct ssl_counters ssl_counters;
@ -189,6 +195,13 @@ static int ssl_fill_stats(void *data, struct field *stats, unsigned int *selecte
 		case SSL_ST_FAILED_HANDSHAKE:
 			metric = mkf_u64(FN_COUNTER, counters->failed_handshake);
 			break;
+		case SSL_ST_OCSP_STAPLE:
+			metric = mkf_u64(FN_COUNTER, counters->ocsp_staple);
+			break;
+		case SSL_ST_FAILED_OCSP_STAPLE:
+			metric = mkf_u64(FN_COUNTER, counters->failed_ocsp_staple);
+			break;
+
 		default:
 			/* not used for frontends. If a specific metric
 			 * is requested, return an error. Otherwise continue.