From 163cdeba3726f132a264e996be554243ff80ec9d Mon Sep 17 00:00:00 2001
From: Remi Tricot-Le Breton
Date: Wed, 1 Sep 2021 15:52:14 +0200
Subject: [PATCH] MINOR: ssl: Add new ssl_bc_hsk_err sample fetch
This new sample fetch along the ssl_bc_hsk_err_str fetch contain the last SSL error of the error stack that occurred during the SSL handshake (from the backend's perspective).
---
 doc/configuration.txt | 14 ++++++++++++++
 src/ssl_sample.c | 16 ++++++++++++++--
 2 files changed, 28 insertions(+), 2 deletions(-)
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 182ecc644..dbbf19ea1 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -18646,6 +18646,20 @@ ssl_bc_client_random : binary
 sent using ephemeral ciphers. This requires OpenSSL >= 1.1.0, or BoringSSL. It can be used in a tcp-check or an http-check ruleset.
+ssl_bc_hsk_err : integer
+ When the outgoing connection was made over an SSL/TLS transport layer,
+ returns the ID of the latest error that happened during the handshake on the
+ backend side, or 0 if no error was encountered. In order to get a text
+ description of this error code, you can either use the "ssl_bc_hsk_err_str"
+ sample fetch or use the "openssl errstr" command (which takes an error code
+ in hexadecimal representation as parameter). Please refer to your SSL
+ library's documentation to find the exhaustive list of error codes.
+
+ssl_bc_hsk_err_str : string
+ When the outgoing connection was made over an SSL/TLS transport layer,
+ returns a string representation of the latest error that happened during the
+ handshake on the backend side. See also "ssl_fc_hsk_err".
+
 ssl_bc_is_resumed : boolean
 Returns true when the back connection was made over an SSL/TLS transport layer and the newly created SSL session was resumed using a cached
diff --git a/src/ssl_sample.c b/src/ssl_sample.c
index aa9a547e4..f93ae0a8f 100644
--- a/src/ssl_sample.c
+++ b/src/ssl_sample.c
@@ -1212,7 +1212,12 @@ smp_fetch_ssl_fc_hsk_err(const struct arg *args, struct sample *smp, const char
 struct connection *conn;
 struct ssl_sock_ctx *ctx;
- conn = objt_conn(smp->sess->origin);
+ if (obj_type(smp->sess->origin) == OBJ_TYPE_CHECK)
+ conn = (kw[4] == 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL;
+ else
+ conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
+ smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
+
 if (!conn || conn->xprt != &ssl_sock)
 return 0;
 ctx = conn->xprt_ctx;
@@ -1260,7 +1265,12 @@ smp_fetch_ssl_fc_hsk_err_str(const struct arg *args, struct sample *smp, const c
 struct ssl_sock_ctx *ctx;
 const char *err_code_str;
- conn = objt_conn(smp->sess->origin);
+ if (obj_type(smp->sess->origin) == OBJ_TYPE_CHECK)
+ conn = (kw[4] == 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL;
+ else
+ conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
+ smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
+
 if (!conn || conn->xprt != &ssl_sock)
 return 0;
 ctx = conn->xprt_ctx;
@@ -1669,6 +1679,8 @@ static struct sample_fetch_kw_list sample_fetch_keywords = {ILH, {
 { "ssl_bc_server_random", smp_fetch_ssl_fc_random, 0, NULL, SMP_T_BIN, SMP_USE_L5SRV },
 { "ssl_bc_session_key", smp_fetch_ssl_fc_session_key, 0, NULL, SMP_T_BIN, SMP_USE_L5SRV },
 #endif
+ { "ssl_bc_hsk_err", smp_fetch_ssl_fc_hsk_err, 0, NULL, SMP_T_SINT, SMP_USE_L5SRV },
+ { "ssl_bc_hsk_err_str", smp_fetch_ssl_fc_hsk_err_str, 0, NULL, SMP_T_STR, SMP_USE_L5SRV },
 { "ssl_c_ca_err", smp_fetch_ssl_c_ca_err, 0, NULL, SMP_T_SINT, SMP_USE_L5CLI },
 { "ssl_c_ca_err_depth", smp_fetch_ssl_c_ca_err_depth, 0, NULL, SMP_T_SINT, SMP_USE_L5CLI },
 { "ssl_c_der", smp_fetch_ssl_x_der, 0, NULL, SMP_T_BIN, SMP_USE_L5CLI },
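Review bot: The five-line connection lookup that replaces `conn = objt_conn(smp->sess->origin);` in smp_fetch_ssl_fc_hsk_err is pasted verbatim into smp_fetch_ssl_fc_hsk_err_str in the next hunk, so the two handshake-error fetches will drift the next time the check or stream plumbing changes; a small static helper that both call keeps the dispatch in one place. The helper below preserves the new behaviour exactly: in a health check only the bc variant resolves to the check's connection, otherwise fc reads the session origin and bc reads the server-side stream interface, with NULL in every other case. smp_fetch_ssl_fc_hsk_err starts before this hunk and its body continues after it.
```c
/* Resolve the connection an ssl_{fc,bc}_hsk_err* fetch refers to. kw[4] is
 * 'f' for the frontend (ssl_fc_*) and 'b' for the backend (ssl_bc_*) variant.
 * Returns NULL when no such connection exists in the current context. */
static struct connection *ssl_hsk_err_conn(struct sample *smp, const char *kw)
{
	if (obj_type(smp->sess->origin) == OBJ_TYPE_CHECK)
		return (kw[4] == 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL;
	if (kw[4] != 'b')
		return objt_conn(smp->sess->origin);
	return smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
}

/* … unchanged: smp_fetch_ssl_fc_hsk_err prologue … */
	conn = ssl_hsk_err_conn(smp, kw);
	if (!conn || conn->xprt != &ssl_sock)
		return 0;
```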
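Review bot: The `kw[4]` tests added to smp_fetch_ssl_fc_hsk_err_str tie the fetch's behaviour to the fifth character of whatever keyword it is registered under, and nothing near the code says so; a one-line comment above the `if`, `/* kw[4] is 'f' for ssl_fc_* and 'b' for ssl_bc_* */`, would make that coupling visible to whoever next registers an alias for this function. The check branch also hands `__objt_check(smp->sess->origin)->cs` straight to cs_conn(), and the stream branch passes the result of objt_cs() through; both rely on those helpers tolerating a NULL argument, which appears to be the case in this tree but is outside the hunk and worth confirming, since a check-context sample can be evaluated before its connection exists. smp_fetch_ssl_fc_hsk_err_str starts before this hunk and continues past it.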
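Review bot: The two new keyword entries are placed after the `#endif` that closes the ssl_bc_server_random/ssl_bc_session_key group, which puts ssl_bc_hsk_err after ssl_bc_session_key even though the visible neighbours (ssl_bc_server_random, ssl_bc_session_key, ssl_c_ca_err, ssl_c_ca_err_depth, ssl_c_der) read as alphabetically sorted; if the table is kept sorted, the pair belongs between ssl_bc_client_random and ssl_bc_is_resumed, which is outside this hunk. Registering them with SMP_USE_L5SRV matches the other ssl_bc_* entries shown and agrees with the check-context handling added to the fetch functions. The keyword list starts before this hunk and continues after it.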