MINOR: ssl: add ssl_fc_is_resumed to "option httpslog"

In order to trace which session were TLS resumed, add the ssl_fc_is_resumed in the httpslog option.
2025-08-06 07:07:04 +02:00 · 2021-10-14 14:27:48 +02:00 · 2021-10-14 14:27:48 +02:00 · 1d58b01316
commit 1d58b01316
parent e5dfd405b3
3 changed files with 15 additions and 10 deletions
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@ -21145,7 +21145,7 @@ HTTP ones, refer to the HTTP section.
    >>> Feb  6 12:14:14 localhost \
          haproxy[14389]: 10.0.1.2:33317 [06/Feb/2009:12:14:14.655] https-in \
          static/srv1 10/0/30/69/109 200 2750 - - ---- 1/1/1/1/0 0/0 {1wt.eu} \
-          {} "GET /index.html HTTP/1.1" 0/0/0/0 TLSv1.3/TLS_AES_256_GCM_SHA384
+          {} "GET /index.html HTTP/1.1" 0/0/0/0/0 TLSv1.3/TLS_AES_256_GCM_SHA384

  Field   Format                                  Extract from the example above
      1   process_name '[' pid ']:'                              haproxy[14389]:
@ -21164,7 +21164,8 @@ HTTP ones, refer to the HTTP section.
     14   '{' captured_request_headers* '}'                     {haproxy.1wt.eu}
     15   '{' captured_response_headers* '}'                                  {}
     16   '"' http_request '"'                        "GET /index.html HTTP/1.1"
-     17   fc_conn_err '/' ssl_fc_err '/' ssl_c_err '/' ssl_c_ca_err      0/0/0/0
+     17   fc_conn_err '/' ssl_fc_err '/' ssl_c_err
+          '/' ssl_c_ca_err '/' ssl_fc_is_resumed                       0/0/0/0/0
     18   ssl_version '/' ssl_ciphers             TLSv1.3/TLS_AES_256_GCM_SHA384

 Detailed fields description :
@ -21188,6 +21189,10 @@ Detailed fields description :
    verification error code if it is an ignored one. See the "ssl_c_ca_err"
    sample fetch and the "ca-ignore-err" option.

+  - "ssl_fc_is_resumed" is true if the incoming TLS session was resumed with
+    the stateful cache or a stateless ticket. Don't forgot that a TLS session
+    can be shared by multiple requests.
+
  - "ssl_version" is the SSL version of the frontend.

  - "ssl_ciphers" is the SSL cipher used for the connection.
@ -21251,8 +21256,8 @@ the default HTTPS format is defined this way :

    log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC \
               %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r \
-               %[fc_conn_err]/%[ssl_fc_err,hex]/%[ssl_c_err]/%[ssl_c_ca_err] \
-               %sslv/%sslc"
+               %[fc_conn_err]/%[ssl_fc_err,hex]/%[ssl_c_err]/\
+               %[ssl_c_ca_err]/%[ssl_fc_is_resumed] %sslv/%sslc"

 and the default TCP format is defined this way :

--- a/reg-tests/ssl/ssl_errors.vtc
+++ b/reg-tests/ssl/ssl_errors.vtc
@ -63,24 +63,24 @@ syslog Slg_cust_fmt -level info {

 syslog Slg_https_fmt -level info {
    recv
-    expect ~ ".*https_logfmt_ssl_lst~ https_logfmt_ssl_lst/s1.*0/0000000000000000/0/0 TLSv1.2/AES256-GCM-SHA384"
+    expect ~ ".*https_logfmt_ssl_lst~ https_logfmt_ssl_lst/s1.*0/0000000000000000/0/0/.? TLSv1.2/AES256-GCM-SHA384"

    barrier b1 sync
 } -start

 syslog Slg_https_fmt_err -level info {
    recv
-    expect ~ "ERROR.*https_logfmt_ssl_lst~ https_logfmt_ssl_lst/<NOSRV>.*30/0000000000000086/0/2 TLSv1.2/\\(NONE\\)"
+    expect ~ "ERROR.*https_logfmt_ssl_lst~ https_logfmt_ssl_lst/<NOSRV>.*30/0000000000000086/0/2/.? TLSv1.2/\\(NONE\\)"

    barrier b1 sync

    recv
-    expect ~ "ERROR.*https_logfmt_ssl_lst~ https_logfmt_ssl_lst/<NOSRV>.*31/0000000000000086/20/0 TLSv1.2/\\(NONE\\)"
+    expect ~ "ERROR.*https_logfmt_ssl_lst~ https_logfmt_ssl_lst/<NOSRV>.*31/0000000000000086/20/0/.? TLSv1.2/\\(NONE\\)"

    barrier b1 sync

    recv
-    expect ~ "ERROR.*https_logfmt_ssl_lst~ https_logfmt_ssl_lst/<NOSRV>.*34/00000000000000C1/0/0 TLSv1.2/\\(NONE\\)"
+    expect ~ "ERROR.*https_logfmt_ssl_lst~ https_logfmt_ssl_lst/<NOSRV>.*34/00000000000000C1/0/0/.? TLSv1.2/\\(NONE\\)"
 } -start

 syslog Slg_logconnerror -level info {
@ -214,7 +214,7 @@ haproxy h1 -conf {
        option log-separate-errors
        mode http
        option httpslog
-        error-log-format "ERROR %ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %[fc_conn_err]/%[ssl_fc_err,and(proc.ssl_error_mask),hex]/%[ssl_c_err]/%[ssl_c_ca_err] %sslv/%sslc"
+        error-log-format "ERROR %ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %[fc_conn_err]/%[ssl_fc_err,and(proc.ssl_error_mask),hex]/%[ssl_c_err]/%[ssl_c_ca_err]/%[ssl_fc_is_resumed] %sslv/%sslc"
        bind "${tmpdir}/https_logfmt_ssl.sock" ssl crt ${testdir}/set_cafile_server.pem ca-verify-file ${testdir}/set_cafile_rootCA.crt ca-file ${testdir}/set_cafile_interCA1.crt verify required ciphers "kRSA"
        server s1 ${s1_addr}:${s1_port}

--- a/src/log.c
+++ b/src/log.c
@ -195,7 +195,7 @@ static const struct logformat_type logformat_keywords[] = {
 };

 char default_http_log_format[] = "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"; // default format
-char default_https_log_format[] = "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %[fc_conn_err]/%[ssl_fc_err,hex]/%[ssl_c_err]/%[ssl_c_ca_err] %sslv/%sslc";
+char default_https_log_format[] = "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %[fc_conn_err]/%[ssl_fc_err,hex]/%[ssl_c_err]/%[ssl_c_ca_err]/%[ssl_fc_is_resumed] %sslv/%sslc";
 char clf_http_log_format[] = "%{+Q}o %{-Q}ci - - [%trg] %r %ST %B \"\" \"\" %cp %ms %ft %b %s %TR %Tw %Tc %Tr %Ta %tsc %ac %fc %bc %sc %rc %sq %bq %CC %CS %hrl %hsl";
 char default_tcp_log_format[] = "%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq";
 char *log_format = NULL;