MINOR: ssl: add pattern and ACLs fetches 'ssl_fc_protocol', 'ssl_fc_cipher', 'ssl_fc_use_keysize' and 'ssl_fc_alg_keysize'

Some front connection fetches : - ssl_fc_protocol = protocol name (string) - ssl_fc_cipher = cipher name (string) - ssl_fc_use_keysize = symmetric cipher key size used in bits (integer) - ssl_fc_alg_keysize = symmetric cipher key size supported in bits (integer)
2025-12-08 03:01:14 +01:00 · 2012-10-16 14:13:26 +02:00 · 2012-10-16 14:13:26 +02:00 · 589fcadbd9
commit 589fcadbd9
parent 2525b6bb92
2 changed files with 113 additions and 0 deletions
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@ -8384,6 +8384,14 @@ ssl_fc
  layer and is locally deciphered. This means it has matched a socket declared
  with a "bind" line having the "ssl" option.

+ssl_fc_alg_keysize <integer>
+  Returns true when the incoming connection was made over an SSL/TLS transport
+  layer and the symmetric cipher key size supported in bits matches the value.
+
+ssl_fc_cipher <string>
+  returns true when the incoming connection was made over an ssl/tls transport
+  layer and the name of the used cipher matches the string.
+
 ssl_fc_has_crt
  Returns true if a client certificate is present in an incoming connection over
  SSL/TLS transport layer. Useful if 'verify' statement is set to 'optional'.
@ -8404,6 +8412,10 @@ ssl_fc_npn <string>
  the "bind" line specifies a protocol list. Also, nothing forces the client to
  pick a protocol from this list, any other one may be requested.

+ssl_fc_protocol <string>
+  Returns true when the incoming connection was made over an SSL/TLS transport
+  layer and the name of the used protocol matches the string.
+
 ssl_fc_sni <string>
  Returns true when the incoming connection was made over an SSL/TLS transport
  layer which deciphered it and found a Server Name Indication TLS extension
@ -8435,6 +8447,10 @@ ssl_fc_sni_reg <regex>
  requires that the SSL library is build with support for TLS extensions
  enabled (check haproxy -vv).

+ssl_fc_use_keysize <integer>
+  Returns true when the incoming connection was made over an SSL/TLS transport
+  layer and the symmetric cipher key size used in bits matches the value.
+
 wait_end
  Waits for the end of the analysis period to return true. This may be used in
  conjunction with content analysis to avoid returning a wrong verdict early.
@ -9048,6 +9064,14 @@ The list of currently supported pattern fetch functions is the following :
               and returns 1 if it was made via an SSL/TLS transport layer,
               otherwise zero.

+  ssl_fc_alg_keysize
+               Returns the symmetric cipher key size support d in bits when the
+               incoming connection was made over an SSL/TLS transport layer.
+
+  ssl_fc_cipher
+               Returns the name of the used cipher when the incoming connection
+               was made over an SSL/TLS transport layer.
+
  ssl_fc_has_crt
               Returns 1 if a client certificate is present in the front
               connection over SSL/TLS transport layer, otherwise 0.
@ -9066,6 +9090,10 @@ The list of currently supported pattern fetch functions is the following :
               have been built with support for TLS extensions enabled (check
               haproxy -vv). See also the "npn" bind keyword.

+  ssl_fc_protocol
+               Returns the name of the used protocol when the incoming connection
+               was made over an SSL/TLS transport layer.
+
  ssl_fc_sni   This extracts the Server Name Indication field from an incoming
               connection made via an SSL/TLS transport layer and locally
               deciphered by haproxy. The result typically is a string matching
@ -9073,6 +9101,10 @@ The list of currently supported pattern fetch functions is the following :
               have been built with support for TLS extensions enabled (check
               haproxy -vv).

+  ssl_fc_use_keysize
+               Returns the symmetric cipher key size used in bits when the
+               incoming connection was made over an SSL/TLS transport layer.
+
  url          This extracts the request's URL as presented in the request. A
               typical use is with prefetch-capable caches, and with portals
               which need to aggregate multiple information from databases and
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@ -1144,6 +1144,60 @@ smp_fetch_ssl_fc_has_sni(struct proxy *px, struct session *l4, void *l7, unsigne
 #endif
 }

+static int
+smp_fetch_ssl_fc_cipher(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
+                        const struct arg *args, struct sample *smp)
+{
+	smp->flags = 0;
+
+	if (!l4 || !l4->si[0].conn.xprt_ctx || l4->si[0].conn.xprt != &ssl_sock)
+		return 0;
+
+	smp->data.str.str = (char *)SSL_get_cipher_name(l4->si[0].conn.xprt_ctx);
+	if (!smp->data.str.str)
+		return 0;
+
+	smp->type = SMP_T_CSTR;
+	smp->data.str.len = strlen(smp->data.str.str);
+
+	return 1;
+}
+
+static int
+smp_fetch_ssl_fc_alg_keysize(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
+                             const struct arg *args, struct sample *smp)
+{
+	smp->flags = 0;
+
+	if (!l4 || !l4->si[0].conn.xprt_ctx || l4->si[0].conn.xprt != &ssl_sock)
+		return 0;
+
+	if (!SSL_get_cipher_bits(l4->si[0].conn.xprt_ctx, (int *)&smp->data.uint))
+		return 0;
+
+	smp->type = SMP_T_UINT;
+
+	return 1;
+}
+
+static int
+smp_fetch_ssl_fc_use_keysize(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
+                             const struct arg *args, struct sample *smp)
+{
+	smp->flags = 0;
+
+	if (!l4 || !l4->si[0].conn.xprt_ctx || l4->si[0].conn.xprt != &ssl_sock)
+		return 0;
+
+	smp->data.uint = (unsigned int)SSL_get_cipher_bits(l4->si[0].conn.xprt_ctx, NULL);
+	if (!smp->data.uint)
+		return 0;
+
+	smp->type = SMP_T_UINT;
+
+	return 1;
+}
+
 #ifdef OPENSSL_NPN_NEGOTIATED
 static int
 smp_fetch_ssl_fc_npn(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
@ -1166,6 +1220,25 @@ smp_fetch_ssl_fc_npn(struct proxy *px, struct session *l4, void *l7, unsigned in
 }
 #endif

+static int
+smp_fetch_ssl_fc_protocol(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
+                          const struct arg *args, struct sample *smp)
+{
+	smp->flags = 0;
+
+	if (!l4 || !l4->si[0].conn.xprt_ctx || l4->si[0].conn.xprt != &ssl_sock)
+		return 0;
+
+	smp->data.str.str = (char *)SSL_get_version(l4->si[0].conn.xprt_ctx);
+	if (!smp->data.str.str)
+		return 0;
+
+	smp->type = SMP_T_CSTR;
+	smp->data.str.len = strlen(smp->data.str.str);
+
+	return 1;
+}
+
 static int
 smp_fetch_ssl_fc_sni(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
                     const struct arg *args, struct sample *smp)
@ -1760,11 +1833,15 @@ static struct sample_fetch_kw_list sample_fetch_keywords = {{ },{
 	{ "ssl_c_err",              smp_fetch_ssl_c_err,          0,    NULL,    SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
 	{ "ssl_c_verify",           smp_fetch_ssl_c_verify,       0,    NULL,    SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
 	{ "ssl_fc",                 smp_fetch_ssl_fc,             0,    NULL,    SMP_T_BOOL, SMP_CAP_REQ|SMP_CAP_RES },
+	{ "ssl_fc_alg_keysize",     smp_fetch_ssl_fc_alg_keysize, 0,    NULL,    SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
+	{ "ssl_fc_cipher",          smp_fetch_ssl_fc_cipher,      0,    NULL,    SMP_T_CSTR, SMP_CAP_REQ|SMP_CAP_RES },
 	{ "ssl_fc_has_crt",         smp_fetch_ssl_fc_has_crt,     0,    NULL,    SMP_T_BOOL, SMP_CAP_REQ|SMP_CAP_RES },
 	{ "ssl_fc_has_sni",         smp_fetch_ssl_fc_has_sni,     0,    NULL,    SMP_T_BOOL, SMP_CAP_REQ|SMP_CAP_RES },
 #ifdef OPENSSL_NPN_NEGOTIATED
 	{ "ssl_fc_npn",             smp_fetch_ssl_fc_npn,         0,    NULL,    SMP_T_CSTR, SMP_CAP_REQ|SMP_CAP_RES },
 #endif
+	{ "ssl_fc_protocol",        smp_fetch_ssl_fc_protocol,    0,    NULL,    SMP_T_CSTR, SMP_CAP_REQ|SMP_CAP_RES },
+	{ "ssl_fc_use_keysize",     smp_fetch_ssl_fc_use_keysize, 0,    NULL,    SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
 	{ "ssl_fc_sni",             smp_fetch_ssl_fc_sni,         0,    NULL,    SMP_T_CSTR, SMP_CAP_REQ|SMP_CAP_RES },
 	{ NULL, NULL, 0, 0, 0 },
 }};
@ -1778,11 +1855,15 @@ static struct acl_kw_list acl_kws = {{ },{
 	{ "ssl_c_err",              acl_parse_int, smp_fetch_ssl_c_err,          acl_match_int,     ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
 	{ "ssl_c_verify",           acl_parse_int, smp_fetch_ssl_c_verify,       acl_match_int,     ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
 	{ "ssl_fc",                 acl_parse_int, smp_fetch_ssl_fc,             acl_match_nothing, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
+	{ "ssl_fc_alg_keysize",     acl_parse_str, smp_fetch_ssl_fc_alg_keysize, acl_match_int,     ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
+	{ "ssl_fc_cipher",          acl_parse_str, smp_fetch_ssl_fc_cipher,      acl_match_str,     ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
 	{ "ssl_fc_has_crt",         acl_parse_int, smp_fetch_ssl_fc_has_crt,     acl_match_nothing, ACL_USE_L6REQ_PERMANENT, 0 },
 	{ "ssl_fc_has_sni",         acl_parse_int, smp_fetch_ssl_fc_has_sni,     acl_match_nothing, ACL_USE_L6REQ_PERMANENT, 0 },
 #ifdef OPENSSL_NPN_NEGOTIATED
 	{ "ssl_fc_npn",             acl_parse_str, smp_fetch_ssl_fc_npn,         acl_match_str,     ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
 #endif
+	{ "ssl_fc_protocol",        acl_parse_str, smp_fetch_ssl_fc_protocol,    acl_match_str,     ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
+	{ "ssl_fc_use_keysize",     acl_parse_str, smp_fetch_ssl_fc_use_keysize, acl_match_int,     ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
 	{ "ssl_fc_sni",             acl_parse_str, smp_fetch_ssl_fc_sni,         acl_match_str,     ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
 	{ "ssl_fc_sni_end",         acl_parse_str, smp_fetch_ssl_fc_sni,         acl_match_end,     ACL_USE_L6REQ_PERMANENT, 0 },
 	{ "ssl_fc_sni_reg",         acl_parse_reg, smp_fetch_ssl_fc_sni,         acl_match_reg,     ACL_USE_L6REQ_PERMANENT, 0 },