MINOR: checks: Add support of server side ssl sample fetches

SSL sample fetches acting on the server connection can now be called from any
sample expression or log-format string in a tcp-check based ruleset. ssl_bc and
ssl_bc_* sample fetches are concerned.
Christopher Faulet 2020-04-30 10:03:55 +02:00
parent d1b4464b69
commit d92ea7f5e7
2 changed files with 106 additions and 36 deletions


@ -16281,11 +16281,13 @@ future information. Those generally include the results of SSL negotiations.
ssl_bc : boolean ssl_bc : boolean
Returns true when the back connection was made via an SSL/TLS transport Returns true when the back connection was made via an SSL/TLS transport
layer and is locally deciphered. This means the outgoing connection was made layer and is locally deciphered. This means the outgoing connection was made
other a server with the "ssl" option. other a server with the "ssl" option. It can be used in a tcp-check or an
http-check ruleset.
ssl_bc_alg_keysize : integer ssl_bc_alg_keysize : integer
Returns the symmetric cipher key size supported in bits when the outgoing Returns the symmetric cipher key size supported in bits when the outgoing
connection was made over an SSL/TLS transport layer. connection was made over an SSL/TLS transport layer. It can be used in a
tcp-check or an http-check ruleset.
ssl_bc_alpn : string ssl_bc_alpn : string
This extracts the Application Layer Protocol Negotiation field from an This extracts the Application Layer Protocol Negotiation field from an
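
Review bot: the ssl_bc paragraph this hunk rewrites still carries the pre-existing typo "the outgoing connection was made other a server with the "ssl" option"; since the line is being re-flowed anyway, change it to "made to a server with the "ssl" option" in the same commit.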
@ -16296,21 +16298,25 @@ ssl_bc_alpn : string
not advertised unless the "alpn" keyword on the "server" line specifies a not advertised unless the "alpn" keyword on the "server" line specifies a
protocol list. Also, nothing forces the server to pick a protocol from this protocol list. Also, nothing forces the server to pick a protocol from this
list, any other one may be requested. The TLS ALPN extension is meant to list, any other one may be requested. The TLS ALPN extension is meant to
replace the TLS NPN extension. See also "ssl_bc_npn". replace the TLS NPN extension. See also "ssl_bc_npn". It can be used in a
tcp-check or an http-check ruleset.
ssl_bc_cipher : string ssl_bc_cipher : string
Returns the name of the used cipher when the outgoing connection was made Returns the name of the used cipher when the outgoing connection was made
over an SSL/TLS transport layer. over an SSL/TLS transport layer. It can be used in a tcp-check or an
http-check ruleset.
ssl_bc_client_random : binary ssl_bc_client_random : binary
Returns the client random of the back connection when the incoming connection Returns the client random of the back connection when the incoming connection
was made over an SSL/TLS transport layer. It is useful to to decrypt traffic was made over an SSL/TLS transport layer. It is useful to to decrypt traffic
sent using ephemeral ciphers. This requires OpenSSL >= 1.1.0, or BoringSSL. sent using ephemeral ciphers. This requires OpenSSL >= 1.1.0, or BoringSSL.
It can be used in a tcp-check or an http-check ruleset.
ssl_bc_is_resumed : boolean ssl_bc_is_resumed : boolean
Returns true when the back connection was made over an SSL/TLS transport Returns true when the back connection was made over an SSL/TLS transport
layer and the newly created SSL session was resumed using a cached layer and the newly created SSL session was resumed using a cached
session or a TLS ticket. session or a TLS ticket. It can be used in a tcp-check or an http-check
ruleset.
ssl_bc_npn : string ssl_bc_npn : string
This extracts the Next Protocol Negotiation field from an outgoing connection This extracts the Next Protocol Negotiation field from an outgoing connection
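
Review bot: the ssl_bc_client_random paragraph modified here keeps the doubled word in "It is useful to to decrypt traffic"; drop one "to" while the paragraph is being edited. The appended sentence "It can be used in a tcp-check or an http-check ruleset." is identical for every ssl_bc* entry, so it is worth double-checking that each one matches the behaviour of the corresponding fetch in the code hunks below before it is documented as supported.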
@ -16320,36 +16326,42 @@ ssl_bc_npn : string
the TLS NPN extension is not advertised unless the "npn" keyword on the the TLS NPN extension is not advertised unless the "npn" keyword on the
"server" line specifies a protocol list. Also, nothing forces the server to "server" line specifies a protocol list. Also, nothing forces the server to
pick a protocol from this list, any other one may be used. Please note that pick a protocol from this list, any other one may be used. Please note that
the TLS NPN extension was replaced with ALPN. the TLS NPN extension was replaced with ALPN. It can be used in a tcp-check
or an http-check ruleset.
ssl_bc_protocol : string ssl_bc_protocol : string
Returns the name of the used protocol when the outgoing connection was made Returns the name of the used protocol when the outgoing connection was made
over an SSL/TLS transport layer. over an SSL/TLS transport layer. It can be used in a tcp-check or an
http-check ruleset.
ssl_bc_unique_id : binary ssl_bc_unique_id : binary
When the outgoing connection was made over an SSL/TLS transport layer, When the outgoing connection was made over an SSL/TLS transport layer,
returns the TLS unique ID as defined in RFC5929 section 3. The unique id returns the TLS unique ID as defined in RFC5929 section 3. The unique id
can be encoded to base64 using the converter: "ssl_bc_unique_id,base64". can be encoded to base64 using the converter: "ssl_bc_unique_id,base64". It
can be used in a tcp-check or an http-check ruleset.
ssl_bc_server_random : binary ssl_bc_server_random : binary
Returns the server random of the back connection when the incoming connection Returns the server random of the back connection when the incoming connection
was made over an SSL/TLS transport layer. It is useful to to decrypt traffic was made over an SSL/TLS transport layer. It is useful to to decrypt traffic
sent using ephemeral ciphers. This requires OpenSSL >= 1.1.0, or BoringSSL. sent using ephemeral ciphers. This requires OpenSSL >= 1.1.0, or BoringSSL.
It can be used in a tcp-check or an http-check ruleset.
ssl_bc_session_id : binary ssl_bc_session_id : binary
Returns the SSL ID of the back connection when the outgoing connection was Returns the SSL ID of the back connection when the outgoing connection was
made over an SSL/TLS transport layer. It is useful to log if we want to know made over an SSL/TLS transport layer. It is useful to log if we want to know
if session was reused or not. if session was reused or not. It can be used in a tcp-check or an http-check
ruleset.
ssl_bc_session_key : binary ssl_bc_session_key : binary
Returns the SSL session master key of the back connection when the outgoing Returns the SSL session master key of the back connection when the outgoing
connection was made over an SSL/TLS transport layer. It is useful to decrypt connection was made over an SSL/TLS transport layer. It is useful to decrypt
traffic sent using ephemeral ciphers. This requires OpenSSL >= 1.1.0, or traffic sent using ephemeral ciphers. This requires OpenSSL >= 1.1.0, or
BoringSSL. BoringSSL. It can be used in a tcp-check or an http-check ruleset.
ssl_bc_use_keysize : integer ssl_bc_use_keysize : integer
Returns the symmetric cipher key size used in bits when the outgoing Returns the symmetric cipher key size used in bits when the outgoing
connection was made over an SSL/TLS transport layer. connection was made over an SSL/TLS transport layer. It can be used in a
tcp-check or an http-check ruleset.
ssl_c_ca_err : integer ssl_c_ca_err : integer
When the incoming connection was made over an SSL/TLS transport layer, When the incoming connection was made over an SSL/TLS transport layer,
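
Review bot: the same doubled "to to" is in the ssl_bc_server_random paragraph touched by this hunk ("It is useful to to decrypt traffic"); fix it here as well. For ssl_bc_session_key, ssl_bc_client_random and ssl_bc_server_random the text already says the values let one decrypt the traffic; now that they can be placed in a log-format string of a check ruleset, one sentence noting that logging them discloses the key material of the health-check connection would help operators choose which fetches to log.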


@ -8468,8 +8468,13 @@ smp_fetch_ssl_x_key_alg(const struct arg *args, struct sample *smp, const char *
static int static int
smp_fetch_ssl_fc(const struct arg *args, struct sample *smp, const char *kw, void *private) smp_fetch_ssl_fc(const struct arg *args, struct sample *smp, const char *kw, void *private)
{ {
struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) : struct connection *conn;
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
if (smp->sess && obj_type(smp->sess->origin) == OBJ_TYPE_CHECK)
conn = (kw[4] != 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL;
else
conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
smp->data.type = SMP_T_BOOL; smp->data.type = SMP_T_BOOL;
smp->data.u.sint = (conn && conn->xprt == &ssl_sock); smp->data.u.sint = (conn && conn->xprt == &ssl_sock);
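
Review bot: the new check branch looks inverted relative to the commit message. `conn = (kw[4] != 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL;` hands the health-check connection to the ssl_fc* keywords (kw[4] != 'b') and leaves conn NULL for ssl_bc*, so in a tcp-check ruleset ssl_bc would always evaluate to false while ssl_fc would report the server-side connection. The stated intent (ssl_bc and ssl_bc_* usable in check rulesets) needs `(kw[4] == 'b')` in that branch. The same five-line connection selection is pasted into every fetch function in this patch; a small static helper, for instance a hypothetical `static struct connection *smp_ssl_conn(struct sample *smp, const char *kw)`, would let the condition be fixed in one place and keep the twelve copies from drifting apart.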
@ -8501,10 +8506,16 @@ smp_fetch_ssl_fc_has_sni(const struct arg *args, struct sample *smp, const char
static int static int
smp_fetch_ssl_fc_is_resumed(const struct arg *args, struct sample *smp, const char *kw, void *private) smp_fetch_ssl_fc_is_resumed(const struct arg *args, struct sample *smp, const char *kw, void *private)
{ {
struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) : struct connection *conn;
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL; struct ssl_sock_ctx *ctx;
struct ssl_sock_ctx *ctx = conn ? conn->xprt_ctx : NULL;
if (smp->sess && obj_type(smp->sess->origin) == OBJ_TYPE_CHECK)
conn = (kw[4] != 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL;
else
conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
ctx = conn ? conn->xprt_ctx : NULL;
smp->data.type = SMP_T_BOOL; smp->data.type = SMP_T_BOOL;
smp->data.u.sint = (conn && conn->xprt == &ssl_sock) && smp->data.u.sint = (conn && conn->xprt == &ssl_sock) &&
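
Review bot: the check branch guards with `smp->sess && obj_type(smp->sess->origin) == OBJ_TYPE_CHECK`, but the else branch then dereferences `smp->sess->origin` unconditionally, exactly as the old code did. Either smp->sess can be NULL here, in which case the else branch needs the same guard, or it cannot, in which case the `smp->sess &&` test is dead and should go; the two branches should agree. The same pattern is repeated in every fetch below.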
@ -8520,10 +8531,15 @@ smp_fetch_ssl_fc_is_resumed(const struct arg *args, struct sample *smp, const ch
static int static int
smp_fetch_ssl_fc_cipher(const struct arg *args, struct sample *smp, const char *kw, void *private) smp_fetch_ssl_fc_cipher(const struct arg *args, struct sample *smp, const char *kw, void *private)
{ {
struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) : struct connection *conn;
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
struct ssl_sock_ctx *ctx; struct ssl_sock_ctx *ctx;
if (smp->sess && obj_type(smp->sess->origin) == OBJ_TYPE_CHECK)
conn = (kw[4] != 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL;
else
conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
smp->flags = 0; smp->flags = 0;
if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock) if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
return 0; return 0;
@ -8548,11 +8564,16 @@ smp_fetch_ssl_fc_cipher(const struct arg *args, struct sample *smp, const char *
static int static int
smp_fetch_ssl_fc_alg_keysize(const struct arg *args, struct sample *smp, const char *kw, void *private) smp_fetch_ssl_fc_alg_keysize(const struct arg *args, struct sample *smp, const char *kw, void *private)
{ {
struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) : struct connection *conn;
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
struct ssl_sock_ctx *ctx; struct ssl_sock_ctx *ctx;
int sint; int sint;
if (smp->sess && obj_type(smp->sess->origin) == OBJ_TYPE_CHECK)
conn = (kw[4] != 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL;
else
conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
smp->flags = 0; smp->flags = 0;
if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock) if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
return 0; return 0;
@ -8574,10 +8595,15 @@ smp_fetch_ssl_fc_alg_keysize(const struct arg *args, struct sample *smp, const c
static int static int
smp_fetch_ssl_fc_use_keysize(const struct arg *args, struct sample *smp, const char *kw, void *private) smp_fetch_ssl_fc_use_keysize(const struct arg *args, struct sample *smp, const char *kw, void *private)
{ {
struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) : struct connection *conn;
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
struct ssl_sock_ctx *ctx; struct ssl_sock_ctx *ctx;
if (smp->sess && obj_type(smp->sess->origin) == OBJ_TYPE_CHECK)
conn = (kw[4] != 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL;
else
conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
smp->flags = 0; smp->flags = 0;
if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock) if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
return 0; return 0;
@ -8603,8 +8629,12 @@ smp_fetch_ssl_fc_npn(const struct arg *args, struct sample *smp, const char *kw,
smp->flags = SMP_F_CONST; smp->flags = SMP_F_CONST;
smp->data.type = SMP_T_STR; smp->data.type = SMP_T_STR;
conn = (kw[4] != 'b' ) ? objt_conn(smp->sess->origin) : if (smp->sess && obj_type(smp->sess->origin) == OBJ_TYPE_CHECK)
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL; conn = (kw[4] != 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL;
else
conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock) if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
return 0; return 0;
ctx = conn->xprt_ctx; ctx = conn->xprt_ctx;
@ -8633,8 +8663,11 @@ smp_fetch_ssl_fc_alpn(const struct arg *args, struct sample *smp, const char *kw
smp->flags = SMP_F_CONST; smp->flags = SMP_F_CONST;
smp->data.type = SMP_T_STR; smp->data.type = SMP_T_STR;
conn = (kw[4] != 'b' ) ? objt_conn(smp->sess->origin) : if (smp->sess && obj_type(smp->sess->origin) == OBJ_TYPE_CHECK)
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL; conn = (kw[4] != 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL;
else
conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock) if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
return 0; return 0;
@ -8660,10 +8693,15 @@ smp_fetch_ssl_fc_alpn(const struct arg *args, struct sample *smp, const char *kw
static int static int
smp_fetch_ssl_fc_protocol(const struct arg *args, struct sample *smp, const char *kw, void *private) smp_fetch_ssl_fc_protocol(const struct arg *args, struct sample *smp, const char *kw, void *private)
{ {
struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) : struct connection *conn;
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
struct ssl_sock_ctx *ctx; struct ssl_sock_ctx *ctx;
if (smp->sess && obj_type(smp->sess->origin) == OBJ_TYPE_CHECK)
conn = (kw[4] != 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL;
else
conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
smp->flags = 0; smp->flags = 0;
if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock) if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
return 0; return 0;
@ -8688,8 +8726,7 @@ smp_fetch_ssl_fc_protocol(const struct arg *args, struct sample *smp, const char
static int static int
smp_fetch_ssl_fc_session_id(const struct arg *args, struct sample *smp, const char *kw, void *private) smp_fetch_ssl_fc_session_id(const struct arg *args, struct sample *smp, const char *kw, void *private)
{ {
struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) : struct connection *conn;
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
SSL_SESSION *ssl_sess; SSL_SESSION *ssl_sess;
struct ssl_sock_ctx *ctx; struct ssl_sock_ctx *ctx;
unsigned int len = 0; unsigned int len = 0;
@ -8697,6 +8734,12 @@ smp_fetch_ssl_fc_session_id(const struct arg *args, struct sample *smp, const ch
smp->flags = SMP_F_CONST; smp->flags = SMP_F_CONST;
smp->data.type = SMP_T_BIN; smp->data.type = SMP_T_BIN;
if (smp->sess && obj_type(smp->sess->origin) == OBJ_TYPE_CHECK)
conn = (kw[4] != 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL;
else
conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock) if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
return 0; return 0;
ctx = conn->xprt_ctx; ctx = conn->xprt_ctx;
@ -8719,11 +8762,16 @@ smp_fetch_ssl_fc_session_id(const struct arg *args, struct sample *smp, const ch
static int static int
smp_fetch_ssl_fc_random(const struct arg *args, struct sample *smp, const char *kw, void *private) smp_fetch_ssl_fc_random(const struct arg *args, struct sample *smp, const char *kw, void *private)
{ {
struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) : struct connection *conn;
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
struct buffer *data; struct buffer *data;
struct ssl_sock_ctx *ctx; struct ssl_sock_ctx *ctx;
if (smp->sess && obj_type(smp->sess->origin) == OBJ_TYPE_CHECK)
conn = (kw[4] != 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL;
else
conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock) if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
return 0; return 0;
ctx = conn->xprt_ctx; ctx = conn->xprt_ctx;
@ -8750,12 +8798,17 @@ smp_fetch_ssl_fc_random(const struct arg *args, struct sample *smp, const char *
static int static int
smp_fetch_ssl_fc_session_key(const struct arg *args, struct sample *smp, const char *kw, void *private) smp_fetch_ssl_fc_session_key(const struct arg *args, struct sample *smp, const char *kw, void *private)
{ {
struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) : struct connection *conn;
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
SSL_SESSION *ssl_sess; SSL_SESSION *ssl_sess;
struct buffer *data; struct buffer *data;
struct ssl_sock_ctx *ctx; struct ssl_sock_ctx *ctx;
if (smp->sess && obj_type(smp->sess->origin) == OBJ_TYPE_CHECK)
conn = (kw[4] != 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL;
else
conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock) if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
return 0; return 0;
ctx = conn->xprt_ctx; ctx = conn->xprt_ctx;
@ -8903,12 +8956,17 @@ smp_fetch_ssl_fc_cl_str(const struct arg *args, struct sample *smp, const char *
static int static int
smp_fetch_ssl_fc_unique_id(const struct arg *args, struct sample *smp, const char *kw, void *private) smp_fetch_ssl_fc_unique_id(const struct arg *args, struct sample *smp, const char *kw, void *private)
{ {
struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) : struct connection *conn;
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
int finished_len; int finished_len;
struct buffer *finished_trash; struct buffer *finished_trash;
struct ssl_sock_ctx *ctx; struct ssl_sock_ctx *ctx;
if (smp->sess && obj_type(smp->sess->origin) == OBJ_TYPE_CHECK)
conn = (kw[4] != 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL;
else
conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
smp->flags = 0; smp->flags = 0;
if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock) if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
return 0; return 0;