mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-08-07 07:37:02 +02:00
Code Issues Projects Releases Wiki Activity

MINOR: ssl: add fetch 'ssl_fc_session_key' and 'ssl_bc_session_key'

Browse Source 
These fetches return the SSL master key of the front/back connection.
This is useful to decrypt traffic encrypted with ephemeral ciphers.
This commit is contained in:
Patrick Hemmer 2018-04-28 19:15:51 -04:00 committed by Willy Tarreau
parent 419667746b
commit e027547f8d
2 changed files with 48 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
doc/configuration.txt
View File

@ -14484,6 +14484,12 @@ ssl_bc_session_id : binary
made over an SSL/TLS transport layer. It is useful to log if we want to know
if session was reused or not.
ssl_bc_session_key : binary
Returns the SSL session master key of the back connection when the outgoing
connection was made over an SSL/TLS transport layer. It is useful to decrypt
traffic sent using ephemeral ciphers. This requires OpenSSL >= 1.1.0, or
BoringSSL.
ssl_bc_use_keysize : integer
Returns the symmetric cipher key size used in bits when the outgoing
connection was made over an SSL/TLS transport layer.
@ -14744,6 +14750,13 @@ ssl_fc_session_id : binary
a server. It is important to note that some browsers refresh their session ID
every few minutes.
ssl_fc_session_key : binary
Returns the SSL session master key of the front connection when the incoming
connection was made over an SSL/TLS transport layer. It is useful to decrypt
traffic sent using ephemeral ciphers. This requires OpenSSL >= 1.1.0, or
BoringSSL.
ssl_fc_sni : string
This extracts the Server Name Indication TLS extension (SNI) field from an
incoming connection made via an SSL/TLS transport layer and locally

35
src/ssl_sock.c
View File

@ -6895,6 +6895,35 @@ smp_fetch_ssl_fc_session_id(const struct arg *args, struct sample *smp, const ch
#endif
#if OPENSSL_VERSION_NUMBER >= 0x10100000L || defined(OPENSSL_IS_BORINGSSL)
static int
smp_fetch_ssl_fc_session_key(const struct arg *args, struct sample *smp, const char *kw, void *private)
{
struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
SSL_SESSION *ssl_sess;
struct chunk *data;
if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
return 0;
ssl_sess = SSL_get_session(conn->xprt_ctx);
if (!ssl_sess)
return 0;
data = get_trash_chunk();
data->len = SSL_SESSION_get_master_key(ssl_sess, (unsigned char *)data->str, data->size);
if (!data->len)
return 0;
smp->flags = 0;
smp->data.type = SMP_T_BIN;
smp->data.u.str = *data;
return 1;
}
#endif
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
static int
smp_fetch_ssl_fc_sni(const struct arg *args, struct sample *smp, const char *kw, void *private)
@ -8639,6 +8668,9 @@ static struct sample_fetch_kw_list sample_fetch_keywords = {ILH, {
{ "ssl_bc_use_keysize", smp_fetch_ssl_fc_use_keysize, 0, NULL, SMP_T_SINT, SMP_USE_L5SRV },
#if OPENSSL_VERSION_NUMBER > 0x0090800fL
{ "ssl_bc_session_id", smp_fetch_ssl_fc_session_id, 0, NULL, SMP_T_BIN, SMP_USE_L5SRV },
#endif
#if OPENSSL_VERSION_NUMBER >= 0x10100000L || defined(OPENSSL_IS_BORINGSSL)
{ "ssl_bc_session_key", smp_fetch_ssl_fc_session_key, 0, NULL, SMP_T_BIN, SMP_USE_L5SRV },
#endif
{ "ssl_c_ca_err", smp_fetch_ssl_c_ca_err, 0, NULL, SMP_T_SINT, SMP_USE_L5CLI },
{ "ssl_c_ca_err_depth", smp_fetch_ssl_c_ca_err_depth, 0, NULL, SMP_T_SINT, SMP_USE_L5CLI },
@ -8686,6 +8718,9 @@ static struct sample_fetch_kw_list sample_fetch_keywords = {ILH, {
#if OPENSSL_VERSION_NUMBER > 0x0090800fL
{ "ssl_fc_session_id", smp_fetch_ssl_fc_session_id, 0, NULL, SMP_T_BIN, SMP_USE_L5CLI },
#endif
#if OPENSSL_VERSION_NUMBER >= 0x10100000L || defined(OPENSSL_IS_BORINGSSL)
{ "ssl_fc_session_key", smp_fetch_ssl_fc_session_key, 0, NULL, SMP_T_BIN, SMP_USE_L5CLI },
#endif
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
{ "ssl_fc_sni", smp_fetch_ssl_fc_sni, 0, NULL, SMP_T_STR, SMP_USE_L5CLI },
#endif