add log format for whether origin TLS connection resumed an existing…

… TLS session (apache#8745) (apache#665) (cherry picked from commit 6807019)
JosiahWI · Apr 7, 2022 · c41874e · c41874e
1 parent dbb3f26
commit c41874e
Show file tree

Hide file tree

Showing 8 changed files with 41 additions and 3 deletions.
diff --git a/doc/admin-guide/logging/formatting.en.rst b/doc/admin-guide/logging/formatting.en.rst
@@ -636,6 +636,9 @@ cqssu  Client Request SSL Elliptic Curve used by |TS| to communicate with the
 cqssa  Client Request ALPN Protocol ID negotiated with the client.
 pqssl  Proxy Request  Indicates whether the connection from |TS| to the origin
                       was over SSL or not.
+pqssr  Proxy Request  SSL session ticket reused status from |TS| to the origin;
+                      indicates if the current request hit the SSL session ticket
+                      and avoided a full SSL handshake.
 pscert Proxy Request  1 if origin requested certificate from |TS| during TLS
                       handshake but no client certificate was defined. 2 if origin
                       requested certificate from |TS| during TLS handshake and a

diff --git a/iocore/net/TLSSessionResumptionSupport.cc b/iocore/net/TLSSessionResumptionSupport.cc
@@ -122,6 +122,12 @@ TLSSessionResumptionSupport::getSSLSessionCacheHit() const
   return this->_sslSessionCacheHit;
 }
 
+bool
+TLSSessionResumptionSupport::getSSLOriginSessionCacheHit() const
+{
+  return this->_sslOriginSessionCacheHit;
+}
+
 ssl_curve_id
 TLSSessionResumptionSupport::getSSLCurveNID() const
 {
@@ -190,7 +196,7 @@ TLSSessionResumptionSupport::getOriginSession(SSL *ssl, const std::string &looku
       shared_sess.reset();
     } else {
       SSL_INCREMENT_DYN_STAT(ssl_origin_session_cache_hit);
-      this->_setSSLSessionCacheHit(true);
+      this->_setSSLOriginSessionCacheHit(true);
       this->_setSSLCurveNID(curve);
     }
   } else {
@@ -293,6 +299,12 @@ TLSSessionResumptionSupport::_setSSLSessionCacheHit(bool state)
   this->_sslSessionCacheHit = state;
 }
 
+void
+TLSSessionResumptionSupport::_setSSLOriginSessionCacheHit(bool state)
+{
+  this->_sslOriginSessionCacheHit = state;
+}
+
 void
 TLSSessionResumptionSupport::_setSSLCurveNID(ssl_curve_id curve_nid)
 {

diff --git a/iocore/net/TLSSessionResumptionSupport.h b/iocore/net/TLSSessionResumptionSupport.h
@@ -48,6 +48,7 @@ class TLSSessionResumptionSupport
                            int enc);
 #endif
   bool getSSLSessionCacheHit() const;
+  bool getSSLOriginSessionCacheHit() const;
   ssl_curve_id getSSLCurveNID() const;
 
   SSL_SESSION *getSession(SSL *ssl, const unsigned char *id, int len, int *copy);
@@ -60,8 +61,9 @@ class TLSSessionResumptionSupport
 private:
   static int _ex_data_index;
 
-  bool _sslSessionCacheHit = false;
-  int _sslCurveNID         = NID_undef;
+  bool _sslSessionCacheHit       = false;
+  bool _sslOriginSessionCacheHit = false;
+  int _sslCurveNID               = NID_undef;
 
 #ifdef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB
   int _setSessionInformation(ssl_ticket_key_block *keyblock, SSL *ssl, unsigned char *keyname, unsigned char *iv,
@@ -76,5 +78,6 @@ class TLSSessionResumptionSupport
 #endif
 
   void _setSSLSessionCacheHit(bool state);
+  void _setSSLOriginSessionCacheHit(bool state);
   void _setSSLCurveNID(ssl_curve_id curve_nid);
 };
diff --git a/proxy/http/HttpSM.cc b/proxy/http/HttpSM.cc
@@ -6652,6 +6652,10 @@ HttpSM::attach_server_session()
     server_connection_is_ssl = true;
   }
 
+  if (auto tsrs = dynamic_cast<TLSSessionResumptionSupport *>(server_vc)) {
+    server_ssl_reused = tsrs->getSSLOriginSessionCacheHit();
+  }
+
   server_protocol = server_txn->get_protocol_string();
 
   // Initiate a read on the session so that the SM and not

diff --git a/proxy/http/HttpSM.h b/proxy/http/HttpSM.h
@@ -600,6 +600,7 @@ class HttpSM : public Continuation, public PluginUserArgs<TS_USER_ARGS_TXN>
   bool client_ssl_reused              = false;
   bool client_connection_is_ssl       = false;
   bool is_internal                    = false;
+  bool server_ssl_reused              = false;
   bool server_connection_is_ssl       = false;
   bool is_waiting_for_full_body       = false;
   bool is_using_post_buffer           = false;

diff --git a/proxy/logging/Log.cc b/proxy/logging/Log.cc
@@ -747,6 +747,11 @@ Log::init_fields()
   global_field_list.add(field, false);
   field_symbol_hash.emplace("pqssl", field);
 
+  field = new LogField("proxy_req_ssl_reused", "pqssr", LogField::dINT, &LogAccess::marshal_proxy_req_ssl_reused,
+                       &LogAccess::unmarshal_int_to_str);
+  global_field_list.add(field, false);
+  field_symbol_hash.emplace("pqssr", field);
+
   field = new LogField("proxy_request_all_header_fields", "pqah", LogField::STRING, &LogAccess::marshal_proxy_req_all_header_fields,
                        &LogUtils::unmarshalMimeHdr);
   global_field_list.add(field, false);

diff --git a/proxy/logging/LogAccess.cc b/proxy/logging/LogAccess.cc
@@ -2312,6 +2312,15 @@ LogAccess::marshal_proxy_req_is_ssl(char *buf)
   return INK_MIN_ALIGN;
 }
 
+int
+LogAccess::marshal_proxy_req_ssl_reused(char *buf)
+{
+  if (buf) {
+    marshal_int(buf, m_http_sm->server_ssl_reused ? 1 : 0);
+  }
+  return INK_MIN_ALIGN;
+}
+
 /*-------------------------------------------------------------------------
   -------------------------------------------------------------------------*/
 

diff --git a/proxy/logging/LogAccess.h b/proxy/logging/LogAccess.h
@@ -189,6 +189,7 @@ class LogAccess
   int marshal_proxy_host_name(char *);             // STR
   int marshal_proxy_host_ip(char *);               // STR
   int marshal_proxy_req_is_ssl(char *);            // INT
+  int marshal_proxy_req_ssl_reused(char *);        // INT
   int marshal_proxy_req_all_header_fields(char *); // STR
 
   //