diff --git a/doc/admin-guide/monitoring/statistics/core/ssl.en.rst b/doc/admin-guide/monitoring/statistics/core/ssl.en.rst index 59eaa918a54..22bed6280c0 100644 --- a/doc/admin-guide/monitoring/statistics/core/ssl.en.rst +++ b/doc/admin-guide/monitoring/statistics/core/ssl.en.rst @@ -194,6 +194,50 @@ SSL/TLS Incoming client SSL connections which presented a client certificate that had been revoked, since statistics collection began. +.. ts:stat:: global proxy.process.ssl.user_agent_decryption_failed_or_bad_record_mac integer + :type: counter + + Incoming client SSL connections which failed decryption or had a mismatched + MAC, since statistics collection began. + +.. ts:stat:: global proxy.process.ssl.user_agent_http_request integer + :type: counter + + Incoming client SSL connections which attempted to use plaintext HTTP without + SSL encryption, since statistics collection began. + +.. ts:stat:: global proxy.process.ssl.user_agent_inappropriate_fallback integer + :type: counter + + Incoming client SSL connections which used a fallback to an older TLS version + that |TS| doesn't support, since statistics collection began. + +.. ts:stat:: global proxy.process.ssl.user_agent_no_shared_cipher integer + :type: counter + + Incoming client SSL connections which failed due to no match in supported + ciphers between the client and |TS|, since statistics collection began. + +.. ts:stat:: global proxy.process.ssl.user_agent_version_too_high integer + :type: counter + + Incoming client SSL connections which failed due to the client only + supporting TLS versions that are too high for |TS| to support, since + statistics collection began. + + This stat is only incremented when |TS| is built against an SSL library, such + as OpenSSL, that supports the ``SSL_R_VERSION_TOO_HIGH`` error. + +.. ts:stat:: global proxy.process.ssl.user_agent_version_too_low integer + :type: counter + + Incoming client SSL connections which failed due to the client only + supporting TLS versions that are too low for |TS| to accept, since statistics + collection began. + + This stat is only incremented when |TS| is built against an SSL library, such + as OpenSSL, that supports the ``SSL_R_VERSION_TOO_LOW`` error. + .. ts:stat:: global proxy.process.ssl.user_agent_session_hit integer :type: counter diff --git a/src/iocore/net/SSLDiags.cc b/src/iocore/net/SSLDiags.cc index a7d5bffa458..7883fe6b422 100644 --- a/src/iocore/net/SSLDiags.cc +++ b/src/iocore/net/SSLDiags.cc @@ -30,6 +30,7 @@ #include "P_SSLNetVConnection.h" static DbgCtl ssl_diags_dbg_ctl{"ssl-diag"}; +static DbgCtl ssl_error_dbg_ctl{"ssl-error"}; // return true if we have a stat for the error static bool @@ -37,6 +38,7 @@ increment_ssl_client_error(unsigned long err) { // we only look for LIB_SSL errors atm if (ERR_LIB_SSL != ERR_GET_LIB(err)) { + Dbg(ssl_error_dbg_ctl, "User agent SSL error not ERR_LIB_SSL: %lu", err); Metrics::Counter::increment(ssl_rsb.user_agent_other_errors); return false; } @@ -69,7 +71,31 @@ increment_ssl_client_error(unsigned long err) case SSL_R_TLSV1_ALERT_UNKNOWN_CA: Metrics::Counter::increment(ssl_rsb.user_agent_unknown_ca); break; + case SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC: + Metrics::Counter::increment(ssl_rsb.user_agent_decryption_failed_or_bad_record_mac); + break; + case SSL_R_HTTP_REQUEST: + Metrics::Counter::increment(ssl_rsb.user_agent_http_request); + break; + case SSL_R_INAPPROPRIATE_FALLBACK: + Metrics::Counter::increment(ssl_rsb.user_agent_inappropriate_fallback); + break; + case SSL_R_NO_SHARED_CIPHER: + Metrics::Counter::increment(ssl_rsb.user_agent_no_shared_cipher); + break; +#ifdef SSL_R_VERSION_TOO_HIGH + case SSL_R_VERSION_TOO_HIGH: + Metrics::Counter::increment(ssl_rsb.user_agent_version_too_high); + break; +#endif /* SSL_R_VERSION_TOO_HIGH */ +#ifdef SSL_R_VERSION_TOO_LOW + case SSL_R_VERSION_TOO_LOW: + Metrics::Counter::increment(ssl_rsb.user_agent_version_too_low); + break; +#endif /* SSL_R_VERSION_TOO_LOW */ + default: + Dbg(ssl_error_dbg_ctl, "Unknown user agent SSL error: %d", ERR_GET_REASON(err)); Metrics::Counter::increment(ssl_rsb.user_agent_other_errors); return false; } @@ -84,6 +110,7 @@ increment_ssl_server_error(unsigned long err) { // we only look for LIB_SSL errors atm if (ERR_LIB_SSL != ERR_GET_LIB(err)) { + Dbg(ssl_error_dbg_ctl, "Origin server SSL error not ERR_LIB_SSL: %lu", err); Metrics::Counter::increment(ssl_rsb.origin_server_other_errors); return false; } @@ -117,6 +144,7 @@ increment_ssl_server_error(unsigned long err) Metrics::Counter::increment(ssl_rsb.origin_server_unknown_ca); break; default: + Dbg(ssl_error_dbg_ctl, "Unknown origin server SSL error: %d", ERR_GET_REASON(err)); Metrics::Counter::increment(ssl_rsb.origin_server_other_errors); return false; } diff --git a/src/iocore/net/SSLStats.cc b/src/iocore/net/SSLStats.cc index 4caa5c4cadc..c0b19f65d63 100644 --- a/src/iocore/net/SSLStats.cc +++ b/src/iocore/net/SSLStats.cc @@ -209,16 +209,23 @@ SSLInitializeStatistics() ssl_rsb.user_agent_bad_cert = Metrics::Counter::createPtr("proxy.process.ssl.user_agent_bad_cert"); ssl_rsb.user_agent_cert_verify_failed = Metrics::Counter::createPtr("proxy.process.ssl.user_agent_cert_verify_failed"); ssl_rsb.user_agent_decryption_failed = Metrics::Counter::createPtr("proxy.process.ssl.user_agent_decryption_failed"); - ssl_rsb.user_agent_expired_cert = Metrics::Counter::createPtr("proxy.process.ssl.user_agent_expired_cert"); - ssl_rsb.user_agent_other_errors = Metrics::Counter::createPtr("proxy.process.ssl.user_agent_other_errors"); - ssl_rsb.user_agent_revoked_cert = Metrics::Counter::createPtr("proxy.process.ssl.user_agent_revoked_cert"); - ssl_rsb.user_agent_session_hit = Metrics::Gauge::createPtr("proxy.process.ssl.user_agent_session_hit"); - ssl_rsb.user_agent_session_miss = Metrics::Gauge::createPtr("proxy.process.ssl.user_agent_session_miss"); - ssl_rsb.user_agent_session_timeout = Metrics::Gauge::createPtr("proxy.process.ssl.user_agent_session_timeout"); - ssl_rsb.user_agent_sessions = Metrics::Gauge::createPtr("proxy.process.ssl.user_agent_sessions"); - ssl_rsb.user_agent_unknown_ca = Metrics::Counter::createPtr("proxy.process.ssl.user_agent_unknown_ca"); - ssl_rsb.user_agent_unknown_cert = Metrics::Counter::createPtr("proxy.process.ssl.user_agent_unknown_cert"); - ssl_rsb.user_agent_wrong_version = Metrics::Counter::createPtr("proxy.process.ssl.user_agent_wrong_version"); + ssl_rsb.user_agent_decryption_failed_or_bad_record_mac = + Metrics::Counter::createPtr("proxy.process.ssl.user_agent_decryption_failed_or_bad_record_mac"); + ssl_rsb.user_agent_expired_cert = Metrics::Counter::createPtr("proxy.process.ssl.user_agent_expired_cert"); + ssl_rsb.user_agent_http_request = Metrics::Counter::createPtr("proxy.process.ssl.user_agent_http_request"); + ssl_rsb.user_agent_inappropriate_fallback = Metrics::Counter::createPtr("proxy.process.ssl.user_agent_inappropriate_fallback"); + ssl_rsb.user_agent_no_shared_cipher = Metrics::Counter::createPtr("proxy.process.ssl.user_agent_no_shared_cipher"); + ssl_rsb.user_agent_other_errors = Metrics::Counter::createPtr("proxy.process.ssl.user_agent_other_errors"); + ssl_rsb.user_agent_revoked_cert = Metrics::Counter::createPtr("proxy.process.ssl.user_agent_revoked_cert"); + ssl_rsb.user_agent_session_hit = Metrics::Gauge::createPtr("proxy.process.ssl.user_agent_session_hit"); + ssl_rsb.user_agent_session_miss = Metrics::Gauge::createPtr("proxy.process.ssl.user_agent_session_miss"); + ssl_rsb.user_agent_session_timeout = Metrics::Gauge::createPtr("proxy.process.ssl.user_agent_session_timeout"); + ssl_rsb.user_agent_sessions = Metrics::Gauge::createPtr("proxy.process.ssl.user_agent_sessions"); + ssl_rsb.user_agent_unknown_ca = Metrics::Counter::createPtr("proxy.process.ssl.user_agent_unknown_ca"); + ssl_rsb.user_agent_unknown_cert = Metrics::Counter::createPtr("proxy.process.ssl.user_agent_unknown_cert"); + ssl_rsb.user_agent_version_too_high = Metrics::Counter::createPtr("proxy.process.ssl.user_agent_version_too_high"); + ssl_rsb.user_agent_version_too_low = Metrics::Counter::createPtr("proxy.process.ssl.user_agent_version_too_low"); + ssl_rsb.user_agent_wrong_version = Metrics::Counter::createPtr("proxy.process.ssl.user_agent_wrong_version"); #if defined(OPENSSL_IS_BORINGSSL) size_t n = SSL_get_all_cipher_names(nullptr, 0); diff --git a/src/iocore/net/SSLStats.h b/src/iocore/net/SSLStats.h index 1630036a300..c0112ddaac8 100644 --- a/src/iocore/net/SSLStats.h +++ b/src/iocore/net/SSLStats.h @@ -39,64 +39,70 @@ using ts::Metrics; // for ssl_rsb.total_ticket_keys_renewed needs this initialization, but lets be // consistent at least. struct SSLStatsBlock { - Metrics::Counter::AtomicType *early_data_received_count = nullptr; - Metrics::Counter::AtomicType *error_async = nullptr; - Metrics::Counter::AtomicType *error_ssl = nullptr; - Metrics::Counter::AtomicType *error_syscall = nullptr; - Metrics::Counter::AtomicType *ocsp_refresh_cert_failure = nullptr; - Metrics::Counter::AtomicType *ocsp_refreshed_cert = nullptr; - Metrics::Counter::AtomicType *ocsp_revoked_cert = nullptr; - Metrics::Counter::AtomicType *ocsp_unknown_cert = nullptr; - Metrics::Counter::AtomicType *origin_server_bad_cert = nullptr; - Metrics::Counter::AtomicType *origin_server_cert_verify_failed = nullptr; - Metrics::Counter::AtomicType *origin_server_decryption_failed = nullptr; - Metrics::Counter::AtomicType *origin_server_expired_cert = nullptr; - Metrics::Counter::AtomicType *origin_server_other_errors = nullptr; - Metrics::Counter::AtomicType *origin_server_revoked_cert = nullptr; - Metrics::Counter::AtomicType *origin_server_unknown_ca = nullptr; - Metrics::Counter::AtomicType *origin_server_unknown_cert = nullptr; - Metrics::Counter::AtomicType *origin_server_wrong_version = nullptr; - Metrics::Counter::AtomicType *origin_session_cache_hit = nullptr; - Metrics::Counter::AtomicType *origin_session_cache_miss = nullptr; - Metrics::Counter::AtomicType *origin_session_reused_count = nullptr; - Metrics::Counter::AtomicType *session_cache_eviction = nullptr; - Metrics::Counter::AtomicType *session_cache_hit = nullptr; - Metrics::Counter::AtomicType *session_cache_lock_contention = nullptr; - Metrics::Counter::AtomicType *session_cache_miss = nullptr; - Metrics::Counter::AtomicType *session_cache_new_session = nullptr; - Metrics::Counter::AtomicType *sni_name_set_failure = nullptr; - Metrics::Counter::AtomicType *total_attempts_handshake_count_in = nullptr; - Metrics::Counter::AtomicType *total_attempts_handshake_count_out = nullptr; - Metrics::Counter::AtomicType *total_dyn_def_tls_record_count = nullptr; - Metrics::Counter::AtomicType *total_dyn_max_tls_record_count = nullptr; - Metrics::Counter::AtomicType *total_dyn_redo_tls_record_count = nullptr; - Metrics::Counter::AtomicType *total_handshake_time = nullptr; - Metrics::Counter::AtomicType *total_sslv3 = nullptr; - Metrics::Counter::AtomicType *total_success_handshake_count_in = nullptr; - Metrics::Counter::AtomicType *total_success_handshake_count_out = nullptr; - Metrics::Counter::AtomicType *total_ticket_keys_renewed = nullptr; - Metrics::Counter::AtomicType *total_tickets_created = nullptr; - Metrics::Counter::AtomicType *total_tickets_not_found = nullptr; - Metrics::Counter::AtomicType *total_tickets_renewed = nullptr; - Metrics::Counter::AtomicType *total_tickets_verified_old_key = nullptr; - Metrics::Counter::AtomicType *total_tickets_verified = nullptr; - Metrics::Counter::AtomicType *total_tlsv1 = nullptr; - Metrics::Counter::AtomicType *total_tlsv11 = nullptr; - Metrics::Counter::AtomicType *total_tlsv12 = nullptr; - Metrics::Counter::AtomicType *total_tlsv13 = nullptr; - Metrics::Counter::AtomicType *user_agent_bad_cert = nullptr; - Metrics::Counter::AtomicType *user_agent_cert_verify_failed = nullptr; - Metrics::Counter::AtomicType *user_agent_decryption_failed = nullptr; - Metrics::Counter::AtomicType *user_agent_expired_cert = nullptr; - Metrics::Counter::AtomicType *user_agent_other_errors = nullptr; - Metrics::Counter::AtomicType *user_agent_revoked_cert = nullptr; - Metrics::Gauge::AtomicType *user_agent_session_hit = nullptr; - Metrics::Gauge::AtomicType *user_agent_session_miss = nullptr; - Metrics::Gauge::AtomicType *user_agent_session_timeout = nullptr; - Metrics::Gauge::AtomicType *user_agent_sessions = nullptr; - Metrics::Counter::AtomicType *user_agent_unknown_ca = nullptr; - Metrics::Counter::AtomicType *user_agent_unknown_cert = nullptr; - Metrics::Counter::AtomicType *user_agent_wrong_version = nullptr; + Metrics::Counter::AtomicType *early_data_received_count = nullptr; + Metrics::Counter::AtomicType *error_async = nullptr; + Metrics::Counter::AtomicType *error_ssl = nullptr; + Metrics::Counter::AtomicType *error_syscall = nullptr; + Metrics::Counter::AtomicType *ocsp_refresh_cert_failure = nullptr; + Metrics::Counter::AtomicType *ocsp_refreshed_cert = nullptr; + Metrics::Counter::AtomicType *ocsp_revoked_cert = nullptr; + Metrics::Counter::AtomicType *ocsp_unknown_cert = nullptr; + Metrics::Counter::AtomicType *origin_server_bad_cert = nullptr; + Metrics::Counter::AtomicType *origin_server_cert_verify_failed = nullptr; + Metrics::Counter::AtomicType *origin_server_decryption_failed = nullptr; + Metrics::Counter::AtomicType *origin_server_expired_cert = nullptr; + Metrics::Counter::AtomicType *origin_server_other_errors = nullptr; + Metrics::Counter::AtomicType *origin_server_revoked_cert = nullptr; + Metrics::Counter::AtomicType *origin_server_unknown_ca = nullptr; + Metrics::Counter::AtomicType *origin_server_unknown_cert = nullptr; + Metrics::Counter::AtomicType *origin_server_wrong_version = nullptr; + Metrics::Counter::AtomicType *origin_session_cache_hit = nullptr; + Metrics::Counter::AtomicType *origin_session_cache_miss = nullptr; + Metrics::Counter::AtomicType *origin_session_reused_count = nullptr; + Metrics::Counter::AtomicType *session_cache_eviction = nullptr; + Metrics::Counter::AtomicType *session_cache_hit = nullptr; + Metrics::Counter::AtomicType *session_cache_lock_contention = nullptr; + Metrics::Counter::AtomicType *session_cache_miss = nullptr; + Metrics::Counter::AtomicType *session_cache_new_session = nullptr; + Metrics::Counter::AtomicType *sni_name_set_failure = nullptr; + Metrics::Counter::AtomicType *total_attempts_handshake_count_in = nullptr; + Metrics::Counter::AtomicType *total_attempts_handshake_count_out = nullptr; + Metrics::Counter::AtomicType *total_dyn_def_tls_record_count = nullptr; + Metrics::Counter::AtomicType *total_dyn_max_tls_record_count = nullptr; + Metrics::Counter::AtomicType *total_dyn_redo_tls_record_count = nullptr; + Metrics::Counter::AtomicType *total_handshake_time = nullptr; + Metrics::Counter::AtomicType *total_sslv3 = nullptr; + Metrics::Counter::AtomicType *total_success_handshake_count_in = nullptr; + Metrics::Counter::AtomicType *total_success_handshake_count_out = nullptr; + Metrics::Counter::AtomicType *total_ticket_keys_renewed = nullptr; + Metrics::Counter::AtomicType *total_tickets_created = nullptr; + Metrics::Counter::AtomicType *total_tickets_not_found = nullptr; + Metrics::Counter::AtomicType *total_tickets_renewed = nullptr; + Metrics::Counter::AtomicType *total_tickets_verified_old_key = nullptr; + Metrics::Counter::AtomicType *total_tickets_verified = nullptr; + Metrics::Counter::AtomicType *total_tlsv1 = nullptr; + Metrics::Counter::AtomicType *total_tlsv11 = nullptr; + Metrics::Counter::AtomicType *total_tlsv12 = nullptr; + Metrics::Counter::AtomicType *total_tlsv13 = nullptr; + Metrics::Counter::AtomicType *user_agent_bad_cert = nullptr; + Metrics::Counter::AtomicType *user_agent_cert_verify_failed = nullptr; + Metrics::Counter::AtomicType *user_agent_decryption_failed = nullptr; + Metrics::Counter::AtomicType *user_agent_decryption_failed_or_bad_record_mac = nullptr; + Metrics::Counter::AtomicType *user_agent_expired_cert = nullptr; + Metrics::Counter::AtomicType *user_agent_http_request = nullptr; + Metrics::Counter::AtomicType *user_agent_inappropriate_fallback = nullptr; + Metrics::Counter::AtomicType *user_agent_no_shared_cipher = nullptr; + Metrics::Counter::AtomicType *user_agent_other_errors = nullptr; + Metrics::Counter::AtomicType *user_agent_revoked_cert = nullptr; + Metrics::Counter::AtomicType *user_agent_unknown_ca = nullptr; + Metrics::Counter::AtomicType *user_agent_unknown_cert = nullptr; + Metrics::Counter::AtomicType *user_agent_version_too_high = nullptr; + Metrics::Counter::AtomicType *user_agent_version_too_low = nullptr; + Metrics::Counter::AtomicType *user_agent_wrong_version = nullptr; + Metrics::Gauge::AtomicType *user_agent_session_hit = nullptr; + Metrics::Gauge::AtomicType *user_agent_session_miss = nullptr; + Metrics::Gauge::AtomicType *user_agent_session_timeout = nullptr; + Metrics::Gauge::AtomicType *user_agent_sessions = nullptr; }; extern SSLStatsBlock ssl_rsb;