From dae4cfe8c57dc7644a7afd847d964c8d7444deda Mon Sep 17 00:00:00 2001
From: Willy Tarreau
Date: Mon, 29 Sep 2025 13:30:12 +0200
Subject: [PATCH] MINOR: ssl: add the ssl_bc_sni sample fetch function to retrieve backend SNI
Sometimes in order to debug certain difficult situations it can be useful to know what SNI was configured on a connection going to a server, for example to match it against what the server saw or to detect cases where a server would route on SNI instead of Host. This sample fetch function simply retrieves the SNI configured on the backend connection, if any.
---
 doc/configuration.txt | 8 ++++++++
 src/ssl_sample.c | 9 ++++++++-
 2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 4583653d97..64314d7897 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -24111,6 +24111,7 @@ ssl_bc_server_random binary
 ssl_bc_server_traffic_secret_0 string
 ssl_bc_session_id binary
 ssl_bc_session_key binary
+ssl_bc_sni string
 ssl_bc_unique_id binary
 ssl_bc_use_keysize integer
 ssl_c_ca_err integer
@@ -24442,6 +24443,13 @@ ssl_bc_session_key : binary
 traffic sent using ephemeral ciphers. This requires OpenSSL >= 1.1.0, or BoringSSL. It can be used in a tcp-check or an http-check ruleset.
+ssl_bc_sni : string This retrieves the Server Name Indication TLS extension (SNI) field that was used on the connection to the server. The result (when present) typically is a string matching the HTTPS host name (253 chars or less). The main use case is for logging and debugging purposes (e.g. figure what SNI was used when the connection was established to match it against what the server has seen).
+
 ssl_bc_unique_id : binary When the outgoing connection was made over an SSL/TLS transport layer, returns the TLS unique ID as defined in RFC5929 section 3. The unique id
diff --git a/src/ssl_sample.c b/src/ssl_sample.c
index defa913aba..c64522d240 100644
--- a/src/ssl_sample.c
+++ b/src/ssl_sample.c
@@ -1818,6 +1818,7 @@ smp_fetch_ssl_fc_session_key(const struct arg *args, struct sample *smp, const c
 }
 #endif
+/* ssl_fc_sni and ssl_bc_sni */
 static int
 smp_fetch_ssl_fc_sni(const struct arg *args, struct sample *smp, const char *kw, void *private)
 {
@@ -1828,7 +1829,12 @@ smp_fetch_ssl_fc_sni(const struct arg *args, struct sample *smp, const char *kw,
 smp->flags = SMP_F_VOL_SESS | SMP_F_CONST;
 smp->data.type = SMP_T_STR;
- conn = objt_conn(smp->sess->origin);
+ if (obj_type(smp->sess->origin) == OBJ_TYPE_CHECK)
+ conn = (kw[4] == 'b') ? sc_conn(__objt_check(smp->sess->origin)->sc) : NULL;
+ else
+ conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
+ smp->strm ? sc_conn(smp->strm->scb) : NULL;
+
 ssl = ssl_sock_get_ssl_object(conn);
 if (!ssl)
 return 0;
@@ -2472,6 +2478,7 @@ static struct sample_fetch_kw_list sample_fetch_keywords = {ILH, {
 #endif
 { "ssl_bc_err", smp_fetch_ssl_fc_err, 0, NULL, SMP_T_SINT, SMP_USE_L5SRV },
 { "ssl_bc_err_str", smp_fetch_ssl_fc_err_str, 0, NULL, SMP_T_STR, SMP_USE_L5SRV },
+ { "ssl_bc_sni", smp_fetch_ssl_fc_sni, 0, NULL, SMP_T_STR, SMP_USE_L5SRV },
 { "ssl_c_ca_err", smp_fetch_ssl_c_ca_err, 0, NULL, SMP_T_SINT, SMP_USE_L5CLI },
 { "ssl_c_ca_err_depth", smp_fetch_ssl_c_ca_err_depth, 0, NULL, SMP_T_SINT, SMP_USE_L5CLI },
 { "ssl_c_der", smp_fetch_ssl_x_der, 0, NULL, SMP_T_BIN, SMP_USE_L5CLI },
--
2.47.3
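Review bot: The `kw[4]` dispatch in the second hunk selects the backend connection by a bare character offset into the keyword, and nothing at that line documents that it depends on both registered names sharing the `ssl_?c_sni` shape; a comment on the `if (obj_type(...) == OBJ_TYPE_CHECK)` line, `/* kw[4] is 'f' for ssl_fc_sni, 'b' for ssl_bc_sni (see keyword table) */`, would make the coupling with the third hunk's table entry explicit. The context line `smp->flags = SMP_F_VOL_SESS | SMP_F_CONST;` now also governs the backend path, where the connection is taken from `smp->strm->scb` rather than the session origin and so may not stay valid for the whole session if the stream's server connection changes; whether a narrower volatility flag is warranted for the 'b' case is worth checking against what the other ssl_bc_* fetchers set. Since the documented purpose is logging, the ssl_bc_sni doc text would benefit from one sentence noting that when a server's `sni` expression is fed from client-controlled input (e.g. a Host header) the returned string is attacker-influenced and should be treated as untrusted by log consumers. The body of smp_fetch_ssl_fc_sni continues past the second hunk, so the servername extraction itself is not visible here.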