Add 2 counters in the SSL stats module for OCSP stapling.
- ssl_ocsp_staple is the number of OCSP response successfully stapled
with the handshake
- ssl_failed_ocsp_stapled is the number of OCSP response that we
couldn't staple, it could be because of an error or because the
response is expired.
These counters are incremented in the OCSP stapling callback, so if no
OCSP response was configured they will never increase. They are also
only maintained for frontends.
This was discussed in github issue #2822.
long long sess;
long long reused_sess;
long long failed_handshake;
+ long long ocsp_staple;
+ long long failed_ocsp_staple;
};
#endif /* USE_OPENSSL */
*/
int ssl_sock_ocsp_stapling_cbk(SSL *ssl, void *arg)
{
+ struct connection *conn = SSL_get_ex_data(ssl, ssl_app_data_index);
+ struct listener *li;
+ struct ssl_counters *counters = NULL;
+ struct ssl_counters *counters_px = NULL;
struct certificate_ocsp *ocsp;
struct ocsp_cbk_arg *ocsp_arg;
char *ssl_buf;
if (!ctx)
goto error;
+ if (obj_type(conn->target) == OBJ_TYPE_LISTENER) {
+ li = __objt_listener(conn->target);
+ counters = EXTRA_COUNTERS_GET(li->extra_counters, &ssl_stats_module);
+ counters_px = EXTRA_COUNTERS_GET(li->bind_conf->frontend->extra_counters_fe, &ssl_stats_module);
+ }
+
ocsp_arg = SSL_CTX_get_ex_data(ctx, ocsp_ex_index);
if (!ocsp_arg)
goto error;
memcpy(ssl_buf, ocsp->response.area, ocsp->response.data);
SSL_set_tlsext_status_ocsp_resp(ssl, (unsigned char*)ssl_buf, ocsp->response.data);
+ if (counters) {
+ HA_ATOMIC_INC(&counters->ocsp_staple);
+ HA_ATOMIC_INC(&counters_px->ocsp_staple);
+ }
+
return SSL_TLSEXT_ERR_OK;
+
error:
+
+ if (counters) {
+ HA_ATOMIC_INC(&counters->failed_ocsp_staple);
+ HA_ATOMIC_INC(&counters_px->failed_ocsp_staple);
+ }
+
return SSL_TLSEXT_ERR_NOACK;
}
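Review bot: `conn`, fetched from `SSL_get_ex_data(ssl, ssl_app_data_index)` at the top of the callback, is dereferenced unconditionally in `obj_type(conn->target)` with no NULL check; if that ex-data slot can be empty for some SSL objects that reach this callback (a transport that stores a different object under another index, for instance), this is a NULL dereference on the handshake path. Guard it with `if (conn && obj_type(conn->target) == OBJ_TYPE_LISTENER) {`. The two increment sites also test only `counters` before dereferencing `counters_px`, although each comes from a separate EXTRA_COUNTERS_GET lookup; either guard both, `if (counters && counters_px)`, or add a comment stating why a non-NULL `counters` implies a non-NULL `counters_px`. Note too that a `goto error` taken from the `if (!ctx)` check runs with `counters` still NULL, so that failure is never counted in `failed_ocsp_staple`; if that is intended it deserves a comment, otherwise the listener lookup should move above that check. Part of the function body between the shown lines is elided.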
SSL_ST_SESS,
SSL_ST_REUSED_SESS,
SSL_ST_FAILED_HANDSHAKE,
+ SSL_ST_OCSP_STAPLE,
+ SSL_ST_FAILED_OCSP_STAPLE,
SSL_ST_STATS_COUNT /* must be the last member of the enum */
};
.desc = "Total number of ssl sessions reused" },
[SSL_ST_FAILED_HANDSHAKE] = { .name = "ssl_failed_handshake",
.desc = "Total number of failed handshake" },
+ [SSL_ST_OCSP_STAPLE] = { .name = "ssl_ocsp_staple",
+ .desc = "Total number of stapled OCSP responses" },
+ [SSL_ST_FAILED_OCSP_STAPLE] = { .name = "ssl_failed_ocsp_staple",
+ .desc = "Total number of failed OCSP stapling (expired or error)" },
};
static struct ssl_counters ssl_counters;
case SSL_ST_FAILED_HANDSHAKE:
metric = mkf_u64(FN_COUNTER, counters->failed_handshake);
break;
+ case SSL_ST_OCSP_STAPLE:
+ metric = mkf_u64(FN_COUNTER, counters->ocsp_staple);
+ break;
+ case SSL_ST_FAILED_OCSP_STAPLE:
+ metric = mkf_u64(FN_COUNTER, counters->failed_ocsp_staple);
+ break;
+
default:
/* not used for frontends. If a specific metric
* is requested, return an error. Otherwise continue.