MINOR: ssl: Add new ssl_bc_hsk_err sample fetch

This new sample fetch along the ssl_bc_hsk_err_str fetch contain the
last SSL error of the error stack that occurred during the SSL
handshake (from the backend's perspective).

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 182ecc644c8664ed9b4cc1c545bcd1095d915154..dbbf19ea1a42cef7fcdd1a430a7bbc12911d9d31 100644 (file)
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -18646,6 +18646,20 @@ ssl_bc_client_random : binary
   sent using ephemeral ciphers. This requires OpenSSL >= 1.1.0, or BoringSSL.
   It can be used in a tcp-check or an http-check ruleset.
 
+ssl_bc_hsk_err : integer
+  When the outgoing connection was made over an SSL/TLS transport layer,
+  returns the ID of the latest error that happened during the handshake on the
+  backend side, or 0 if no error was encountered. In order to get a text
+  description of this error code, you can either use the "ssl_bc_hsk_err_str"
+  sample fetch or use the "openssl errstr" command (which takes an error code
+  in hexadecimal representation as parameter). Please refer to your SSL
+  library's documentation to find the exhaustive list of error codes.
+
+ssl_bc_hsk_err_str : string
+  When the outgoing connection was made over an SSL/TLS transport layer,
+  returns a string representation of the latest error that happened during the
+  handshake on the backend side. See also "ssl_fc_hsk_err".
+
 ssl_bc_is_resumed : boolean
   Returns true when the back connection was made over an SSL/TLS transport
   layer and the newly created SSL session was resumed using a cached

diff --git a/src/ssl_sample.c b/src/ssl_sample.c
index aa9a547e44bcb429443476460d9bec3c6447f37b..f93ae0a8f1a05a183a73be0f55f0ff8933605002 100644 (file)
--- a/src/ssl_sample.c
+++ b/src/ssl_sample.c
@@ -1212,7 +1212,12 @@ smp_fetch_ssl_fc_hsk_err(const struct arg *args, struct sample *smp, const char
        struct connection *conn;
        struct ssl_sock_ctx *ctx;
 
-       conn = objt_conn(smp->sess->origin);
+       if (obj_type(smp->sess->origin) == OBJ_TYPE_CHECK)
+               conn = (kw[4] == 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL;
+       else
+               conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
+                       smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
+
        if (!conn || conn->xprt != &ssl_sock)
                return 0;
        ctx = conn->xprt_ctx;
@@ -1260,7 +1265,12 @@ smp_fetch_ssl_fc_hsk_err_str(const struct arg *args, struct sample *smp, const c
        struct ssl_sock_ctx *ctx;
        const char *err_code_str;
 
-       conn = objt_conn(smp->sess->origin);
+       if (obj_type(smp->sess->origin) == OBJ_TYPE_CHECK)
+               conn = (kw[4] == 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL;
+       else
+               conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
+                       smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
+
        if (!conn || conn->xprt != &ssl_sock)
                return 0;
        ctx = conn->xprt_ctx;
@@ -1669,6 +1679,8 @@ static struct sample_fetch_kw_list sample_fetch_keywords = {ILH, {
        { "ssl_bc_server_random",   smp_fetch_ssl_fc_random,      0,                   NULL,    SMP_T_BIN,  SMP_USE_L5SRV },
        { "ssl_bc_session_key",     smp_fetch_ssl_fc_session_key, 0,                   NULL,    SMP_T_BIN,  SMP_USE_L5SRV },
 #endif
+       { "ssl_bc_hsk_err",         smp_fetch_ssl_fc_hsk_err,     0,                   NULL,    SMP_T_SINT, SMP_USE_L5SRV },
+       { "ssl_bc_hsk_err_str",     smp_fetch_ssl_fc_hsk_err_str, 0,                   NULL,    SMP_T_STR,  SMP_USE_L5SRV },
        { "ssl_c_ca_err",           smp_fetch_ssl_c_ca_err,       0,                   NULL,    SMP_T_SINT, SMP_USE_L5CLI },
        { "ssl_c_ca_err_depth",     smp_fetch_ssl_c_ca_err_depth, 0,                   NULL,    SMP_T_SINT, SMP_USE_L5CLI },
        { "ssl_c_der",              smp_fetch_ssl_x_der,          0,                   NULL,    SMP_T_BIN,  SMP_USE_L5CLI },