From: William Lallemand Date: Mon, 23 Dec 2024 10:06:17 +0000 (+0100) Subject: MEDIUM: ssl/ocsp: counters for OCSP stapling X-Git-Tag: v3.2-dev2~20 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=056ec51c26;p=thirdparty%2Fhaproxy.git MEDIUM: ssl/ocsp: counters for OCSP stapling Add 2 counters in the SSL stats module for OCSP stapling. - ssl_ocsp_staple is the number of OCSP response successfully stapled with the handshake - ssl_failed_ocsp_stapled is the number of OCSP response that we couldn't staple, it could be because of an error or because the response is expired. These counters are incremented in the OCSP stapling callback, so if no OCSP was configured they won't never increase. Also they are only working in frontends. This was discussed in github issue #2822. --- diff --git a/include/haproxy/ssl_sock-t.h b/include/haproxy/ssl_sock-t.h index 410a789a16..2c7f73b3b1 100644 --- a/include/haproxy/ssl_sock-t.h +++ b/include/haproxy/ssl_sock-t.h @@ -331,6 +331,8 @@ struct ssl_counters { long long sess; long long reused_sess; long long failed_handshake; + long long ocsp_staple; + long long failed_ocsp_staple; }; #endif /* USE_OPENSSL */ diff --git a/src/ssl_ocsp.c b/src/ssl_ocsp.c index 73f1666894..44c86f3983 100644 --- a/src/ssl_ocsp.c +++ b/src/ssl_ocsp.c @@ -99,6 +99,10 @@ int ssl_sock_get_ocsp_arg_kt_index(int evp_keytype) */ int ssl_sock_ocsp_stapling_cbk(SSL *ssl, void *arg) { + struct connection *conn = SSL_get_ex_data(ssl, ssl_app_data_index); + struct listener *li; + struct ssl_counters *counters = NULL; + struct ssl_counters *counters_px = NULL; struct certificate_ocsp *ocsp; struct ocsp_cbk_arg *ocsp_arg; char *ssl_buf; @@ -111,6 +115,12 @@ int ssl_sock_ocsp_stapling_cbk(SSL *ssl, void *arg) if (!ctx) goto error; + if (obj_type(conn->target) == OBJ_TYPE_LISTENER) { + li = __objt_listener(conn->target); + counters = EXTRA_COUNTERS_GET(li->extra_counters, &ssl_stats_module); + counters_px = EXTRA_COUNTERS_GET(li->bind_conf->frontend->extra_counters_fe, &ssl_stats_module); + } + ocsp_arg = SSL_CTX_get_ex_data(ctx, ocsp_ex_index); if (!ocsp_arg) goto error; @@ -150,9 +160,21 @@ int ssl_sock_ocsp_stapling_cbk(SSL *ssl, void *arg) memcpy(ssl_buf, ocsp->response.area, ocsp->response.data); SSL_set_tlsext_status_ocsp_resp(ssl, (unsigned char*)ssl_buf, ocsp->response.data); + if (counters) { + HA_ATOMIC_INC(&counters->ocsp_staple); + HA_ATOMIC_INC(&counters_px->ocsp_staple); + } + return SSL_TLSEXT_ERR_OK; + error: + + if (counters) { + HA_ATOMIC_INC(&counters->failed_ocsp_staple); + HA_ATOMIC_INC(&counters_px->failed_ocsp_staple); + } + return SSL_TLSEXT_ERR_NOACK; } diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 45d34b246c..23316c2e5c 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -156,6 +156,8 @@ enum { SSL_ST_SESS, SSL_ST_REUSED_SESS, SSL_ST_FAILED_HANDSHAKE, + SSL_ST_OCSP_STAPLE, + SSL_ST_FAILED_OCSP_STAPLE, SSL_ST_STATS_COUNT /* must be the last member of the enum */ }; @@ -167,6 +169,10 @@ static struct stat_col ssl_stats[] = { .desc = "Total number of ssl sessions reused" }, [SSL_ST_FAILED_HANDSHAKE] = { .name = "ssl_failed_handshake", .desc = "Total number of failed handshake" }, + [SSL_ST_OCSP_STAPLE] = { .name = "ssl_ocsp_staple", + .desc = "Total number of stapled OCSP responses" }, + [SSL_ST_FAILED_OCSP_STAPLE] = { .name = "ssl_failed_ocsp_staple", + .desc = "Total number of failed OCSP stapling (expired or error)" }, }; static struct ssl_counters ssl_counters; @@ -189,6 +195,13 @@ static int ssl_fill_stats(void *data, struct field *stats, unsigned int *selecte case SSL_ST_FAILED_HANDSHAKE: metric = mkf_u64(FN_COUNTER, counters->failed_handshake); break; + case SSL_ST_OCSP_STAPLE: + metric = mkf_u64(FN_COUNTER, counters->ocsp_staple); + break; + case SSL_ST_FAILED_OCSP_STAPLE: + metric = mkf_u64(FN_COUNTER, counters->failed_ocsp_staple); + break; + default: /* not used for frontends. If a specific metric * is requested, return an error. Otherwise continue.