Close #116 去除根据ClientHello镜像上游SSL版本的功能,增加在连接摘要日志记录SSL版本和SNI的功能
This commit is contained in:
luqiuwen
@@ -134,6 +134,10 @@ struct tfe_stream_private
|
||||
#define STREAM_EVENT_LOG_MAX 8
|
||||
struct tfe_stream_event_log log_event[STREAM_EVENT_LOG_MAX];
|
||||
unsigned int nr_log_event;
|
||||
|
||||
/* CONNECTION LOG */
|
||||
char ssl_downstream_info_dump[TFE_STRING_MAX];
|
||||
char ssl_upstream_info_dump[TFE_STRING_MAX];
|
||||
};
|
||||
|
||||
static inline void * __STREAM_LOGGER(struct tfe_stream_private * _stream)
|
||||
|
||||
@@ -124,6 +124,7 @@ struct ssl_mgr
|
||||
unsigned int no_alpn;
|
||||
unsigned int no_cert_verify;
|
||||
unsigned int no_mirror_client_cipher_suite;
|
||||
|
||||
CONST_SSL_METHOD * (* sslmethod)(void); //Parameter of SSL_CTX_new
|
||||
int ssl_min_version, ssl_max_version;
|
||||
char ssl_session_context[8];
|
||||
@@ -133,22 +134,18 @@ struct ssl_mgr
|
||||
|
||||
struct sess_cache * down_sess_cache;
|
||||
struct sess_cache * up_sess_cache;
|
||||
|
||||
struct session_ticket_key ticket_key;
|
||||
|
||||
|
||||
char default_ciphers[TFE_SYMBOL_MAX];
|
||||
DH * dh;
|
||||
char * ecdhcurve;
|
||||
char * crl_url;
|
||||
|
||||
|
||||
struct cert_store_param cert_verify_param;
|
||||
uint8_t ssl_mode_release_buffers;
|
||||
char trusted_cert_file[TFE_PATH_MAX];
|
||||
char trusted_cert_dir[TFE_PATH_MAX];
|
||||
|
||||
|
||||
struct ssl_trusted_cert_storage * trust_CA_store;
|
||||
struct key_keeper * key_keeper;
|
||||
struct event_base * ev_base_gc;
|
||||
@@ -582,21 +579,25 @@ struct ssl_mgr * ssl_manager_init(const char * ini_profile, const char * section
|
||||
MESA_load_profile_uint_def(ini_profile, section, "no_tls12", &(mgr->no_tls12), 0);
|
||||
MESA_load_profile_string_def(ini_profile, section, "default_ciphers", mgr->default_ciphers,
|
||||
sizeof(mgr->default_ciphers), DFLT_CIPHERS);
|
||||
|
||||
MESA_load_profile_uint_def(ini_profile, section, "no_session_cache", &(mgr->no_sesscache), 0);
|
||||
MESA_load_profile_uint_def(ini_profile, section, "no_session_ticket", &(mgr->no_sessticket), 0);
|
||||
MESA_load_profile_uint_def(ini_profile, section, "no_alpn", &(mgr->no_alpn), 0);
|
||||
MESA_load_profile_uint_def(ini_profile, section, "no_cert_verify", &(mgr->no_cert_verify), 0);
|
||||
MESA_load_profile_uint_def(ini_profile, section, "no_mirror_client_cipher_suite", &(mgr->no_mirror_client_cipher_suite), 0);
|
||||
|
||||
|
||||
MESA_load_profile_uint_def(ini_profile, section, "session_cache_slots", &(mgr->cache_slots), 4 * 1024 * 1024);
|
||||
MESA_load_profile_uint_def(ini_profile, section, "session_cache_expire_seconds", &(mgr->sess_expire_seconds), 30 * 60);
|
||||
MESA_load_profile_uint_def(ini_profile, section, "no_mirror_client_cipher_suite",
|
||||
&(mgr->no_mirror_client_cipher_suite), 0);
|
||||
MESA_load_profile_uint_def(ini_profile, section, "session_cache_slots",
|
||||
&(mgr->cache_slots), 4 * 1024 * 1024);
|
||||
MESA_load_profile_uint_def(ini_profile, section, "session_cache_expire_seconds",
|
||||
&(mgr->sess_expire_seconds), 30 * 60);
|
||||
|
||||
if(!mgr->no_sesscache)
|
||||
{
|
||||
mgr->up_sess_cache = ssl_sess_cache_create(mgr->cache_slots, mgr->sess_expire_seconds, CONN_DIR_UPSTREAM);
|
||||
mgr->down_sess_cache = ssl_sess_cache_create(mgr->cache_slots, mgr->sess_expire_seconds, CONN_DIR_DOWNSTREAM);
|
||||
}
|
||||
|
||||
//Reference to NGINX: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key
|
||||
//Support key rotation in futher.
|
||||
|
||||
@@ -775,6 +776,7 @@ static SSL * upstream_ssl_create(struct ssl_mgr * mgr, const struct ssl_chello *
|
||||
sslctx = SSL_CTX_new(mgr->sslmethod());
|
||||
sslctx_set_opts(sslctx, mgr);
|
||||
int ret=0;
|
||||
|
||||
if(chello->cipher_suites!=NULL)
|
||||
{
|
||||
//SSL_CTX_set_cipher_list() and SSL_set_cipher_list() return 1 if any cipher could be selected and 0 on complete failure.
|
||||
@@ -789,15 +791,13 @@ static SSL * upstream_ssl_create(struct ssl_mgr * mgr, const struct ssl_chello *
|
||||
{
|
||||
ret=SSL_CTX_set_cipher_list(sslctx, mgr->default_ciphers);
|
||||
}
|
||||
if (mgr->ssl_min_version)
|
||||
{
|
||||
if (SSL_CTX_set_min_proto_version(sslctx, MAX(chello->min_version.ossl_format, mgr->ssl_min_version)) == 0 ||
|
||||
SSL_CTX_set_max_proto_version(sslctx, MIN(chello->max_version.ossl_format, mgr->ssl_max_version)) == 0)
|
||||
|
||||
if (SSL_CTX_set_min_proto_version(sslctx, mgr->ssl_min_version) == 0 ||
|
||||
SSL_CTX_set_max_proto_version(sslctx, mgr->ssl_max_version) == 0)
|
||||
{
|
||||
SSL_CTX_free(sslctx);
|
||||
return NULL;
|
||||
}
|
||||
}
|
||||
|
||||
SSL_CTX_set_verify(sslctx, SSL_VERIFY_NONE, NULL);
|
||||
ssl = SSL_new(sslctx);
|
||||
|
||||
@@ -875,6 +875,13 @@ void ssl_downstream_create_on_success(future_result_t * result, void * user)
|
||||
_stream->defer_fd_downstream = 0;
|
||||
|
||||
assert(_stream->conn_downstream != NULL && _stream->conn_upstream != NULL);
|
||||
|
||||
ssl_stream_dump_info(_stream->ssl_downstream, _stream->ssl_downstream_info_dump,
|
||||
sizeof(_stream->ssl_downstream_info_dump));
|
||||
|
||||
ssl_stream_dump_info(_stream->ssl_upstream, _stream->ssl_upstream_info_dump,
|
||||
sizeof(_stream->ssl_upstream_info_dump));
|
||||
|
||||
__conn_private_enable(_stream->conn_downstream);
|
||||
__conn_private_enable(_stream->conn_upstream);
|
||||
|
||||
@@ -964,8 +971,9 @@ void __stream_access_log_write(struct tfe_stream_private * stream)
|
||||
}
|
||||
|
||||
MESA_handle_runtime_log(stream->stream_logger, RLOG_LV_INFO, "access",
|
||||
"%d %d %d %s %s %s %s", stream->log_fd_downstream, stream->log_fd_upstream, stream->keyring_id,
|
||||
stream->str_stream_addr, str_passthrough, str_kill, str_log_event);
|
||||
"%d %d %d %s %s %s %s %s %s", stream->log_fd_downstream, stream->log_fd_upstream, stream->keyring_id,
|
||||
stream->str_stream_addr, str_passthrough, str_kill, str_log_event,
|
||||
stream->ssl_downstream_info_dump, stream->ssl_upstream_info_dump);
|
||||
}
|
||||
|
||||
static int ev_log_to_stat_map[__EVENT_LOG_CLOSE_MAX][__CONN_DIR_MAX]{{-1}};
|
||||
|
||||
Reference in New Issue
Block a user