Hello, as some of you know, 2.5 will come with a new "option httpslog" to ease logging some useful TLS info by default.

While running some tests in production with the error-log-format, I realized that we're not logging the SNI in "httpslog", and that it's probably a significant miss that we ought to fix before the release. I think it could be particularly useful for those using long crt-lists with a default domain, as it will allow one to figure out which ones have been handled by the default one, possibly due to a missing certificate or a misconfiguration.

Right now the default HTTPS format is defined this way:

    log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC \
                %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r \
                %[fc_conn_err]/%[ssl_fc_err,hex]/%[ssl_c_err]/\
                %[ssl_c_ca_err]/%[ssl_fc_is_resumed] %sslv/%sslc"

As it is, it closely matches the httplog one so that tools configured to process the latter should also work unmodified with the new one.

The question is, should we add "ssl_fc_sni" somewhere in this line, and if so, where? Logging it at the end seems sensible to me so that even if it's absent we're not missing anything. But maybe there are better options or opinions on the subject. Feel free to suggest so that we put something there before tomorrow and have it in a last dev13 before the release.

Thanks,
Willy
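
An added example, not part of the original message and not HAProxy code: a log-side check that parses the TLS tail of the format quoted above with the SNI appended as a last, optional field, then counts handshakes whose SNI no crt-list name covers. The trailing SNI position, the "-" placeholder for an absent value, the helper names and all sample values are assumptions constructed for illustration.

```python
import re

# Tail of an "option httpslog" line as quoted in the message above, plus a
# trailing SNI field. The SNI position is an assumption taken from the
# "logging it at the end" suggestion, not a released format.
TLS_TAIL = re.compile(
    r'" (?P<fc_conn_err>-?\d+)/(?P<ssl_fc_err>[0-9A-Fa-f]+)/(?P<ssl_c_err>-?\d+)/'
    r'(?P<ssl_c_ca_err>-?\d+)/(?P<resumed>[01]) '
    r'(?P<sslv>[^/\s]+)/(?P<sslc>\S+)(?: (?P<sni>\S+))?$'
)

def parse_tls_tail(line):
    """Return the TLS fields of one log line, or None if the tail is not found."""
    m = TLS_TAIL.search(line.rstrip("\n"))
    if m is None:
        return None
    fields = m.groupdict()
    # A line without the extra field, or with "-", carries no SNI.
    sni = fields["sni"]
    fields["sni"] = None if sni in (None, "-") else sni.lower()
    return fields

def covered(sni, cert_names):
    """True if sni matches an exact name or a one-label wildcard (*.example.com)."""
    if sni in cert_names:
        return True
    _, _, parent = sni.partition(".")
    return bool(parent) and "*." + parent in cert_names

def default_cert_hits(lines, cert_names):
    """Count handshakes that no listed name covers, keyed by SNI (None = no SNI)."""
    hits = {}
    for line in lines:
        f = parse_tls_tail(line)
        if f is None:
            continue
        if f["sni"] is None or not covered(f["sni"], cert_names):
            hits[f["sni"]] = hits.get(f["sni"], 0) + 1
    return hits

# Constructed sample data: names and log lines are illustrative only.
PREFIX = ('192.0.2.10:51234 [10/Nov/2021:10:00:00.123] fe_tls be_app/srv1 '
          '0/0/1/2/3 200 512 - - ---- 1/1/0/0/0 0/0 "GET / HTTP/1.1" '
          '0/0000000000000000/0/0/0 TLSv1.3/TLS_AES_256_GCM_SHA384')
SAMPLE = [PREFIX + " www.example.com", PREFIX + " api.example.net",
          PREFIX + " shop.example.org", PREFIX + " -", PREFIX]
CERT_NAMES = {"www.example.com", "*.example.net"}
```

Because the SNI group is optional and anchored at the end of the line, the same pattern still parses lines that lack the extra field, which is the compatibility property the message is after.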