[trafficserver] branch 9.0.x updated: Log whether client certs were exchanged in TLS handshake (#6699)
This is an automated email from the ASF dual-hosted git repository. zwoop pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git The following commit(s) were added to refs/heads/9.0.x by this push: new 513a80e Log whether client certs were exchanged in TLS handshake (#6699) 513a80e is described below commit 513a80e8d377e66be0435ff762c10f108059b74d Author: Susan Hinrichs AuthorDate: Wed Jul 1 11:26:17 2020 -0500 Log whether client certs were exchanged in TLS handshake (#6699) Log whether client certs were exchanged in TLS handshake (cherry picked from commit 3ffd8acf0b5f3f6258270d8ffea1c28d9f412d9c) --- doc/admin-guide/logging/formatting.en.rst | 46 +++ iocore/net/I_NetVConnection.h | 12 + iocore/net/P_SSLNetVConnection.h | 30 iocore/net/SSLClientUtils.cc | 16 +++ proxy/http/HttpSM.cc | 25 ++ proxy/http/HttpSM.h| 39 proxy/logging/Log.cc | 10 proxy/logging/LogAccess.cc | 38 proxy/logging/LogAccess.h | 2 + proxy/private/SSLProxySession.cc | 1 + proxy/private/SSLProxySession.h| 7 +++ .../gold_tests/tls/gold/clientcert-accesslog.gold | 9 tests/gold_tests/tls/gold/proxycert-accesslog.gold | 8 .../gold_tests/tls/gold/proxycert2-accesslog.gold | 8 tests/gold_tests/tls/tls_client_cert.test.py | 39 +--- tests/gold_tests/tls/tls_client_cert2.test.py | 21 + tests/gold_tests/tls/tls_client_verify.test.py | 53 -- tests/gold_tests/tls/tls_tunnel.test.py| 17 +-- 18 files changed, 287 insertions(+), 94 deletions(-) diff --git a/doc/admin-guide/logging/formatting.en.rst b/doc/admin-guide/logging/formatting.en.rst index 5b98f0b..93df61c 100644 --- a/doc/admin-guide/logging/formatting.en.rst +++ b/doc/admin-guide/logging/formatting.en.rst 
@@ -597,35 +597,43 @@ SSL / Encryption .. _cssn: +.. _cscert: .. _cqssl: .. _cqssr: .. _cqssv: .. _cqssc: .. _cqssu: .. _pqssl: +.. _pscert: Fields which expose the use, or lack thereof, of specific SSL and encryption features. -= == == -Field Source Description -= == == -cssn Client TLS SNI server name in client Hello message in TLS handshake. - Hello If no server name present in Hello, or the transaction - was not over TLS (over TCP), this field will contain - ``-``. -cqssl Client Request SSL client request status indicates if this client - connection is over SSL. -cqssr Client Request SSL session ticket reused status; indicates if the current - request hit the SSL session ticket and avoided a full SSL - handshake. -cqssv Client Request SSL version used to communicate with the client. -cqssc Client Request SSL Cipher used by |TS| to communicate with the client. -cqssu Client Request SSL Elliptic Curve used by |TS| to communicate with the - client when using an ECDHE cipher. -pqssl Proxy Request Indicates whether the connection from |TS| to the origin - was over SSL or not. -= == == +== == == +Field Source Description +== == == +cssn Client TLS SNI server name in client Hello message in TLS handshake. + Hello If no server name present in Hello, or the transaction + was not over TLS (over TCP), this field will contain + ``-``. +cscert Client Request 1 if |TS| requested certificate from client during TLS + handshake. 0 otherwise. +cqssl Client Request SSL client request status indicates if this client + connection is over SSL. +cqssr Client Request SSL session ticket reused status; indicates if the current + request hit the SSL session ticket and avoided a full SSL + handshake. +cqssv Client Request SSL version used to communicate with the client. +cqssc Client Request SSL Cipher used by |TS| to communicate with the client. +cqssu Client Request SSL Elliptic Curve used by |TS| to communicate with the + client when using an ECDHE cipher. 
+pqssl Proxy Request Indicates whether the connection from |TS| to the origin + was o
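Review bot: the new `cscert` row in the SSL / Encryption table reads "1 if |TS| requested certificate from client during TLS handshake. 0 otherwise.", but the commit title says the field logs whether client certs were exchanged; these are different events (the server sending a CertificateRequest versus the client actually presenting a certificate), and operators auditing mTLS need to know which one a 1 means. Suggest stating it explicitly, e.g. "1 if the client presented a certificate during the TLS handshake, 0 otherwise" if that is the implemented semantics. The hunk also adds a `.. _pscert:` anchor, but the extract is cut off before the `pqssl`/`pscert` rows, so confirm the `pscert` row exists, describes the |TS|-to-origin direction, and uses the same 0/1 convention and the same wording as `cscert`.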
[trafficserver] branch 9.0.x updated: Update docs for some DNS config settings (#6969)
This is an automated email from the ASF dual-hosted git repository. zwoop pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git The following commit(s) were added to refs/heads/9.0.x by this push: new a3e7068 Update docs for some DNS config settings (#6969) a3e7068 is described below commit a3e70682c86541116f894b1e6c13841ebb3f088e Author: Sudheer Vinukonda AuthorDate: Wed Jul 1 16:17:55 2020 -0700 Update docs for some DNS config settings (#6969) (cherry picked from commit e5fcd1d415a96627917d03da47b86118751df7a5) --- doc/admin-guide/files/records.config.en.rst | 12 1 file changed, 12 insertions(+) diff --git a/doc/admin-guide/files/records.config.en.rst b/doc/admin-guide/files/records.config.en.rst index 217a362..6b87563 100644 --- a/doc/admin-guide/files/records.config.en.rst +++ b/doc/admin-guide/files/records.config.en.rst @@ -2527,6 +2527,18 @@ DNS ``2`` TCP_ONLY: |TS| always talks to nameservers over TCP. = == +.. ts:cv:: CONFIG proxy.config.dns.max_dns_in_flight INT 2048 + + Maximum inflight DNS queries made by |TS| at any given instant + +.. ts:cv:: CONFIG proxy.config.dns.lookup_timeout INT 20 + + Time to wait for a DNS response in seconds. + +.. ts:cv:: CONFIG proxy.config.dns.retries INT 5 + + Maximum number of retries made by |TS| on a given DNS query + HostDB ==
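Review bot: the descriptions for `proxy.config.dns.max_dns_in_flight` and `proxy.config.dns.retries` lack terminating periods, unlike `lookup_timeout` and the neighbouring entries, and "inflight" should be "in-flight". More substantively, `proxy.config.dns.retries INT 5` should say whether the count includes the initial attempt and how it combines with `proxy.config.dns.lookup_timeout INT 20` (whether a failing name can take roughly retries times lookup_timeout seconds before the resolver gives up), since that bound is what an operator tuning against slow or unreachable nameservers needs. None of the three entries carries a `:reloadable:` marker, so state explicitly whether they take effect on `traffic_ctl config reload` or require a restart.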
[trafficserver] branch 9.0.x updated: RateLimiting and Connection Config changes (#6968)
This is an automated email from the ASF dual-hosted git repository. zwoop pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git The following commit(s) were added to refs/heads/9.0.x by this push: new e529965 RateLimiting and Connection Config changes (#6968) e529965 is described below commit e5299650fd7680184f2ee3602ed238e0c4014641 Author: Sudheer Vinukonda AuthorDate: Thu Jul 2 09:29:01 2020 -0700 RateLimiting and Connection Config changes (#6968) Conn config renaming to support a protocol agnostic rate limiter (using request concurrency as opposed to active connections) (cherry picked from commit e2a0d8cf580b0e954848fbc645a77040ebcbd1f3) --- doc/admin-guide/files/records.config.en.rst| 27 .../monitoring/statistics/core/network-io.en.rst | 2 +- iocore/net/Net.cc | 4 +-- iocore/net/P_Net.h | 2 +- iocore/net/P_UnixNet.h | 6 ++-- iocore/net/UnixNet.cc | 36 ++ mgmt/RecordsConfig.cc | 2 +- 7 files changed, 39 insertions(+), 40 deletions(-) diff --git a/doc/admin-guide/files/records.config.en.rst b/doc/admin-guide/files/records.config.en.rst index a9db974..217a362 100644 --- a/doc/admin-guide/files/records.config.en.rst +++ b/doc/admin-guide/files/records.config.en.rst 
@@ -414,19 +414,20 @@ Network .. ts:cv:: CONFIG proxy.config.net.max_connections_in INT 3 - The total number of client connections that the :program:`traffic_server` - can handle simultaneously. This should be tuned according to your memory size, - and expected work load (network, cpu etc). This limit includes both keepalive - and active client connections that :program:`traffic_server` can handle at - any given instant. - -.. ts:cv:: CONFIG proxy.config.net.max_active_connections_in INT 1 - - The total number of active client connections that the |TS| can handle - simultaneously. This should be tuned according to your memory size, - and expected work load (network, cpu etc). If this is set to 0, active - connection tracking is disabled and active connections have no separate - limit and the total connections follow `proxy.config.net.connections_throttle` + The total number of client requests that |TS| can handle simultaneously. + This should be tuned according to your memory size, and expected work load + (network, cpu etc). This limit includes both idle (keep alive) connections + and active requests that |TS| can handle at any given instant. The delta + between `proxy.config.net.max_connections_in` and `proxy.config.net.max_requests_in` + is the amount of maximum idle (keepalive) connections |TS| will maintain. + +.. ts:cv:: CONFIG proxy.config.net.max_requests_in INT 0 + + The total number of concurrent requests or active client connections + that the |TS| can handle simultaneously. This should be tuned according + to your memory size, and expected work load (network, cpu etc). When + set to 0, active request tracking is disabled and max requests has no + separate limit and the total connections follow `proxy.config.net.connections_throttle` .. ts:cv:: CONFIG proxy.config.net.default_inactivity_timeout INT 86400 :reloadable: 
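Review bot: `proxy.config.net.max_active_connections_in` is removed and replaced by `proxy.config.net.max_requests_in` with a different default, but the documentation never names the old setting, so an existing records.config that sets `max_active_connections_in` will silently lose its limit after upgrade (and the new default of 0 disables active-request tracking entirely); add a deprecation line naming the old key and the mapping. The rewritten `max_connections_in` paragraph now opens with "The total number of client requests that |TS| can handle simultaneously" while the setting, and the following sentence about idle keep-alive connections, is about connections; suggest "The total number of client connections". The last sentence of the `max_requests_in` entry ("the total connections follow `proxy.config.net.connections_throttle`") still ends without a period.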
diff --git a/doc/admin-guide/monitoring/statistics/core/network-io.en.rst b/doc/admin-guide/monitoring/statistics/core/network-io.en.rst index 3777359..5ea7687 100644 --- a/doc/admin-guide/monitoring/statistics/core/network-io.en.rst +++ b/doc/admin-guide/monitoring/statistics/core/network-io.en.rst @@ -66,7 +66,7 @@ Network I/O .. ts:stat:: global proxy.process.net.connections_throttled_out integer :type: counter -.. ts:stat:: global proxy.process.net.max.active.connections_throttled_in integer +.. ts:stat:: global proxy.process.net.max.requests_throttled_in integer :type: counter .. ts:stat:: global proxy.process.net.default_inactivity_timeout_applied integer diff --git a/iocore/net/Net.cc b/iocore/net/Net.cc index 2ee21f9..f0cac5b 100644 --- a/iocore/net/Net.cc +++ b/iocore/net/Net.cc @@ -142,8 +142,8 @@ register_net_stats() (int)net_connections_throttled_in_stat, RecRawStatSyncSum); RecRegisterRawStat(net_rsb, RECT_PROCESS, "proxy.process.net.connections_throttled_out", RECD_INT, RECP_PERSISTENT, (int)net_connections_throttled_out_stat, RecRawStatSyncSum); - RecRegisterRawStat(net_rsb, RECT_PROCESS, "proxy.process.net.max.active.connections_throttled_in", RECD_INT, RECP_PERSISTENT, - (int)net_connections_max_active_throttled_in_stat, RecRawStatSyncSum); + RecRegisterRawStat(net_rsb, RECT_PROCESS, "proxy.process.net.max.requests_throttled_in", RECD_INT, RECP_PERSISTENT, + (int)net_requests_max_throttled_in_stat, RecRawStatSyncSum); } void dif
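Review bot: renaming the counter `proxy.process.net.max.active.connections_throttled_in` to `proxy.process.net.max.requests_throttled_in` (in both network-io.en.rst and the `RecRegisterRawStat` call in Net.cc) breaks any dashboard or alert keyed on the old name, and nothing in the hunks registers an alias. Because the stat is `RECP_PERSISTENT`, also confirm whether the value persisted under the old name is migrated or whether the new counter is expected to start from zero after upgrade, and call the rename out in the 9.0 release notes alongside the config-key rename it accompanies.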
[trafficserver] branch master updated: Assert non-zero HdrHeap object size (#6954)
This is an automated email from the ASF dual-hosted git repository. gancho pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/trafficserver.git The following commit(s) were added to refs/heads/master by this push: new 986d355 Assert non-zero HdrHeap object size (#6954) 986d355 is described below commit 986d355daf0fc97131e9d6ed22988563e59547c7 Author: Gancho Tenev <10522628+gte...@users.noreply.github.com> AuthorDate: Tue Jul 7 11:03:03 2020 -0700 Assert non-zero HdrHeap object size (#6954) HdrHeap object length cannot be 0 by design otherwise there is something wrong, i.e. possible memory corruption, in such cases iterating over HdrHeap objects would lead to infinite loop, i.e. during unmarshaling. --- proxy/hdrs/HdrHeap.cc | 12 1 file changed, 12 insertions(+) diff --git a/proxy/hdrs/HdrHeap.cc b/proxy/hdrs/HdrHeap.cc index 1452a8e..dfa387a 100644 --- a/proxy/hdrs/HdrHeap.cc +++ b/proxy/hdrs/HdrHeap.cc @@ -400,6 +400,9 @@ HdrHeap::evacuate_from_str_heaps(HdrStrHeap *new_heap) while (data < h->m_free_start) { HdrHeapObjImpl *obj = reinterpret_cast(data); + // Object length cannot be 0 by design, otherwise something is wrong + infinite loop here! + ink_release_assert(0 != obj->m_length); + switch (obj->m_type) { case HDR_HEAP_OBJ_URL: ((URLImpl *)obj)->move_strings(new_heap); @@ -440,6 +443,9 @@ HdrHeap::required_space_for_evacuation() while (data < h->m_free_start) { HdrHeapObjImpl *obj = reinterpret_cast(data); + // Object length cannot be 0 by design, otherwise something is wrong + infinite loop here! + ink_release_assert(0 != obj->m_length); + switch (obj->m_type) { case HDR_HEAP_OBJ_URL: ret += ((URLImpl *)obj)->strings_length(); 
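Review bot: `ink_release_assert(0 != obj->m_length)` in `evacuate_from_str_heaps` and `required_space_for_evacuation` turns a corrupted in-memory heap into an immediate abort, which is a reasonable tripwire for memory corruption, but the same three lines (comment plus assert) are now pasted into four loops; suggest a small inline helper invoked before each `switch (obj->m_type)` so the check cannot drift between call sites. The comment "Object length cannot be 0 by design, otherwise something is wrong + infinite loop here!" reads awkwardly; suggest "A zero length can only come from corruption and would make this loop spin forever."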
@@ -514,6 +520,9 @@ HdrHeap::sanity_check_strs() while (data < h->m_free_start) { HdrHeapObjImpl *obj = reinterpret_cast(data); + // Object length cannot be 0 by design, otherwise something is wrong + infinite loop here! + ink_release_assert(0 != obj->m_length); + switch (obj->m_type) { case HDR_HEAP_OBJ_URL: ((URLImpl *)obj)->check_strings(heaps, num_heaps); @@ -937,6 +946,9 @@ HdrHeap::unmarshal(int buf_length, int obj_type, HdrHeapObjImpl **found_obj, Ref HdrHeapObjImpl *obj = reinterpret_cast(obj_data); ink_assert(obj_is_aligned(obj)); +// Object length cannot be 0 by design, otherwise something is wrong + infinite loop here! +ink_release_assert(0 != obj->m_length); + if (obj->m_type == static_cast(obj_type) && *found_obj == nullptr) { *found_obj = obj; }
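Review bot: the `HdrHeap::unmarshal` hunk is different in kind from the other three: its input is data read back from the cache, so a zero `m_length` there is a corrupted (or crafted) cache object, not necessarily live memory corruption, and a release assert turns every hit on that object into a whole-process crash until it is evicted. `unmarshal` already returns a status, so suggest returning an error in that path and letting the caller drop the object, keeping the abort for the in-memory walks. While here, a non-zero but oversized `m_length` is just as dangerous for a walk over `buf_length` bytes; if it is not already bounded elsewhere, check `obj_data + obj->m_length` against the end of the buffer in the same place.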
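To make the failure mode the commit message describes concrete, here is an added C example written for this note; it is not Traffic Server code. It walks a run of length-prefixed objects in the style of the HdrHeap loops above, but instead of aborting it returns an error both for a zero length (which would otherwise never advance the cursor) and for a length that would run past the region. The `obj_hdr_t` layout, `walk_heap`, and the constructed buffers are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the object header the walk reads: a type tag and
 * the object's total length in bytes, header included. Field names mirror the
 * diff, but this is not the project's struct. */
typedef struct {
    uint32_t m_type;
    uint32_t m_length;
} obj_hdr_t;

#define WALK_CORRUPT (-1)

/* Walk the objects packed in [data, data+len). Returns the number of objects
 * found, or WALK_CORRUPT if a header is truncated, has zero length (the cursor
 * would never move), or claims more bytes than remain in the region. */
int walk_heap(const uint8_t *data, size_t len)
{
    const uint8_t *end = data + len;
    int count = 0;

    while (data < end) {
        size_t remaining = (size_t)(end - data);
        obj_hdr_t h;

        if (remaining < sizeof h)
            return WALK_CORRUPT;          /* truncated header */
        memcpy(&h, data, sizeof h);       /* copy out: no unaligned dereference */

        if (h.m_length == 0)
            return WALK_CORRUPT;          /* the case the patch asserts on */
        if (h.m_length < sizeof h || h.m_length > remaining)
            return WALK_CORRUPT;          /* overlaps its own header or overruns */

        data += h.m_length;
        count++;
    }
    return count;
}

/* Constructed helper: lay out n headers with the given m_length values.
 * A length smaller than the header still occupies one header slot so a
 * zero-length object can be planted. Returns bytes written, 0 if too small. */
static size_t build_region(uint8_t *buf, size_t cap, const uint32_t *lens, size_t n)
{
    size_t off = 0;
    for (size_t i = 0; i < n; i++) {
        size_t step = lens[i] >= sizeof(obj_hdr_t) ? lens[i] : sizeof(obj_hdr_t);
        obj_hdr_t h = { .m_type = 1, .m_length = lens[i] };
        if (off + step > cap)
            return 0;
        memset(buf + off, 0, step);
        memcpy(buf + off, &h, sizeof h);
        off += step;
    }
    return off;
}

/* Three sane objects: the walk terminates and counts them. */
int walk_good(void)
{
    uint8_t buf[64];
    const uint32_t lens[] = { 16, 24, 8 };
    size_t len = build_region(buf, sizeof buf, lens, 3);
    return walk_heap(buf, len);           /* 3 */
}

/* Second object has m_length == 0: an unchecked loop would spin forever. */
int walk_zero_length(void)
{
    uint8_t buf[64];
    const uint32_t lens[] = { 16, 0, 16 };
    size_t len = build_region(buf, sizeof buf, lens, 3);
    return walk_heap(buf, len);           /* WALK_CORRUPT */
}

/* Second object claims 1000 bytes inside a 32-byte region: rejected before
 * the walk reads past the buffer. */
int walk_overrun(void)
{
    uint8_t buf[32] = { 0 };
    obj_hdr_t a = { 1, 16 }, b = { 1, 1000 };
    memcpy(buf, &a, sizeof a);
    memcpy(buf + 16, &b, sizeof b);
    return walk_heap(buf, sizeof buf);    /* WALK_CORRUPT */
}

int main(void)
{
    printf("good=%d zero=%d overrun=%d\n",
           walk_good(), walk_zero_length(), walk_overrun());
    return 0;
}
```

The point of returning `WALK_CORRUPT` rather than aborting is the distinction raised in the review note: for data that came from disk or the network, the caller can refuse the object; for live in-process state, an abort remains the safer choice.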