[trafficserver] branch 9.0.x updated: Log whether client certs were exchanged in TLS handshake (#6699)

2020-07-07 Thread zwoop
This is an automated email from the ASF dual-hosted git repository.

zwoop pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/9.0.x by this push:
 new 513a80e  Log whether client certs were exchanged in TLS handshake (#6699)
513a80e is described below

commit 513a80e8d377e66be0435ff762c10f108059b74d
Author: Susan Hinrichs 
AuthorDate: Wed Jul 1 11:26:17 2020 -0500

Log whether client certs were exchanged in TLS handshake (#6699)

Log whether client certs were exchanged in TLS handshake

(cherry picked from commit 3ffd8acf0b5f3f6258270d8ffea1c28d9f412d9c)
---
 doc/admin-guide/logging/formatting.en.rst  | 46 +++
 iocore/net/I_NetVConnection.h  | 12 +
 iocore/net/P_SSLNetVConnection.h   | 30 
 iocore/net/SSLClientUtils.cc   | 16 +++
 proxy/http/HttpSM.cc   | 25 ++
 proxy/http/HttpSM.h| 39 
 proxy/logging/Log.cc   | 10 
 proxy/logging/LogAccess.cc | 38 
 proxy/logging/LogAccess.h  |  2 +
 proxy/private/SSLProxySession.cc   |  1 +
 proxy/private/SSLProxySession.h|  7 +++
 .../gold_tests/tls/gold/clientcert-accesslog.gold  |  9 
 tests/gold_tests/tls/gold/proxycert-accesslog.gold |  8 
 .../gold_tests/tls/gold/proxycert2-accesslog.gold  |  8 
 tests/gold_tests/tls/tls_client_cert.test.py   | 39 +---
 tests/gold_tests/tls/tls_client_cert2.test.py  | 21 +
 tests/gold_tests/tls/tls_client_verify.test.py | 53 --
 tests/gold_tests/tls/tls_tunnel.test.py| 17 +--
 18 files changed, 287 insertions(+), 94 deletions(-)

diff --git a/doc/admin-guide/logging/formatting.en.rst 
b/doc/admin-guide/logging/formatting.en.rst
index 5b98f0b..93df61c 100644
--- a/doc/admin-guide/logging/formatting.en.rst
+++ b/doc/admin-guide/logging/formatting.en.rst
@@ -597,35 +597,43 @@ SSL / Encryption
 
 
 .. _cssn:
+.. _cscert:
 .. _cqssl:
 .. _cqssr:
 .. _cqssv:
 .. _cqssc:
 .. _cqssu:
 .. _pqssl:
+.. _pscert:
 
 Fields which expose the use, or lack thereof, of specific SSL and encryption
 features.
 
-= == ==
-Field Source Description
-= == ==
-cssn  Client TLS SNI server name in client Hello message in TLS handshake.
-  Hello  If no server name present in Hello, or the transaction
- was not over TLS (over TCP), this field will contain
- ``-``.
-cqssl Client Request SSL client request status indicates if this client
- connection is over SSL.
-cqssr Client Request SSL session ticket reused status; indicates if the current
- request hit the SSL session ticket and avoided a full SSL
- handshake.
-cqssv Client Request SSL version used to communicate with the client.
-cqssc Client Request SSL Cipher used by |TS| to communicate with the client.
-cqssu Client Request SSL Elliptic Curve used by |TS| to communicate with the
- client when using an ECDHE cipher.
-pqssl Proxy Request  Indicates whether the connection from |TS| to the origin
- was over SSL or not.
-= == ==
+== == 
==
+Field  Source Description
+== == 
==
+cssn   Client TLS SNI server name in client Hello message in TLS handshake.
+   Hello  If no server name present in Hello, or the transaction
+  was not over TLS (over TCP), this field will contain
+  ``-``.
+cscert Client Request 1 if |TS| requested certificate from client during TLS
+  handshake. 0 otherwise.
+cqssl  Client Request SSL client request status indicates if this client
+  connection is over SSL.
+cqssr  Client Request SSL session ticket reused status; indicates if the 
current
+  request hit the SSL session ticket and avoided a full SSL
+  handshake.
+cqssv  Client Request SSL version used to communicate with the client.
+cqssc  Client Request SSL Cipher used by |TS| to communicate with the client.
+cqssu  Client Request SSL Elliptic Curve used by |TS| to communicate with the
+  client when using an ECDHE cipher.
+pqssl  Proxy Request  Indicates whether the connection from |TS| to the origin
+  was o
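Review bot: the `cscert` row says "1 if |TS| requested certificate from client during TLS handshake", but the commit title says the field logs whether client certs were exchanged; those are different events (the server can request a certificate and the client can answer with none), so the description should state which one the field reports, and whether a 1 also implies the presented chain was verified. The `.. _pscert:` label added above needs a matching row with the same clarification; that row is not visible in this excerpt, so its wording could not be checked.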

[trafficserver] branch 9.0.x updated: Update docs for some DNS config settings (#6969)

2020-07-07 Thread zwoop

zwoop pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/9.0.x by this push:
 new a3e7068  Update docs for some DNS config settings (#6969)
a3e7068 is described below

commit a3e70682c86541116f894b1e6c13841ebb3f088e
Author: Sudheer Vinukonda 
AuthorDate: Wed Jul 1 16:17:55 2020 -0700

Update docs for some DNS config settings (#6969)

(cherry picked from commit e5fcd1d415a96627917d03da47b86118751df7a5)
---
 doc/admin-guide/files/records.config.en.rst | 12 
 1 file changed, 12 insertions(+)

diff --git a/doc/admin-guide/files/records.config.en.rst 
b/doc/admin-guide/files/records.config.en.rst
index 217a362..6b87563 100644
--- a/doc/admin-guide/files/records.config.en.rst
+++ b/doc/admin-guide/files/records.config.en.rst
@@ -2527,6 +2527,18 @@ DNS
``2`` TCP_ONLY:  |TS| always talks to nameservers over TCP.
= ==
 
+.. ts:cv:: CONFIG proxy.config.dns.max_dns_in_flight INT 2048
+
+   Maximum inflight DNS queries made by |TS| at any given instant
+
+.. ts:cv:: CONFIG proxy.config.dns.lookup_timeout INT 20
+
+   Time to wait for a DNS response in seconds.
+
+.. ts:cv:: CONFIG proxy.config.dns.retries INT 5
+
+   Maximum number of retries made by |TS| on a given DNS query
+
 HostDB
 ==
 
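Review bot: `proxy.config.dns.max_dns_in_flight` is described only as "Maximum inflight DNS queries" and does not say what happens to a lookup once the cap is reached (queued, delayed, or failed), which is exactly what an operator tuning it against resolver overload needs to know; likewise `lookup_timeout` and `retries` should say whether the timeout applies per attempt so the worst case wait (timeout times retries) is clear. Minor: only the `lookup_timeout` description ends with a period, and other entries in this file carry `:reloadable:` where it applies; add it here if these settings take effect on reload.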



[trafficserver] branch 9.0.x updated: RateLimiting and Connection Config changes (#6968)

2020-07-07 Thread zwoop

zwoop pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/9.0.x by this push:
 new e529965  RateLimiting and Connection Config changes (#6968)
e529965 is described below

commit e5299650fd7680184f2ee3602ed238e0c4014641
Author: Sudheer Vinukonda 
AuthorDate: Thu Jul 2 09:29:01 2020 -0700

RateLimiting and Connection Config changes (#6968)

Conn config renaming to support a protocol-agnostic
rate limiter (using request concurrency as opposed to
active connections)

(cherry picked from commit e2a0d8cf580b0e954848fbc645a77040ebcbd1f3)
---
 doc/admin-guide/files/records.config.en.rst| 27 
 .../monitoring/statistics/core/network-io.en.rst   |  2 +-
 iocore/net/Net.cc  |  4 +--
 iocore/net/P_Net.h |  2 +-
 iocore/net/P_UnixNet.h |  6 ++--
 iocore/net/UnixNet.cc  | 36 ++
 mgmt/RecordsConfig.cc  |  2 +-
 7 files changed, 39 insertions(+), 40 deletions(-)

diff --git a/doc/admin-guide/files/records.config.en.rst 
b/doc/admin-guide/files/records.config.en.rst
index a9db974..217a362 100644
--- a/doc/admin-guide/files/records.config.en.rst
+++ b/doc/admin-guide/files/records.config.en.rst
@@ -414,19 +414,20 @@ Network
 
 .. ts:cv:: CONFIG proxy.config.net.max_connections_in INT 3
 
-   The total number of client connections that the :program:`traffic_server`
-   can handle simultaneously. This should be tuned according to your memory 
size,
-   and expected work load (network, cpu etc). This limit includes both 
keepalive
-   and active client connections that :program:`traffic_server` can handle at
-   any given instant.
-
-.. ts:cv:: CONFIG proxy.config.net.max_active_connections_in INT 1
-
-   The total number of active client connections that the |TS| can handle
-   simultaneously. This should be tuned according to your memory size,
-   and expected work load (network, cpu etc). If this is set to 0, active
-   connection tracking is disabled and active connections have no separate
-   limit and the total connections follow 
`proxy.config.net.connections_throttle`
+   The total number of client requests that |TS| can handle simultaneously.
+   This should be tuned according to your memory size, and expected work load
+   (network, cpu etc). This limit includes both idle (keep alive) connections
+   and active requests that |TS| can handle at any given instant. The delta
+   between `proxy.config.net.max_connections_in` and 
`proxy.config.net.max_requests_in`
+   is the amount of maximum idle (keepalive) connections |TS| will maintain.
+
+.. ts:cv:: CONFIG proxy.config.net.max_requests_in INT 0
+
+   The total number of concurrent requests or active client connections
+   that the |TS| can handle simultaneously. This should be tuned according
+   to your memory size, and expected work load (network, cpu etc). When
+   set to 0, active request tracking is disabled and max requests has no
+   separate limit and the total connections follow 
`proxy.config.net.connections_throttle`
 
 .. ts:cv:: CONFIG proxy.config.net.default_inactivity_timeout INT 86400
:reloadable:
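Review bot: renaming `proxy.config.net.max_active_connections_in` to `proxy.config.net.max_requests_in` drops the old key from the docs without a deprecation note, so an existing records.config that sets the old name will silently stop limiting anything after upgrade; list the old name as deprecated here and call the rename out in the upgrade notes. Also, "The delta between `proxy.config.net.max_connections_in` and `proxy.config.net.max_requests_in` is the amount of maximum idle (keepalive) connections" only holds when `max_requests_in` is non-zero; with the documented default of 0 request tracking is disabled and there is no such delta, so qualify the sentence. Style: "that the |TS| can handle" should read "that |TS| can handle", and the final `connections_throttle` line is missing its period.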
diff --git a/doc/admin-guide/monitoring/statistics/core/network-io.en.rst 
b/doc/admin-guide/monitoring/statistics/core/network-io.en.rst
index 3777359..5ea7687 100644
--- a/doc/admin-guide/monitoring/statistics/core/network-io.en.rst
+++ b/doc/admin-guide/monitoring/statistics/core/network-io.en.rst
@@ -66,7 +66,7 @@ Network I/O
 .. ts:stat:: global proxy.process.net.connections_throttled_out integer
:type: counter
 
-.. ts:stat:: global proxy.process.net.max.active.connections_throttled_in 
integer
+.. ts:stat:: global proxy.process.net.max.requests_throttled_in integer
:type: counter
 
 .. ts:stat:: global proxy.process.net.default_inactivity_timeout_applied 
integer
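Review bot: the counter `proxy.process.net.max.active.connections_throttled_in` is replaced by `proxy.process.net.max.requests_throttled_in` with no mention of the old name, so any dashboard or alert keyed on the old stat goes quiet after the upgrade, which is the opposite of what you want from a throttling signal. Keep the old name listed as deprecated, or note the rename in the upgrade notes, so operators re-point their monitoring.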
diff --git a/iocore/net/Net.cc b/iocore/net/Net.cc
index 2ee21f9..f0cac5b 100644
--- a/iocore/net/Net.cc
+++ b/iocore/net/Net.cc
@@ -142,8 +142,8 @@ register_net_stats()
  (int)net_connections_throttled_in_stat, 
RecRawStatSyncSum);
   RecRegisterRawStat(net_rsb, RECT_PROCESS, 
"proxy.process.net.connections_throttled_out", RECD_INT, RECP_PERSISTENT,
  (int)net_connections_throttled_out_stat, 
RecRawStatSyncSum);
-  RecRegisterRawStat(net_rsb, RECT_PROCESS, 
"proxy.process.net.max.active.connections_throttled_in", RECD_INT, 
RECP_PERSISTENT,
- (int)net_connections_max_active_throttled_in_stat, 
RecRawStatSyncSum);
+  RecRegisterRawStat(net_rsb, RECT_PROCESS, 
"proxy.process.net.max.requests_throttled_in", RECD_INT, RECP_PERSISTENT,
+ (int)net_requests_max_throttled_in_stat, 
RecRawStatSyncSum);
 }
 
 void
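Review bot: the stat is registered `RECP_PERSISTENT` under the new name, so the persisted value of the old `proxy.process.net.max.active.connections_throttled_in` is orphaned and the new counter starts from zero after the upgrade; acceptable, but worth one line in the commit message or release notes. The rename of the enum from `net_connections_max_active_throttled_in_stat` to `net_requests_max_throttled_in_stat` is not in this hunk (the diffstat lists `iocore/net/P_Net.h` and `P_UnixNet.h`), so confirm no other registration or increment site still references the old identifier.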
dif

[trafficserver] branch master updated: Assert non-zero HdrHeap object size (#6954)

2020-07-07 Thread gancho

gancho pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/master by this push:
 new 986d355  Assert non-zero HdrHeap object size (#6954)
986d355 is described below

commit 986d355daf0fc97131e9d6ed22988563e59547c7
Author: Gancho Tenev <10522628+gte...@users.noreply.github.com>
AuthorDate: Tue Jul 7 11:03:03 2020 -0700

Assert non-zero HdrHeap object size (#6954)

HdrHeap object length cannot be 0 by design; otherwise there is something
wrong, i.e. possible memory corruption. In such cases iterating over
HdrHeap objects would lead to an infinite loop, i.e. during unmarshaling.
---
 proxy/hdrs/HdrHeap.cc | 12 
 1 file changed, 12 insertions(+)

diff --git a/proxy/hdrs/HdrHeap.cc b/proxy/hdrs/HdrHeap.cc
index 1452a8e..dfa387a 100644
--- a/proxy/hdrs/HdrHeap.cc
+++ b/proxy/hdrs/HdrHeap.cc
@@ -400,6 +400,9 @@ HdrHeap::evacuate_from_str_heaps(HdrStrHeap *new_heap)
 while (data < h->m_free_start) {
   HdrHeapObjImpl *obj = reinterpret_cast(data);
 
+  // Object length cannot be 0 by design, otherwise something is wrong + 
infinite loop here!
+  ink_release_assert(0 != obj->m_length);
+
   switch (obj->m_type) {
   case HDR_HEAP_OBJ_URL:
 ((URLImpl *)obj)->move_strings(new_heap);
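Review bot: `ink_release_assert(0 != obj->m_length)` guarantees the loop makes progress, but a non-zero `m_length` that is larger than the remaining space still carries `data` past `h->m_free_start` before the `while` condition notices, and the object is dispatched through the `switch` first; since the intent is "corrupt heap, stop here", assert the bound as well, e.g. `ink_release_assert(obj->m_length != 0 && data + obj->m_length <= h->m_free_start);`. The comment "something is wrong + infinite loop here!" reads like a scratch note; "a zero length would never advance `data` and loop forever" says the same thing.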
@@ -440,6 +443,9 @@ HdrHeap::required_space_for_evacuation()
 while (data < h->m_free_start) {
   HdrHeapObjImpl *obj = reinterpret_cast(data);
 
+  // Object length cannot be 0 by design, otherwise something is wrong + 
infinite loop here!
+  ink_release_assert(0 != obj->m_length);
+
   switch (obj->m_type) {
   case HDR_HEAP_OBJ_URL:
 ret += ((URLImpl *)obj)->strings_length();
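Review bot: this is the second of four copies of the same three-line check in one file (also in `evacuate_from_str_heaps`, `sanity_check_strs` and `unmarshal`); move it into a small inline helper such as `check_obj_length(obj, h)` so the condition and its message stay in one place when the check is tightened.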
@@ -514,6 +520,9 @@ HdrHeap::sanity_check_strs()
 while (data < h->m_free_start) {
   HdrHeapObjImpl *obj = reinterpret_cast(data);
 
+  // Object length cannot be 0 by design, otherwise something is wrong + 
infinite loop here!
+  ink_release_assert(0 != obj->m_length);
+
   switch (obj->m_type) {
   case HDR_HEAP_OBJ_URL:
 ((URLImpl *)obj)->check_strings(heaps, num_heaps);
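Review bot: `sanity_check_strs` is by name the validation routine, so aborting the process with `ink_release_assert` on a bad `m_length` is an odd fit; a sanity check should report the failure (return false or log the offending offset) and let the caller decide, leaving the hard assert to the mutating paths.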
@@ -937,6 +946,9 @@ HdrHeap::unmarshal(int buf_length, int obj_type, 
HdrHeapObjImpl **found_obj, Ref
 HdrHeapObjImpl *obj = reinterpret_cast(obj_data);
 ink_assert(obj_is_aligned(obj));
 
+// Object length cannot be 0 by design, otherwise something is wrong + 
infinite loop here!
+ink_release_assert(0 != obj->m_length);
+
 if (obj->m_type == static_cast(obj_type) && *found_obj == 
nullptr) {
   *found_obj = obj;
 }
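Review bot: `unmarshal` is the one path here that reads data that did not originate in this process (a serialized header coming back from the cache), so `ink_release_assert` turns a corrupt or hostile cache object into a process abort on every hit of that object until it is evicted. That is still better than the infinite loop it replaces, but prefer failing the unmarshal (return an error so the caller can drop the entry and re-fetch) over aborting. Note also the asymmetry two lines up: the alignment check is a debug-only `ink_assert` while the length check is a release assert; both guard the same invariant and should be the same kind.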
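The commit message above describes why a zero-length object in a packed heap is fatal: the walk never advances and spins forever. Below is an added example, not Apache Traffic Server code, of a bounded walk over such a heap that returns an error code instead of asserting. The record layout (4-byte type, 4-byte length that counts the header) and all names in the `heapwalk` namespace are hypothetical; the sample heaps are constructed inline. It goes one step beyond the patch by also rejecting a non-zero length that would carry the cursor past the end of the heap.

```cpp
// Added example, not Apache Traffic Server code: a bounded walk over a packed
// object heap in the style of the HdrHeap loops patched above. The record
// layout (4-byte type, 4-byte length counting the header) is hypothetical;
// the invariant is that every object advances the cursor and stays inside
// [data, free_start), so corrupt input is reported rather than looping forever.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

namespace heapwalk {

struct ObjHeader {
  uint32_t type;
  uint32_t length; // total bytes of the object, header included
};

enum class WalkError { Ok, ZeroLength, ShortObject, Overrun, Misaligned };

struct WalkResult {
  WalkError error;
  size_t objects; // objects visited before stopping
  size_t offset;  // offset of the first bad object, or free_start on success
};

// Same loop shape as the patched ATS code (`while (data < h->m_free_start)`),
// but the length is validated before it is used to advance the cursor.
inline WalkResult walk(const uint8_t *data, size_t free_start) {
  WalkResult r{WalkError::Ok, 0, 0};
  size_t off = 0;
  while (off < free_start) {
    r.offset = off;
    if (off % alignof(ObjHeader) != 0) {
      r.error = WalkError::Misaligned;
      return r;
    }
    if (free_start - off < sizeof(ObjHeader)) {
      r.error = WalkError::ShortObject; // truncated header at the tail
      return r;
    }
    ObjHeader h;
    std::memcpy(&h, data + off, sizeof h);
    if (h.length == 0) {
      r.error = WalkError::ZeroLength; // the patch's case: no progress, infinite loop
      return r;
    }
    if (h.length < sizeof(ObjHeader)) {
      r.error = WalkError::ShortObject; // next header would overlap this one
      return r;
    }
    if (h.length > free_start - off) {
      r.error = WalkError::Overrun; // non-zero, but points past the heap
      return r;
    }
    off += h.length;
    ++r.objects;
  }
  r.offset = off;
  return r;
}

inline WalkResult walk_vec(const std::vector<uint8_t> &heap) {
  return walk(heap.data(), heap.size());
}

// Constructed sample heaps (not captured from ATS).
inline void append(std::vector<uint8_t> &buf, uint32_t type, uint32_t length, size_t payload) {
  ObjHeader h{type, length};
  const uint8_t *p = reinterpret_cast<const uint8_t *>(&h);
  buf.insert(buf.end(), p, p + sizeof h);
  buf.insert(buf.end(), payload, static_cast<uint8_t>(0xAB));
}

inline std::vector<uint8_t> good_heap() {
  std::vector<uint8_t> b;
  append(b, 1, 16, 8);  // 8-byte header + 8-byte payload
  append(b, 2, 8, 0);   // header only
  append(b, 3, 24, 16); // 48 bytes in total, three objects
  return b;
}

inline std::vector<uint8_t> zero_length_heap() {
  std::vector<uint8_t> b;
  append(b, 1, 16, 8);
  append(b, 2, 0, 8); // corrupted: length 0 at offset 16
  return b;
}

inline std::vector<uint8_t> overrun_heap() {
  std::vector<uint8_t> b;
  append(b, 1, 16, 8);
  append(b, 2, 4096, 8); // claims 4096 bytes when only 16 remain
  return b;
}

} // namespace heapwalk
```

The walk reports the offset of the first bad object, which is what a caller reading a serialized heap from disk or cache wants: it can log the offset, discard the entry and re-fetch, rather than aborting the whole process the way a release assert does. The zero-length check alone is enough to guarantee termination; the overrun and short-object checks are what stop a non-zero but wrong length from being dereferenced.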