MINOR: ssl: Add new ssl_bc_hsk_err sample fetch
This new sample fetch, along with the ssl_bc_hsk_err_str fetch, contains the
last SSL error of the error stack that occurred during the SSL
handshake (from the backend's perspective).
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 182ecc6..dbbf19e 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -18646,6 +18646,20 @@
sent using ephemeral ciphers. This requires OpenSSL >= 1.1.0, or BoringSSL.
It can be used in a tcp-check or an http-check ruleset.
+ssl_bc_hsk_err : integer
+ When the outgoing connection was made over an SSL/TLS transport layer,
+ returns the ID of the latest error that happened during the handshake on the
+ backend side, or 0 if no error was encountered. In order to get a text
+ description of this error code, you can either use the "ssl_bc_hsk_err_str"
+ sample fetch or use the "openssl errstr" command (which takes an error code
+ in hexadecimal representation as parameter). Please refer to your SSL
+ library's documentation to find the exhaustive list of error codes.
+
+ssl_bc_hsk_err_str : string
+ When the outgoing connection was made over an SSL/TLS transport layer,
+ returns a string representation of the latest error that happened during the
+ handshake on the backend side. See also "ssl_fc_hsk_err".
+
ssl_bc_is_resumed : boolean
Returns true when the back connection was made over an SSL/TLS transport
layer and the newly created SSL session was resumed using a cached
diff --git a/src/ssl_sample.c b/src/ssl_sample.c
index aa9a547..f93ae0a 100644
--- a/src/ssl_sample.c
+++ b/src/ssl_sample.c
@@ -1212,7 +1212,12 @@
struct connection *conn;
struct ssl_sock_ctx *ctx;
- conn = objt_conn(smp->sess->origin);
+ if (obj_type(smp->sess->origin) == OBJ_TYPE_CHECK)
+ conn = (kw[4] == 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL;
+ else
+ conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
+ smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
+
if (!conn || conn->xprt != &ssl_sock)
return 0;
ctx = conn->xprt_ctx;
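Review bot: The side selection on the added lines hinges on the bare index `kw[4]`, which only works because every keyword routed to this function is spelled `ssl_fc_...` or `ssl_bc_...`, and nothing in the hunk says so. I would add a comment above the `if`, such as `/* kw is "ssl_fc_*" or "ssl_bc_*": kw[4] == 'b' selects the server-side connection, including the one owned by a health check */`. The same five lines are added verbatim in the next hunk (-1260/+1265), so a small static helper taking `smp` and `kw` would keep the two fetches from drifting apart. Both function bodies start and end outside their hunks, so how `ctx` is validated after `ctx = conn->xprt_ctx;` is not visible here.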
@@ -1260,7 +1265,12 @@
struct ssl_sock_ctx *ctx;
const char *err_code_str;
- conn = objt_conn(smp->sess->origin);
+ if (obj_type(smp->sess->origin) == OBJ_TYPE_CHECK)
+ conn = (kw[4] == 'b') ? cs_conn(__objt_check(smp->sess->origin)->cs) : NULL;
+ else
+ conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
+ smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
+
if (!conn || conn->xprt != &ssl_sock)
return 0;
ctx = conn->xprt_ctx;
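Review bot: Nothing in the commit states which connection's handshake error the backend variants report. The lookup goes through `smp->strm->si[1].end` at evaluation time, so the result presumably describes whichever server-side connection is attached to the stream at that moment, and the fetch returns no sample at all when `smp->strm` is NULL or no connection is attached. Since these fetches are mostly of interest for logging backend handshake failures (a certificate verification error, for instance), the documentation should say where they are meant to be evaluated and what happens after a retry, if that can replace the failed connection. Separately, the new `ssl_bc_hsk_err_str` entry ends with `See also "ssl_fc_hsk_err"`, where `ssl_bc_hsk_err` looks like the intended reference. Neither new entry says whether it can be used in a tcp-check or http-check ruleset, although the code adds an `OBJ_TYPE_CHECK` path for it.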
@@ -1669,6 +1679,8 @@
{ "ssl_bc_server_random", smp_fetch_ssl_fc_random, 0, NULL, SMP_T_BIN, SMP_USE_L5SRV },
{ "ssl_bc_session_key", smp_fetch_ssl_fc_session_key, 0, NULL, SMP_T_BIN, SMP_USE_L5SRV },
#endif
+ { "ssl_bc_hsk_err", smp_fetch_ssl_fc_hsk_err, 0, NULL, SMP_T_SINT, SMP_USE_L5SRV },
+ { "ssl_bc_hsk_err_str", smp_fetch_ssl_fc_hsk_err_str, 0, NULL, SMP_T_STR, SMP_USE_L5SRV },
{ "ssl_c_ca_err", smp_fetch_ssl_c_ca_err, 0, NULL, SMP_T_SINT, SMP_USE_L5CLI },
{ "ssl_c_ca_err_depth", smp_fetch_ssl_c_ca_err_depth, 0, NULL, SMP_T_SINT, SMP_USE_L5CLI },
{ "ssl_c_der", smp_fetch_ssl_x_der, 0, NULL, SMP_T_BIN, SMP_USE_L5CLI },