MINOR: ssl: add pattern and ACLs fetches 'ssl_fc_protocol', 'ssl_fc_cipher', 'ssl_fc_use_keysize' and 'ssl_fc_alg_keysize' Some front connection fetches : - ssl_fc_protocol = protocol name (string) - ssl_fc_cipher = cipher name (string) - ssl_fc_use_keysize = symmetric cipher key size used in bits (integer) - ssl_fc_alg_keysize = symmetric cipher key size supported in bits (integer)

commit: 589fcadbd9cc4b2b7ddaed739a3fa5ef7fcfd793 [log] [tgz]
author: Emeric Brun <ebrun@exceliance.fr> Tue Oct 16 14:13:26 2012 +0200
committer: Willy Tarreau <w@1wt.eu> Fri Oct 26 15:07:59 2012 +0200
tree: 863d92cdcef5978695bd009f6a0c874803e8e0d6
parent: 2525b6bb92ec5fee18b775344de3ebcc1fab5516 [diff]
diff --git a/doc/configuration.txt b/doc/configuration.txt
index c7c6b4b..6450042 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt

@@ -8384,6 +8384,14 @@
   layer and is locally deciphered. This means it has matched a socket declared
   with a "bind" line having the "ssl" option.
 
+ssl_fc_alg_keysize <integer>
+  Returns true when the incoming connection was made over an SSL/TLS transport
+  layer and the symmetric cipher key size supported in bits matches the value.
+
+ssl_fc_cipher <string>
+  returns true when the incoming connection was made over an ssl/tls transport
+  layer and the name of the used cipher matches the string.
+
 ssl_fc_has_crt
   Returns true if a client certificate is present in an incoming connection over
   SSL/TLS transport layer. Useful if 'verify' statement is set to 'optional'.
@@ -8404,6 +8412,10 @@
   the "bind" line specifies a protocol list. Also, nothing forces the client to
   pick a protocol from this list, any other one may be requested.
 
+ssl_fc_protocol <string>
+  Returns true when the incoming connection was made over an SSL/TLS transport
+  layer and the name of the used protocol matches the string.
+
 ssl_fc_sni <string>
   Returns true when the incoming connection was made over an SSL/TLS transport
   layer which deciphered it and found a Server Name Indication TLS extension
@@ -8435,6 +8447,10 @@
   requires that the SSL library is build with support for TLS extensions
   enabled (check haproxy -vv).
 
+ssl_fc_use_keysize <integer>
+  Returns true when the incoming connection was made over an SSL/TLS transport
+  layer and the symmetric cipher key size used in bits matches the value.
+
 wait_end
   Waits for the end of the analysis period to return true. This may be used in
   conjunction with content analysis to avoid returning a wrong verdict early.
@@ -9048,6 +9064,14 @@
                and returns 1 if it was made via an SSL/TLS transport layer,
                otherwise zero.
 
+  ssl_fc_alg_keysize
+               Returns the symmetric cipher key size support d in bits when the
+               incoming connection was made over an SSL/TLS transport layer.
+
+  ssl_fc_cipher
+               Returns the name of the used cipher when the incoming connection
+               was made over an SSL/TLS transport layer.
+
   ssl_fc_has_crt
                Returns 1 if a client certificate is present in the front
                connection over SSL/TLS transport layer, otherwise 0.
@@ -9066,6 +9090,10 @@
                have been built with support for TLS extensions enabled (check
                haproxy -vv). See also the "npn" bind keyword.
 
+  ssl_fc_protocol
+               Returns the name of the used protocol when the incoming connection
+               was made over an SSL/TLS transport layer.
+
   ssl_fc_sni   This extracts the Server Name Indication field from an incoming
                connection made via an SSL/TLS transport layer and locally
                deciphered by haproxy. The result typically is a string matching
@@ -9073,6 +9101,10 @@
                have been built with support for TLS extensions enabled (check
                haproxy -vv).
 
+  ssl_fc_use_keysize
+               Returns the symmetric cipher key size used in bits when the
+               incoming connection was made over an SSL/TLS transport layer.
+
   url          This extracts the request's URL as presented in the request. A
                typical use is with prefetch-capable caches, and with portals
                which need to aggregate multiple information from databases and

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index ce0c67d..650b281 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c

@@ -1144,6 +1144,60 @@
 #endif
 }
 
+static int
+smp_fetch_ssl_fc_cipher(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
+                        const struct arg *args, struct sample *smp)
+{
+	smp->flags = 0;
+
+	if (!l4 || !l4->si[0].conn.xprt_ctx || l4->si[0].conn.xprt != &ssl_sock)
+		return 0;
+
+	smp->data.str.str = (char *)SSL_get_cipher_name(l4->si[0].conn.xprt_ctx);
+	if (!smp->data.str.str)
+		return 0;
+
+	smp->type = SMP_T_CSTR;
+	smp->data.str.len = strlen(smp->data.str.str);
+
+	return 1;
+}
+
+static int
+smp_fetch_ssl_fc_alg_keysize(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
+                             const struct arg *args, struct sample *smp)
+{
+	smp->flags = 0;
+
+	if (!l4 || !l4->si[0].conn.xprt_ctx || l4->si[0].conn.xprt != &ssl_sock)
+		return 0;
+
+	if (!SSL_get_cipher_bits(l4->si[0].conn.xprt_ctx, (int *)&smp->data.uint))
+		return 0;
+
+	smp->type = SMP_T_UINT;
+
+	return 1;
+}
+
+static int
+smp_fetch_ssl_fc_use_keysize(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
+                             const struct arg *args, struct sample *smp)
+{
+	smp->flags = 0;
+
+	if (!l4 || !l4->si[0].conn.xprt_ctx || l4->si[0].conn.xprt != &ssl_sock)
+		return 0;
+
+	smp->data.uint = (unsigned int)SSL_get_cipher_bits(l4->si[0].conn.xprt_ctx, NULL);
+	if (!smp->data.uint)
+		return 0;
+
+	smp->type = SMP_T_UINT;
+
+	return 1;
+}
+
 #ifdef OPENSSL_NPN_NEGOTIATED
 static int
 smp_fetch_ssl_fc_npn(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
@@ -1167,6 +1221,25 @@
 #endif
 
 static int
+smp_fetch_ssl_fc_protocol(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
+                          const struct arg *args, struct sample *smp)
+{
+	smp->flags = 0;
+
+	if (!l4 || !l4->si[0].conn.xprt_ctx || l4->si[0].conn.xprt != &ssl_sock)
+		return 0;
+
+	smp->data.str.str = (char *)SSL_get_version(l4->si[0].conn.xprt_ctx);
+	if (!smp->data.str.str)
+		return 0;
+
+	smp->type = SMP_T_CSTR;
+	smp->data.str.len = strlen(smp->data.str.str);
+
+	return 1;
+}
+
+static int
 smp_fetch_ssl_fc_sni(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
                      const struct arg *args, struct sample *smp)
 {
@@ -1760,11 +1833,15 @@
 	{ "ssl_c_err",              smp_fetch_ssl_c_err,          0,    NULL,    SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
 	{ "ssl_c_verify",           smp_fetch_ssl_c_verify,       0,    NULL,    SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
 	{ "ssl_fc",                 smp_fetch_ssl_fc,             0,    NULL,    SMP_T_BOOL, SMP_CAP_REQ|SMP_CAP_RES },
+	{ "ssl_fc_alg_keysize",     smp_fetch_ssl_fc_alg_keysize, 0,    NULL,    SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
+	{ "ssl_fc_cipher",          smp_fetch_ssl_fc_cipher,      0,    NULL,    SMP_T_CSTR, SMP_CAP_REQ|SMP_CAP_RES },
 	{ "ssl_fc_has_crt",         smp_fetch_ssl_fc_has_crt,     0,    NULL,    SMP_T_BOOL, SMP_CAP_REQ|SMP_CAP_RES },
 	{ "ssl_fc_has_sni",         smp_fetch_ssl_fc_has_sni,     0,    NULL,    SMP_T_BOOL, SMP_CAP_REQ|SMP_CAP_RES },
 #ifdef OPENSSL_NPN_NEGOTIATED
 	{ "ssl_fc_npn",             smp_fetch_ssl_fc_npn,         0,    NULL,    SMP_T_CSTR, SMP_CAP_REQ|SMP_CAP_RES },
 #endif
+	{ "ssl_fc_protocol",        smp_fetch_ssl_fc_protocol,    0,    NULL,    SMP_T_CSTR, SMP_CAP_REQ|SMP_CAP_RES },
+	{ "ssl_fc_use_keysize",     smp_fetch_ssl_fc_use_keysize, 0,    NULL,    SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
 	{ "ssl_fc_sni",             smp_fetch_ssl_fc_sni,         0,    NULL,    SMP_T_CSTR, SMP_CAP_REQ|SMP_CAP_RES },
 	{ NULL, NULL, 0, 0, 0 },
 }};
@@ -1778,11 +1855,15 @@
 	{ "ssl_c_err",              acl_parse_int, smp_fetch_ssl_c_err,          acl_match_int,     ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
 	{ "ssl_c_verify",           acl_parse_int, smp_fetch_ssl_c_verify,       acl_match_int,     ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
 	{ "ssl_fc",                 acl_parse_int, smp_fetch_ssl_fc,             acl_match_nothing, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
+	{ "ssl_fc_alg_keysize",     acl_parse_str, smp_fetch_ssl_fc_alg_keysize, acl_match_int,     ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
+	{ "ssl_fc_cipher",          acl_parse_str, smp_fetch_ssl_fc_cipher,      acl_match_str,     ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
 	{ "ssl_fc_has_crt",         acl_parse_int, smp_fetch_ssl_fc_has_crt,     acl_match_nothing, ACL_USE_L6REQ_PERMANENT, 0 },
 	{ "ssl_fc_has_sni",         acl_parse_int, smp_fetch_ssl_fc_has_sni,     acl_match_nothing, ACL_USE_L6REQ_PERMANENT, 0 },
 #ifdef OPENSSL_NPN_NEGOTIATED
 	{ "ssl_fc_npn",             acl_parse_str, smp_fetch_ssl_fc_npn,         acl_match_str,     ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
 #endif
+	{ "ssl_fc_protocol",        acl_parse_str, smp_fetch_ssl_fc_protocol,    acl_match_str,     ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
+	{ "ssl_fc_use_keysize",     acl_parse_str, smp_fetch_ssl_fc_use_keysize, acl_match_int,     ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
 	{ "ssl_fc_sni",             acl_parse_str, smp_fetch_ssl_fc_sni,         acl_match_str,     ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
 	{ "ssl_fc_sni_end",         acl_parse_str, smp_fetch_ssl_fc_sni,         acl_match_end,     ACL_USE_L6REQ_PERMANENT, 0 },
 	{ "ssl_fc_sni_reg",         acl_parse_reg, smp_fetch_ssl_fc_sni,         acl_match_reg,     ACL_USE_L6REQ_PERMANENT, 0 },
commit	589fcadbd9cc4b2b7ddaed739a3fa5ef7fcfd793	[log] [tgz]
author	Emeric Brun <ebrun@exceliance.fr>	Tue Oct 16 14:13:26 2012 +0200
committer	Willy Tarreau <w@1wt.eu>	Fri Oct 26 15:07:59 2012 +0200
tree	863d92cdcef5978695bd009f6a0c874803e8e0d6
parent	2525b6bb92ec5fee18b775344de3ebcc1fab5516 [diff]