void logsslstats(SSL *reference)
{
char sglobal[1024];
p_log(LOG_INFO,-1, lngtxt(613));
if(reference==NULL)
p_log(LOG_INFO,-1,lngtxt(614));
else
{
if(SSL_get_shared_ciphers(reference,sglobal,1023)==NULL)
strmncpy(sglobal,lngtxt(615),sizeof(sglobal));
p_log(LOG_INFO,-1,lngtxt(616),sglobal);
}
p_log(LOG_INFO,-1, lngtxt(617),
SSL_CTX_sess_number(srvctx)+SSL_CTX_sess_number(clnctx));
p_log(LOG_INFO,-1, lngtxt(618),
SSL_CTX_sess_connect(srvctx)+SSL_CTX_sess_connect(clnctx));
p_log(LOG_INFO,-1, lngtxt(619),
SSL_CTX_sess_connect_good(srvctx)+SSL_CTX_sess_connect_good(clnctx));
#if SSLEAY_VERSION_NUMBER >= 0x0922
p_log(LOG_INFO,-1, lngtxt(620),
SSL_CTX_sess_connect_renegotiate(srvctx)+SSL_CTX_sess_connect_renegotiate(clnctx));
#endif
p_log(LOG_INFO,-1, lngtxt(621),
SSL_CTX_sess_accept(srvctx)+SSL_CTX_sess_accept(clnctx));
p_log(LOG_INFO,-1, lngtxt(622),
SSL_CTX_sess_accept_good(srvctx)+SSL_CTX_sess_accept_good(clnctx));
#if SSLEAY_VERSION_NUMBER >= 0x0922
p_log(LOG_INFO,-1, lngtxt(623),
SSL_CTX_sess_accept_renegotiate(srvctx)+SSL_CTX_sess_accept_renegotiate(clnctx));
#endif
p_log(LOG_INFO,-1, lngtxt(624), SSL_CTX_sess_hits(srvctx)+SSL_CTX_sess_hits(clnctx));
p_log(LOG_INFO,-1, lngtxt(625), SSL_CTX_sess_misses(srvctx)+SSL_CTX_sess_misses(clnctx));
p_log(LOG_INFO,-1, lngtxt(626), SSL_CTX_sess_timeouts(srvctx)+SSL_CTX_sess_timeouts(clnctx));
p_log(LOG_INFO,-1, lngtxt(627));
return;
}
static void print_stats(void) { /* print statistics */
printf("%4ld items in the session cache\r\n",
SSL_CTX_sess_number(pSSLSrvCtx));
printf("%4ld client connects (SSL_connect())\r\n",
SSL_CTX_sess_connect(pSSLSrvCtx));
printf("%4ld client connects that finished\r\n",
SSL_CTX_sess_connect_good(pSSLSrvCtx));
#if SSLEAY_VERSION_NUMBER >= 0x0922
printf("%4ld client renegotiatations requested\r\n",
SSL_CTX_sess_connect_renegotiate(pSSLSrvCtx));
#endif
printf("%4ld server connects (SSL_accept())\r\n",
SSL_CTX_sess_accept(pSSLSrvCtx));
printf("%4ld server connects that finished\r\n",
SSL_CTX_sess_accept_good(pSSLSrvCtx));
#if SSLEAY_VERSION_NUMBER >= 0x0922
printf("%4ld server renegotiatiations requested\r\n",
SSL_CTX_sess_accept_renegotiate(pSSLSrvCtx));
#endif
printf("%4ld session cache hits\r\n", SSL_CTX_sess_hits(pSSLSrvCtx));
printf("%4ld session cache misses\r\n", SSL_CTX_sess_misses(pSSLSrvCtx));
printf("%4ld session cache timeouts\r\n", SSL_CTX_sess_timeouts(pSSLSrvCtx));
}
/*
* call-seq:
* ctx.session_cache_stats -> Hash
*
*/
static VALUE
ossl_sslctx_get_session_cache_stats(VALUE self)
{
SSL_CTX *ctx;
VALUE hash;
Data_Get_Struct(self, SSL_CTX, ctx);
hash = rb_hash_new();
rb_hash_aset(hash, ID2SYM(rb_intern("cache_num")), LONG2NUM(SSL_CTX_sess_number(ctx)));
rb_hash_aset(hash, ID2SYM(rb_intern("connect")), LONG2NUM(SSL_CTX_sess_connect(ctx)));
rb_hash_aset(hash, ID2SYM(rb_intern("connect_good")), LONG2NUM(SSL_CTX_sess_connect_good(ctx)));
rb_hash_aset(hash, ID2SYM(rb_intern("connect_renegotiate")), LONG2NUM(SSL_CTX_sess_connect_renegotiate(ctx)));
rb_hash_aset(hash, ID2SYM(rb_intern("accept")), LONG2NUM(SSL_CTX_sess_accept(ctx)));
rb_hash_aset(hash, ID2SYM(rb_intern("accept_good")), LONG2NUM(SSL_CTX_sess_accept_good(ctx)));
rb_hash_aset(hash, ID2SYM(rb_intern("accept_renegotiate")), LONG2NUM(SSL_CTX_sess_accept_renegotiate(ctx)));
rb_hash_aset(hash, ID2SYM(rb_intern("cache_hits")), LONG2NUM(SSL_CTX_sess_hits(ctx)));
rb_hash_aset(hash, ID2SYM(rb_intern("cb_hits")), LONG2NUM(SSL_CTX_sess_cb_hits(ctx)));
rb_hash_aset(hash, ID2SYM(rb_intern("cache_misses")), LONG2NUM(SSL_CTX_sess_misses(ctx)));
rb_hash_aset(hash, ID2SYM(rb_intern("cache_full")), LONG2NUM(SSL_CTX_sess_cache_full(ctx)));
rb_hash_aset(hash, ID2SYM(rb_intern("timeouts")), LONG2NUM(SSL_CTX_sess_timeouts(ctx)));
return hash;
}
static void print_stats(BIO *bio, SSL_CTX *ssl_ctx)
{
BIO_printf(bio,"%4ld items in the session cache\n",
SSL_CTX_sess_number(ssl_ctx));
BIO_printf(bio,"%4ld client connects (SSL_connect())\n",
SSL_CTX_sess_connect(ssl_ctx));
BIO_printf(bio,"%4ld client renegotiates (SSL_connect())\n",
SSL_CTX_sess_connect_renegotiate(ssl_ctx));
BIO_printf(bio,"%4ld client connects that finished\n",
SSL_CTX_sess_connect_good(ssl_ctx));
BIO_printf(bio,"%4ld server accepts (SSL_accept())\n",
SSL_CTX_sess_accept(ssl_ctx));
BIO_printf(bio,"%4ld server renegotiates (SSL_accept())\n",
SSL_CTX_sess_accept_renegotiate(ssl_ctx));
BIO_printf(bio,"%4ld server accepts that finished\n",
SSL_CTX_sess_accept_good(ssl_ctx));
BIO_printf(bio,"%4ld session cache hits\n",SSL_CTX_sess_hits(ssl_ctx));
BIO_printf(bio,"%4ld session cache misses\n",SSL_CTX_sess_misses(ssl_ctx));
BIO_printf(bio,"%4ld session cache timeouts\n",SSL_CTX_sess_timeouts(ssl_ctx));
BIO_printf(bio,"%4ld callback cache hits\n",SSL_CTX_sess_cb_hits(ssl_ctx));
BIO_printf(bio,"%4ld cache full overflows (%ld allowed)\n",
SSL_CTX_sess_cache_full(ssl_ctx),
SSL_CTX_sess_get_cache_size(ssl_ctx));
}
NOEXPORT void info_callback(const SSL *ssl, int where, int ret) {
CLI *c;
SSL_CTX *ctx;
const char *state_string;
c=SSL_get_ex_data((SSL *)ssl, index_cli);
if(c) {
int state=SSL_get_state((SSL *)ssl);
#if 0
s_log(LOG_DEBUG, "state = %x", state);
#endif
/* log the client certificate request (if received) */
#ifndef SSL3_ST_CR_CERT_REQ_A
if(state==TLS_ST_CR_CERT_REQ)
#else
if(state==SSL3_ST_CR_CERT_REQ_A)
#endif
print_client_CA_list(SSL_get_client_CA_list(ssl));
#ifndef SSL3_ST_CR_SRVR_DONE_A
if(state==TLS_ST_CR_SRVR_DONE)
#else
if(state==SSL3_ST_CR_SRVR_DONE_A)
#endif
if(!SSL_get_client_CA_list(ssl))
s_log(LOG_INFO, "Client certificate not requested");
/* prevent renegotiation DoS attack */
if((where&SSL_CB_HANDSHAKE_DONE)
&& c->reneg_state==RENEG_INIT) {
/* first (initial) handshake was completed, remember this,
* so that further renegotiation attempts can be detected */
c->reneg_state=RENEG_ESTABLISHED;
} else if((where&SSL_CB_ACCEPT_LOOP)
&& c->reneg_state==RENEG_ESTABLISHED) {
#ifndef SSL3_ST_SR_CLNT_HELLO_A
if(state==TLS_ST_SR_CLNT_HELLO
|| state==TLS_ST_SR_CLNT_HELLO) {
#else
if(state==SSL3_ST_SR_CLNT_HELLO_A
|| state==SSL23_ST_SR_CLNT_HELLO_A) {
#endif
/* client hello received after initial handshake,
* this means renegotiation -> mark it */
c->reneg_state=RENEG_DETECTED;
}
}
if(c->opt->log_level<LOG_DEBUG) /* performance optimization */
return;
}
if(where & SSL_CB_LOOP) {
state_string=SSL_state_string_long(ssl);
if(strcmp(state_string, "unknown state"))
s_log(LOG_DEBUG, "SSL state (%s): %s",
where & SSL_ST_CONNECT ? "connect" :
where & SSL_ST_ACCEPT ? "accept" :
"undefined", state_string);
} else if(where & SSL_CB_ALERT) {
s_log(LOG_DEBUG, "SSL alert (%s): %s: %s",
where & SSL_CB_READ ? "read" : "write",
SSL_alert_type_string_long(ret),
SSL_alert_desc_string_long(ret));
} else if(where==SSL_CB_HANDSHAKE_DONE) {
ctx=SSL_get_SSL_CTX((SSL *)ssl);
if(c->opt->option.client) {
s_log(LOG_DEBUG, "%6ld client connect(s) requested",
SSL_CTX_sess_connect(ctx));
s_log(LOG_DEBUG, "%6ld client connect(s) succeeded",
SSL_CTX_sess_connect_good(ctx));
s_log(LOG_DEBUG, "%6ld client renegotiation(s) requested",
SSL_CTX_sess_connect_renegotiate(ctx));
} else {
s_log(LOG_DEBUG, "%6ld server accept(s) requested",
SSL_CTX_sess_accept(ctx));
s_log(LOG_DEBUG, "%6ld server accept(s) succeeded",
SSL_CTX_sess_accept_good(ctx));
s_log(LOG_DEBUG, "%6ld server renegotiation(s) requested",
SSL_CTX_sess_accept_renegotiate(ctx));
}
/* according to the source it not only includes internal
and external session caches, but also session tickets */
s_log(LOG_DEBUG, "%6ld session reuse(s)",
SSL_CTX_sess_hits(ctx));
if(!c->opt->option.client) { /* server session cache stats */
s_log(LOG_DEBUG, "%6ld internal session cache item(s)",
SSL_CTX_sess_number(ctx));
s_log(LOG_DEBUG, "%6ld internal session cache fill-up(s)",
SSL_CTX_sess_cache_full(ctx));
s_log(LOG_DEBUG, "%6ld internal session cache miss(es)",
SSL_CTX_sess_misses(ctx));
s_log(LOG_DEBUG, "%6ld external session cache hit(s)",
SSL_CTX_sess_cb_hits(ctx));
s_log(LOG_DEBUG, "%6ld expired session(s) retrieved",
SSL_CTX_sess_timeouts(ctx));
}
}
}
/**************************************** SSL error reporting */
void sslerror(char *txt) { /* OpenSSL error handler */
unsigned long err;
err=ERR_get_error();
if(err) {
sslerror_queue();
sslerror_log(err, txt);
} else {
s_log(LOG_ERR, "%s: Peer suddenly disconnected", txt);
}
}
NOEXPORT void info_callback(
#if OPENSSL_VERSION_NUMBER>=0x0090700fL
const
#endif
SSL *ssl, int where, int ret) {
CLI *c;
c=SSL_get_ex_data(ssl, cli_index);
if(c) {
if((where&SSL_CB_HANDSHAKE_DONE)
&& c->reneg_state==RENEG_INIT) {
/* first (initial) handshake was completed, remember this,
* so that further renegotiation attempts can be detected */
c->reneg_state=RENEG_ESTABLISHED;
} else if((where&SSL_CB_ACCEPT_LOOP)
&& c->reneg_state==RENEG_ESTABLISHED) {
int state=SSL_get_state(ssl);
if(state==SSL3_ST_SR_CLNT_HELLO_A
|| state==SSL23_ST_SR_CLNT_HELLO_A) {
/* client hello received after initial handshake,
* this means renegotiation -> mark it */
c->reneg_state=RENEG_DETECTED;
}
}
}
if(global_options.debug_level<LOG_DEBUG)
return; /* performance optimization */
if(where & SSL_CB_LOOP) {
s_log(LOG_DEBUG, "SSL state (%s): %s",
where & SSL_ST_CONNECT ? "connect" :
where & SSL_ST_ACCEPT ? "accept" :
"undefined", SSL_state_string_long(ssl));
} else if(where & SSL_CB_ALERT) {
s_log(LOG_DEBUG, "SSL alert (%s): %s: %s",
where & SSL_CB_READ ? "read" : "write",
SSL_alert_type_string_long(ret),
SSL_alert_desc_string_long(ret));
} else if(where==SSL_CB_HANDSHAKE_DONE) {
s_log(LOG_DEBUG, "%4ld items in the session cache",
SSL_CTX_sess_number(ssl->ctx));
s_log(LOG_DEBUG, "%4ld client connects (SSL_connect())",
SSL_CTX_sess_connect(ssl->ctx));
s_log(LOG_DEBUG, "%4ld client connects that finished",
SSL_CTX_sess_connect_good(ssl->ctx));
s_log(LOG_DEBUG, "%4ld client renegotiations requested",
SSL_CTX_sess_connect_renegotiate(ssl->ctx));
s_log(LOG_DEBUG, "%4ld server connects (SSL_accept())",
SSL_CTX_sess_accept(ssl->ctx));
s_log(LOG_DEBUG, "%4ld server connects that finished",
SSL_CTX_sess_accept_good(ssl->ctx));
s_log(LOG_DEBUG, "%4ld server renegotiations requested",
SSL_CTX_sess_accept_renegotiate(ssl->ctx));
s_log(LOG_DEBUG, "%4ld session cache hits",
SSL_CTX_sess_hits(ssl->ctx));
s_log(LOG_DEBUG, "%4ld external session cache hits",
SSL_CTX_sess_cb_hits(ssl->ctx));
s_log(LOG_DEBUG, "%4ld session cache misses",
SSL_CTX_sess_misses(ssl->ctx));
s_log(LOG_DEBUG, "%4ld session cache timeouts",
SSL_CTX_sess_timeouts(ssl->ctx));
}
}
NOEXPORT void info_callback(const SSL *ssl, int where, int ret) {
CLI *c;
SSL_CTX *ctx;
c=SSL_get_ex_data((SSL *)ssl, index_cli);
if(c) {
if((where&SSL_CB_HANDSHAKE_DONE)
&& c->reneg_state==RENEG_INIT) {
/* first (initial) handshake was completed, remember this,
* so that further renegotiation attempts can be detected */
c->reneg_state=RENEG_ESTABLISHED;
} else if((where&SSL_CB_ACCEPT_LOOP)
&& c->reneg_state==RENEG_ESTABLISHED) {
int state=SSL_get_state((SSL *)ssl);
if(state==SSL3_ST_SR_CLNT_HELLO_A
|| state==SSL23_ST_SR_CLNT_HELLO_A) {
/* client hello received after initial handshake,
* this means renegotiation -> mark it */
c->reneg_state=RENEG_DETECTED;
}
}
if(c->opt->log_level<LOG_DEBUG)
return; /* performance optimization */
}
if(where & SSL_CB_LOOP) {
s_log(LOG_DEBUG, "SSL state (%s): %s",
where & SSL_ST_CONNECT ? "connect" :
where & SSL_ST_ACCEPT ? "accept" :
"undefined", SSL_state_string_long(ssl));
} else if(where & SSL_CB_ALERT) {
s_log(LOG_DEBUG, "SSL alert (%s): %s: %s",
where & SSL_CB_READ ? "read" : "write",
SSL_alert_type_string_long(ret),
SSL_alert_desc_string_long(ret));
} else if(where==SSL_CB_HANDSHAKE_DONE) {
ctx=SSL_get_SSL_CTX((SSL *)ssl);
if(c->opt->option.client) {
s_log(LOG_DEBUG, "%4ld client connect(s) requested",
SSL_CTX_sess_connect(ctx));
s_log(LOG_DEBUG, "%4ld client connect(s) succeeded",
SSL_CTX_sess_connect_good(ctx));
s_log(LOG_DEBUG, "%4ld client renegotiation(s) requested",
SSL_CTX_sess_connect_renegotiate(ctx));
} else {
s_log(LOG_DEBUG, "%4ld server accept(s) requested",
SSL_CTX_sess_accept(ctx));
s_log(LOG_DEBUG, "%4ld server accept(s) succeeded",
SSL_CTX_sess_accept_good(ctx));
s_log(LOG_DEBUG, "%4ld server renegotiation(s) requested",
SSL_CTX_sess_accept_renegotiate(ctx));
}
/* according to the source it not only includes internal
and external session caches, but also session tickets */
s_log(LOG_DEBUG, "%4ld session reuse(s)",
SSL_CTX_sess_hits(ctx));
if(!c->opt->option.client) { /* server session cache stats */
s_log(LOG_DEBUG, "%4ld internal session cache item(s)",
SSL_CTX_sess_number(ctx));
s_log(LOG_DEBUG, "%4ld internal session cache fill-up(s)",
SSL_CTX_sess_cache_full(ctx));
s_log(LOG_DEBUG, "%4ld internal session cache miss(es)",
SSL_CTX_sess_misses(ctx));
s_log(LOG_DEBUG, "%4ld external session cache hit(s)",
SSL_CTX_sess_cb_hits(ctx));
s_log(LOG_DEBUG, "%4ld expired session(s) retrieved",
SSL_CTX_sess_timeouts(ctx));
}
}
}
