  1. Traffic Server
  2. TS-3007

Stats for all TLS alerts defined in RFC 5246

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: sometime
    • Component/s: Metrics, SSL
    • Labels:
      None

      Description

      Currently we collect the following TLS alert stats:

      proxy.process.ssl.user_agent_other_errors=0
      proxy.process.ssl.user_agent_expired_cert=0
      proxy.process.ssl.user_agent_revoked_cert=0
      proxy.process.ssl.user_agent_unknown_cert=0
      proxy.process.ssl.user_agent_cert_verify_failed=0
      proxy.process.ssl.user_agent_bad_cert=0
      proxy.process.ssl.user_agent_decryption_failed=0
      proxy.process.ssl.user_agent_wrong_version=0
      proxy.process.ssl.user_agent_unknown_ca=0
      /* + same set for origin_server */
      

      Though [RFC 5246] defines the following set:

            enum {
                close_notify(0),
                unexpected_message(10),
                bad_record_mac(20),
                decryption_failed_RESERVED(21),
                record_overflow(22),
                decompression_failure(30),
                handshake_failure(40),
                no_certificate_RESERVED(41),
                bad_certificate(42),
                unsupported_certificate(43),
                certificate_revoked(44),
                certificate_expired(45),
                certificate_unknown(46),
                illegal_parameter(47),
                unknown_ca(48),
                access_denied(49),
                decode_error(50),
                decrypt_error(51),
                export_restriction_RESERVED(60),
                protocol_version(70),
                insufficient_security(71),
                internal_error(80),
                user_canceled(90),
                no_renegotiation(100),
                unsupported_extension(110),
                (255)
            } AlertDescription;
      

      Probably we want to adjust ATS naming and the number of collected stats to match the RFC.

      Also, maybe it's a good idea to put them under proxy.process.ssl.alerts

      [RFC 5246] http://tools.ietf.org/html/rfc5246#section-7.2

      Brian Geffon, can you take a look into it?
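
An added example, not Traffic Server code and not part of the issue text: it maps every RFC 5246 AlertDescription code quoted above to a per-alert counter under the proposed `proxy.process.ssl.alerts` prefix and counts plaintext alert records. The `<side>.<alert name>` layout, the `unknown` bucket, the function names and the sample record are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <map>
#include <string>

// AlertDescription values from RFC 5246 section 7.2, as quoted in the issue.
struct AlertName { uint8_t code; const char *name; };
static const AlertName kAlerts[] = {
  {0, "close_notify"}, {10, "unexpected_message"}, {20, "bad_record_mac"},
  {21, "decryption_failed_RESERVED"}, {22, "record_overflow"},
  {30, "decompression_failure"}, {40, "handshake_failure"},
  {41, "no_certificate_RESERVED"}, {42, "bad_certificate"},
  {43, "unsupported_certificate"}, {44, "certificate_revoked"},
  {45, "certificate_expired"}, {46, "certificate_unknown"},
  {47, "illegal_parameter"}, {48, "unknown_ca"}, {49, "access_denied"},
  {50, "decode_error"}, {51, "decrypt_error"},
  {60, "export_restriction_RESERVED"}, {70, "protocol_version"},
  {71, "insufficient_security"}, {80, "internal_error"},
  {90, "user_canceled"}, {100, "no_renegotiation"},
  {110, "unsupported_extension"},
};

// Constructed sample: fatal(2) bad_certificate(42) alert in a TLS 1.2 record.
static const uint8_t kSampleAlert[7] = {21, 3, 3, 0, 2, 2, 42};

// Hypothetical naming: <prefix from the issue>.<side>.<RFC alert name>.
// Codes the RFC list does not define are pooled under "unknown".
std::string alert_stat_name(const std::string &side, uint8_t code) {
  std::string name = "proxy.process.ssl.alerts." + side + ".";
  for (const AlertName &a : kAlerts)
    if (a.code == code) return name + a.name;
  return name + "unknown";
}

// Count one plaintext TLS alert record:
//   type(1)=21 | version(2) | length(2)=2 | level(1) | description(1)
// Returns false, counting nothing, for anything else. An alert sent after
// encryption is on has a longer body and cannot be classified from the wire.
bool count_alert_record(const uint8_t *buf, size_t len, const std::string &side,
                        std::map<std::string, uint64_t> &stats) {
  if (buf == nullptr || len != 7 || buf[0] != 21) return false;
  if (((buf[3] << 8) | buf[4]) != 2) return false; // body must be level+description
  if (buf[5] != 1 && buf[5] != 2) return false;    // warning(1) or fatal(2)
  ++stats[alert_stat_name(side, buf[6])];
  return true;
}
```

Pooling undefined codes under one bucket keeps the stat set fixed while still surfacing peers that send alerts outside the RFC list.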

            People

            • Assignee:
              shinrich Susan Hinrichs
              Reporter:
              SaveTheRbtz Alexey Ivanov