Description
Currently we collect the following TLS alert stats:
proxy.process.ssl.user_agent_other_errors=0
proxy.process.ssl.user_agent_expired_cert=0
proxy.process.ssl.user_agent_revoked_cert=0
proxy.process.ssl.user_agent_unknown_cert=0
proxy.process.ssl.user_agent_cert_verify_failed=0
proxy.process.ssl.user_agent_bad_cert=0
proxy.process.ssl.user_agent_decryption_failed=0
proxy.process.ssl.user_agent_wrong_version=0
proxy.process.ssl.user_agent_unknown_ca=0
/* + same set for origin_server */
Though [RFC 5246] defines the following set:
enum {
    close_notify(0),
    unexpected_message(10),
    bad_record_mac(20),
    decryption_failed_RESERVED(21),
    record_overflow(22),
    decompression_failure(30),
    handshake_failure(40),
    no_certificate_RESERVED(41),
    bad_certificate(42),
    unsupported_certificate(43),
    certificate_revoked(44),
    certificate_expired(45),
    certificate_unknown(46),
    illegal_parameter(47),
    unknown_ca(48),
    access_denied(49),
    decode_error(50),
    decrypt_error(51),
    export_restriction_RESERVED(60),
    protocol_version(70),
    insufficient_security(71),
    internal_error(80),
    user_canceled(90),
    no_renegotiation(100),
    unsupported_extension(110),
    (255)
} AlertDescription;
Probably we want to adjust ATS naming and the number of collected stats to match the RFC.
Also, maybe it's a good idea to put them under proxy.process.ssl.alerts
[RFC 5246] http://tools.ietf.org/html/rfc5246#section-7.2
briang Can you take a look into it?
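
A sketch of the per-alert counting proposed above, added here as an illustration and not taken from the ATS code base: it maps the AlertDescription byte of a decoded alert to a counter named after the RFC 5246 enum. The proxy.process.ssl.alerts.<side>.<name> layout, the "unknown" bucket and the function names are assumptions.

```cpp
// Added illustration; not Apache Traffic Server code.
#include <array>
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <map>
#include <string>

struct AlertName { uint8_t code; const char *name; };

// AlertDescription values from RFC 5246 section 7.2.
static const std::array<AlertName, 25> kAlerts = {{
  {0, "close_notify"}, {10, "unexpected_message"}, {20, "bad_record_mac"},
  {21, "decryption_failed_RESERVED"}, {22, "record_overflow"},
  {30, "decompression_failure"}, {40, "handshake_failure"},
  {41, "no_certificate_RESERVED"}, {42, "bad_certificate"},
  {43, "unsupported_certificate"}, {44, "certificate_revoked"},
  {45, "certificate_expired"}, {46, "certificate_unknown"},
  {47, "illegal_parameter"}, {48, "unknown_ca"}, {49, "access_denied"},
  {50, "decode_error"}, {51, "decrypt_error"}, {60, "export_restriction_RESERVED"},
  {70, "protocol_version"}, {71, "insufficient_security"}, {80, "internal_error"},
  {90, "user_canceled"}, {100, "no_renegotiation"}, {110, "unsupported_extension"},
}};

// Hypothetical layout: proxy.process.ssl.alerts.<side>.<rfc_name>
std::string alert_stat_name(const std::string &side, uint8_t description) {
  for (const auto &a : kAlerts)
    if (a.code == description)
      return "proxy.process.ssl.alerts." + side + "." + a.name;
  return "proxy.process.ssl.alerts." + side + ".unknown";  // code not in the enum
}

// Alert body: AlertLevel (1 = warning, 2 = fatal), then AlertDescription.
bool count_alert(std::map<std::string, uint64_t> &stats, const std::string &side,
                 const uint8_t *body, size_t len) {
  if (len != 2 || (body[0] != 1 && body[0] != 2))
    return false;  // malformed alert: do not count it
  ++stats[alert_stat_name(side, body[1])];
  return true;
}

int main() {
  std::map<std::string, uint64_t> stats;
  const uint8_t samples[][2] = {{2, 45}, {2, 48}, {1, 0}, {2, 200}};  // constructed
  for (const auto &s : samples)
    count_alert(stats, "user_agent", s, 2);
  for (const auto &kv : stats)
    std::cout << kv.first << "=" << kv.second << "\n";
}
```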