Log TLS signature algorithms#13378
Open
bneradt wants to merge 1 commit into
Open
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
Adds new access-log fields to expose TLS signature-scheme information (client-offered list and ATS-selected scheme), improving visibility for certificate selection / client-compatibility analysis across TLS 1.2/1.3 and resumed sessions.
Changes:
- Introduces two new logging fields (
cqssig,cqssin) wired throughTransactionLogData/LogAccess/Logand documented in the admin guide. - Captures and formats signature-scheme data (GREASE-filtered, dash-separated decimal code points) for both TCP-TLS and QUIC paths.
- Adds a unit test for GREASE filtering/formatting and a new gold test validating the access-log output for full vs resumed TLS 1.2/1.3 handshakes.
Reviewed changes
Copilot reviewed 22 out of 22 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| tests/gold_tests/tls/tls_signature_algorithms.test.py | New gold test driving OpenSSL handshakes and validating new log fields. |
| tests/gold_tests/tls/gold/tls_signature_algorithms.gold | Expected access-log output for the new fields across handshake modes/versions. |
| src/proxy/logging/TransactionLogData.cc | Exposes new TLS signature data from HttpUserAgent to logging. |
| src/proxy/logging/LogAccess.cc | Adds marshalling for the new signature-algorithm log fields. |
| src/proxy/logging/Log.cc | Registers cqssig / cqssin logging field symbols. |
| src/iocore/net/unit_tests/test_SSLUtils.cc | Unit tests for GREASE omission and wire-order formatting. |
| src/iocore/net/TLSBasicSupport.cc | Adds capture/cache plumbing for offered + negotiated signature scheme values. |
| src/iocore/net/SSLUtils.cc | Implements extraction/formatting and hooks capture into TLS callbacks. |
| src/iocore/net/SSLNetVConnection.cc | Provides SSLNetVConnection implementations for the new TLSBasicSupport virtuals. |
| src/iocore/net/QUICNetVConnection.cc | Provides QUICNetVConnection implementations for the new TLSBasicSupport virtuals. |
| src/iocore/net/QUICMultiCertConfigLoader.cc | Enables handshake info callback for QUIC to capture negotiated scheme. |
| src/iocore/net/P_SSLUtils.h | Declares new signature-algorithm helper APIs. |
| src/iocore/net/P_SSLNetVConnection.h | Declares new TLSBasicSupport virtual overrides for SSLNetVConnection. |
| src/iocore/net/P_QUICNetVConnection.h | Declares new TLSBasicSupport virtual overrides for QUICNetVConnection. |
| src/iocore/net/CMakeLists.txt | Adds the new SSLUtils unit test to the build. |
| include/tscore/ink_config.h.cmake.in | Adds feature-detection macros for TLS signature API availability. |
| include/proxy/logging/TransactionLogData.h | Declares new TransactionLogData accessors for signature fields. |
| include/proxy/logging/LogAccess.h | Declares new marshal functions for signature fields. |
| include/proxy/http/HttpUserAgent.h | Stores signature-scheme strings in ClientConnectionInfo and exposes getters. |
| include/iocore/net/TLSBasicSupport.h | Adds APIs/virtuals and optional caches for signature scheme capture. |
| doc/admin-guide/logging/formatting.en.rst | Documents cqssig/cqssin. |
| CMakeLists.txt | Adds configure-time checks for OpenSSL/BoringSSL signature API symbols. |
f685eb6 to
ee1564d
Compare
Certificate selection decisions require visibility into the signature algorithms clients offer, but access logs currently expose only TLS cipher and group details. This makes it difficult to identify clients that depend on a particular certificate signature type. This adds native fields for the offered signature-algorithm list and the algorithm used by ATS, with GREASE filtering and resumption-aware capture. It documents the fields and covers TLS 1.2 and TLS 1.3 full and resumed handshakes.
ee1564d to
8cfd649
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Certificate selection decisions require visibility into the signature
algorithms clients offer, but access logs currently expose only TLS
cipher and group details. This makes it difficult to identify clients
that depend on a particular certificate signature type.
This adds native fields for the offered signature-algorithm list and
the algorithm used by ATS, with GREASE filtering and resumption-aware
capture. It documents the fields and covers TLS 1.2 and TLS 1.3 full
and resumed handshakes.