Skip to content

Log TLS signature algorithms#13378

Open
bneradt wants to merge 1 commit into
apache:masterfrom
bneradt:tls-signature-algorithm-logging
Open

Log TLS signature algorithms#13378
bneradt wants to merge 1 commit into
apache:masterfrom
bneradt:tls-signature-algorithm-logging

Conversation

@bneradt

@bneradt bneradt commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Certificate selection decisions require visibility into the signature
algorithms clients offer, but access logs currently expose only TLS
cipher and group details. This makes it difficult to identify clients
that depend on a particular certificate signature type.

This adds native fields for the offered signature-algorithm list and
the algorithm used by ATS, with GREASE filtering and resumption-aware
capture. It documents the fields and covers TLS 1.2 and TLS 1.3 full
and resumed handshakes.

Copilot AI review requested due to automatic review settings July 13, 2026 21:36
@bneradt bneradt added this to the 11.0.0 milestone Jul 13, 2026
@bneradt bneradt self-assigned this Jul 13, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds new access-log fields to expose TLS signature-scheme information (client-offered list and ATS-selected scheme), improving visibility for certificate selection / client-compatibility analysis across TLS 1.2/1.3 and resumed sessions.

Changes:

  • Introduces two new logging fields (cqssig, cqssin) wired through TransactionLogData/LogAccess/Log and documented in the admin guide.
  • Captures and formats signature-scheme data (GREASE-filtered, dash-separated decimal code points) for both TCP-TLS and QUIC paths.
  • Adds a unit test for GREASE filtering/formatting and a new gold test validating the access-log output for full vs resumed TLS 1.2/1.3 handshakes.

Reviewed changes

Copilot reviewed 22 out of 22 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
tests/gold_tests/tls/tls_signature_algorithms.test.py New gold test driving OpenSSL handshakes and validating new log fields.
tests/gold_tests/tls/gold/tls_signature_algorithms.gold Expected access-log output for the new fields across handshake modes/versions.
src/proxy/logging/TransactionLogData.cc Exposes new TLS signature data from HttpUserAgent to logging.
src/proxy/logging/LogAccess.cc Adds marshalling for the new signature-algorithm log fields.
src/proxy/logging/Log.cc Registers cqssig / cqssin logging field symbols.
src/iocore/net/unit_tests/test_SSLUtils.cc Unit tests for GREASE omission and wire-order formatting.
src/iocore/net/TLSBasicSupport.cc Adds capture/cache plumbing for offered + negotiated signature scheme values.
src/iocore/net/SSLUtils.cc Implements extraction/formatting and hooks capture into TLS callbacks.
src/iocore/net/SSLNetVConnection.cc Provides SSLNetVConnection implementations for the new TLSBasicSupport virtuals.
src/iocore/net/QUICNetVConnection.cc Provides QUICNetVConnection implementations for the new TLSBasicSupport virtuals.
src/iocore/net/QUICMultiCertConfigLoader.cc Enables handshake info callback for QUIC to capture negotiated scheme.
src/iocore/net/P_SSLUtils.h Declares new signature-algorithm helper APIs.
src/iocore/net/P_SSLNetVConnection.h Declares new TLSBasicSupport virtual overrides for SSLNetVConnection.
src/iocore/net/P_QUICNetVConnection.h Declares new TLSBasicSupport virtual overrides for QUICNetVConnection.
src/iocore/net/CMakeLists.txt Adds the new SSLUtils unit test to the build.
include/tscore/ink_config.h.cmake.in Adds feature-detection macros for TLS signature API availability.
include/proxy/logging/TransactionLogData.h Declares new TransactionLogData accessors for signature fields.
include/proxy/logging/LogAccess.h Declares new marshal functions for signature fields.
include/proxy/http/HttpUserAgent.h Stores signature-scheme strings in ClientConnectionInfo and exposes getters.
include/iocore/net/TLSBasicSupport.h Adds APIs/virtuals and optional caches for signature scheme capture.
doc/admin-guide/logging/formatting.en.rst Documents cqssig/cqssin.
CMakeLists.txt Adds configure-time checks for OpenSSL/BoringSSL signature API symbols.

Comment thread src/iocore/net/TLSBasicSupport.cc
Copilot AI review requested due to automatic review settings July 13, 2026 21:52
@bneradt bneradt force-pushed the tls-signature-algorithm-logging branch from f685eb6 to ee1564d Compare July 13, 2026 21:52

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 22 out of 22 changed files in this pull request and generated no new comments.

Certificate selection decisions require visibility into the signature
algorithms clients offer, but access logs currently expose only TLS
cipher and group details. This makes it difficult to identify clients
that depend on a particular certificate signature type.

This adds native fields for the offered signature-algorithm list and
the algorithm used by ATS, with GREASE filtering and resumption-aware
capture. It documents the fields and covers TLS 1.2 and TLS 1.3 full
and resumed handshakes.
Copilot AI review requested due to automatic review settings July 13, 2026 23:22
@bneradt bneradt force-pushed the tls-signature-algorithm-logging branch from ee1564d to 8cfd649 Compare July 13, 2026 23:22

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 22 out of 22 changed files in this pull request and generated no new comments.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

Status: No status

Development

Successfully merging this pull request may close these issues.

2 participants