Skip to content

Add scipts to monitor nginx ssl session ticket keys and session ticket r... #7

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 6 commits into
base: master
Choose a base branch
from
Open

Add scipts to monitor nginx ssl session ticket keys and session ticket r... #7

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
3eb5acd
Add scipts to monitor nginx ssl session ticket keys and session ticke…
lziest Nov 24, 2014
bba6a34
Address agentzh's comments.
lziest Nov 25, 2014
3ffd8e8
comment fixup
lziest Nov 25, 2014
76600fd
better tracing msg.
lziest Nov 25, 2014
4a1b448
Address agentzh's comments, rename one script.
lziest Jan 27, 2015
3878abd
more polish
lziest Jan 27, 2015
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
34 changes: 33 additions & 1 deletion README.markdown
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,8 @@ Table of Contents
* [ngx-orig-resp-body-len](#ngx-orig-resp-body-len)
* [zlib-deflate-chunk-size](#zlib-deflate-chunk-size)
* [lj-str-tab](#lj-str-tab)
* [ngx-ssl-session-ticket-keys](#ngx-ssl-session-ticket-keys)
Copy link
Member

@agentzh agentzh Jan 27, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just in case you add these manually, we usually use the markdown-toc.pl script to generate the TOC links and "Back to TOC" links automatically. See

https://github.com/openresty/nginx-devel-utils/blob/master/markdown-toc.pl

* [ngx-ssl-session-resumption-stats](#ngx-ssl-session-resumption-stats)
* [Installation](#installation)
* [Author](#author)
* [Copyright and License](#copyright-and-license)
Expand Down Expand Up @@ -1453,7 +1455,37 @@ value |-------------------------------------------------- count
lj-str-tab
----------

Analayzing the structure and various statistics of the global Lua string hash table in the LuaJIT v2.1 VM.
Analyzing the structure and various statistics of the global Lua string hash table in the LuaJIT v2.1 VM.

[Back to TOC](#table-of-contents)

ngx-ssl-session-ticket-keys
----------

Dumping ssl session ticket keys of a nginx worker.

```bash
# making the ./stap++ tool visible in PATH:
$ export PATH=$PWD:$PATH

# assuming one nginx worker process has the pid 3781.
$ ./samples/ngx-ssl-session-ticket-keys.sxx -x 3781
Copy link
Member

@agentzh agentzh Nov 25, 2014

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will you add some sample outputs?

Copy link
Member

@agentzh agentzh Jan 27, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also, please add sample outputs here in its docs and also some brief explanation if not too obvious.

```

[Back to TOC](#table-of-contents)

ngx-ssl-session-resumption-stats
----------

Analyzing the statistics of nginx SSL/TLS session ticket resumption.

```bash
# making the ./stap++ tool visible in PATH:
$ export PATH=$PWD:$PATH

# assuming one nginx worker process has the pid 3781.
$ ./samples/ngx-ssl-session-resumption-stats.sxx -x 3781
Copy link
Member

@agentzh agentzh Nov 25, 2014

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ditto.

```

[Back to TOC](#table-of-contents)

Expand Down
47 changes: 47 additions & 0 deletions samples/ngx-ssl-session-resumption-stats.sxx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
#!/usr/bin/env stap++

# Capture ssl session resumption statistics.

global total
global tickets
global resumed
global reencrypted

probe begin {
printf("Start tracing NGX OPENSSL ticket key callback\n");
Copy link
Member

@agentzh agentzh Nov 25, 2014

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's make the startup message more informative by displaying the current exec file path for the process being traced, as well as the pid(s) being traced (when -m is specified, there can be more than one workers being traced).

}

probe @pfunc(ngx_ssl_session_ticket_key_callback).return {
total++;
# record client session ticket decryption calls
if ($enc == 0) {
tickets++;
if ($return > 0) resumed++;
if ($return > 1) reencrypted++;
}
}

probe end {
printf("Stop tracing NGX OPENSSL ticket key callback\n");
printf("Total sessions: %d\n", total);
printf("Total session tickets: %d\n", tickets);
printf("Total resumed session: %d\n", resumed);
printf("Total re-encrypted session ticket: %d\n", reencrypted);

if (total > 0) {
ratio1 = (tickets * 100) / total;

} else {
ratio1 = 0;
}

if (tickets > 0) {
ratio2 = (resumed * 100) / tickets;

} else {
ratio2 = 0;
}
printf("Session resumption attempts ratio: %d percent\n", ratio1)
printf("Session resumption success ratio: %d percent\n", ratio2)
exit();
}
79 changes: 79 additions & 0 deletions samples/ngx-ssl-session-ticket-keys.sxx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,79 @@
#!/usr/bin/env stap++

# Capture ssl session tickets.

@use nginx.array
@use openssl

probe begin {
printf("Start tracing NGX OPENSSL ticket key callback\n")
}

// print 16-byte key name
function print_key_name(name) {
printf("key name: ");
$*n := @cast(name, "unsigned char", "$^exec_path")
for (i=0; i<16; i++) {
printf("%02x", $*n[i])
}
printf("\n")
}

// print 16-byte aes state
function print_key_aes(state) {
printf("key aes state: ");
$*s := @cast(state, "unsigned char", "$^exec_path")
for (i=0; i<16; i++) {
printf("%02x", $*s[i])
}
printf("\n")
}

// print 16-byte hmac state
function print_key_hmac(state) {
printf("key hmac state: ");
$*s := @cast(state, "unsigned char", "$^exec_path")
for (i=0; i<16; i++) {
printf("%02x", $*s[i])
}
printf("\n")
}

// print session ticket content
function print_session_ticket_key(key) {
$*k := @cast(key, "ngx_ssl_session_ticket_key_t", "$^exec_path")
print_key_name($*k->name)
// should disable by default the two calls below to maintain key confidentiality.
print_key_aes($*k->aes_key)
print_key_hmac($*k->hmac_key)
}

probe @pfunc(ngx_ssl_session_ticket_key_callback).return {
Copy link
Member

@agentzh agentzh Nov 25, 2014

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's not use this probe. This C function is seldom or never called in production. Alas.

keys_index = @var("ngx_ssl_session_ticket_keys_index@src/event/ngx_event_openssl.c")
num = get_ssl_ex_data_len($ssl_conn->ctx)
if (keys_index > num) {
printf("Error: ticket key list is not supported")

} else {
keys = get_ssl_ex_data_item($ssl_conn->ctx, keys_index)
keys_len = get_ngx_array_len(keys)
if (keys_len <= 0) {
printf("Error: empty key list")

} else {
key_ptr = get_ngx_array_elts(keys)
enc_key = key_ptr
last_key = &@cast(key_ptr, "ngx_ssl_session_ticket_key_t", "$^exec_path")[keys_len-1]
printf("keys len %d\n", keys_len)
printf("enc key:\n")
print_session_ticket_key(enc_key)
printf("last dec key:\n")
print_session_ticket_key(last_key)
}
}
Copy link
Member

@agentzh agentzh Jan 27, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this tool should exit here as soon as it dumps the first key set. Thoughts?

}

probe end {
Copy link
Member

@agentzh agentzh Nov 25, 2014

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we can just eliminate this end probe because it does not do anything interesting at all.

printf("Stop tracing NGX OPENSSL ticket key callback\n")
exit()
}
12 changes: 12 additions & 0 deletions tapset/nginx/array.sxx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
// module nginx.array

function get_ngx_array_len(ngx_arr) {
$*arr := @cast(ngx_arr, "ngx_array_t", "$^exec_path")
return $*arr->nelts

}

function get_ngx_array_elts(ngx_arr) {
$*arr := @cast(ngx_arr, "ngx_array_t", "$^exec_path")
return $*arr->elts
}
21 changes: 21 additions & 0 deletions tapset/openssl.sxx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
// module openssl

// extract ex_data pointer from openssl SSL_CTX
function get_ssl_ex_data(ssl_ctx) {
$*ctx := @cast(ssl_ctx, "SSL_CTX", "$^exec_path")
return &$*ctx->ex_data
}

// extract number of items in SSL_CTX ex_data
function get_ssl_ex_data_len(ssl_ctx) {
ex_data = get_ssl_ex_data(ssl_ctx)
$*data := @cast(ex_data, "CRYPTO_EX_DATA", "$^exec_path")
return $*data->sk->stack->num
}

// extract the item specified by idx in SSL_CTX ex_data
function get_ssl_ex_data_item(ssl_ctx, idx) {
ex_data = get_ssl_ex_data(ssl_ctx)
$*data := @cast(ex_data, "CRYPTO_EX_DATA", "$^exec_path")
return $*data->sk->stack->data[idx]
}