nghttpx: Add $tls_client_serial log variable

2017-11-16 21:40:33 +09:00 · 2017-11-16 21:40:33 +09:00 · eca0a3025b
parent 4720c5cb3d
commit eca0a3025b
5 changed files with 32 additions and 0 deletions
--- a/gennghttpxfun.py
+++ b/gennghttpxfun.py
@ -195,6 +195,7 @@ LOGVARS = [
    "tls_client_fingerprint_sha1",
    "tls_client_subject_name",
    "tls_client_issuer_name",
+    "tls_client_serial",
    "backend_host",
    "backend_port",
 ]
--- a/src/shrpx.cc
+++ b/src/shrpx.cc
@ -2502,6 +2502,8 @@ Logging:
                certificate.
              * $tls_client_issuer_name:   issuer   name   in   client
                certificate.
+              * $tls_client_serial:    serial    number   in    client
+                certificate.
              * $tls_protocol: protocol for SSL/TLS connection.
              * $tls_session_id: session ID for SSL/TLS connection.
              * $tls_session_reused:  "r"   if  SSL/TLS   session  was
--- a/src/shrpx_config.cc
+++ b/src/shrpx_config.cc
@ -498,6 +498,15 @@ LogFragmentType log_var_lookup_token(const char *name, size_t namelen) {
      break;
    }
    break;
+  case 17:
+    switch (name[16]) {
+    case 'l':
+      if (util::strieq_l("tls_client_seria", name, 16)) {
+        return SHRPX_LOGF_TLS_CLIENT_SERIAL;
+      }
+      break;
+    }
+    break;
  case 18:
    switch (name[17]) {
    case 'd':
--- a/src/shrpx_log.cc
+++ b/src/shrpx_log.cc
@ -579,6 +579,25 @@ void upstream_accesslog(const std::vector<LogFragment> &lfv,
      std::tie(p, last) = copy(name, p, last);
      break;
    }
+    case SHRPX_LOGF_TLS_CLIENT_SERIAL: {
+      if (!lgsp.ssl) {
+        std::tie(p, last) = copy('-', p, last);
+        break;
+      }
+      auto x = SSL_get_peer_certificate(lgsp.ssl);
+      if (!x) {
+        std::tie(p, last) = copy('-', p, last);
+        break;
+      }
+      auto sn = tls::get_x509_serial(balloc, x);
+      X509_free(x);
+      if (sn.empty()) {
+        std::tie(p, last) = copy('-', p, last);
+        break;
+      }
+      std::tie(p, last) = copy(sn, p, last);
+      break;
+    }
    case SHRPX_LOGF_BACKEND_HOST:
      if (!downstream_addr) {
        std::tie(p, last) = copy('-', p, last);
--- a/src/shrpx_log.h
+++ b/src/shrpx_log.h
@ -141,6 +141,7 @@ enum LogFragmentType {
  SHRPX_LOGF_TLS_CLIENT_FINGERPRINT_SHA1,
  SHRPX_LOGF_TLS_CLIENT_FINGERPRINT_SHA256,
  SHRPX_LOGF_TLS_CLIENT_ISSUER_NAME,
+  SHRPX_LOGF_TLS_CLIENT_SERIAL,
  SHRPX_LOGF_TLS_CLIENT_SUBJECT_NAME,
  SHRPX_LOGF_BACKEND_HOST,
  SHRPX_LOGF_BACKEND_PORT,