From c2d2261544a479124de8fbd6adfee4e97044e5d0 Mon Sep 17 00:00:00 2001
From: dormando
Date: Wed, 26 Jun 2024 12:59:45 -0700
Subject: [PATCH] tls: add ssl_proto_errors counter

If this is ticking, you can look at `watch connevents` to get full detail.

---
 doc/protocol.txt | 5 ++++-
 memcached.c | 1 +
 memcached.h | 1 +
 tls.c | 6 ++++++
 4 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/doc/protocol.txt b/doc/protocol.txt
index d78a5a897b..3fb96d2ab5 100644
--- a/doc/protocol.txt
+++ b/doc/protocol.txt
@@ -1240,7 +1240,8 @@ The arguments are:
 - "connevents": Emits logs when connections are opened and closed, i.e. when clients connect or disconnect. For TCP transports, logs indicate the remote address IP and port. Connection close events additionally supply a reason for
- closing the connection.
+ closing the connection. If TLS is enabled, this stream also contains
+ detailed TLS protocol errors.
 - "proxyreqs": Emits detailed timing logs about requests/responses being returned to a client while in proxy mode. The conditions which logs are
@@ -1774,6 +1775,8 @@ following additional statistics are available via the "stats" command.
 | ssl_handshake_errors | 64u | Number of times the server has |
 | | | encountered an OpenSSL error |
 | | | during handshake (SSL_accept). |
+| ssl_proto_errors | 64u | Number of times a client has |
+| | | seen a fatal TLS protocol error|
 | ssl_min_version | char | Minimum supported TLS version |
 | | | for client handshakes. |
 | ssl_new_sessions | 64u | When SSL session caching is |
diff --git a/memcached.c b/memcached.c
index a78473269b..ef16775e75 100644
--- a/memcached.c
+++ b/memcached.c
@@ -1903,6 +1903,7 @@ void server_stats(ADD_STAT add_stats, void *c) {
 APPEND_STAT("ssl_new_sessions", "%llu", (unsigned long long)stats.ssl_new_sessions);
 }
 APPEND_STAT("ssl_handshake_errors", "%llu", (unsigned long long)stats.ssl_handshake_errors);
+ APPEND_STAT("ssl_proto_errors", "%llu", (unsigned long long)stats.ssl_proto_errors);
 APPEND_STAT("time_since_server_cert_refresh", "%u", now - settings.ssl_last_cert_refresh_time);
 }
 #endif
diff --git a/memcached.h b/memcached.h
index d33562c83f..f77ea918b8 100644
--- a/memcached.h
+++ b/memcached.h
@@ -415,6 +415,7 @@ struct stats {
 uint64_t extstore_compact_resc_old; /* items re-written during compaction */
 #endif
 #ifdef TLS
+ uint64_t ssl_proto_errors; /* TLS failures during SSL_read() and SSL_write() calls */
 uint64_t ssl_handshake_errors; /* TLS failures at accept/handshake time */
 uint64_t ssl_new_sessions; /* successfully negotiated new (non-reused) TLS sessions */
 #endif
diff --git a/tls.c b/tls.c
index 1e60a86310..7b888df3d6 100644
--- a/tls.c
+++ b/tls.c
@@ -139,6 +139,9 @@ static ssize_t ssl_read(conn *c, void *buf, size_t count) {
 print_ssl_error(ssl_err, SSL_ERROR_MSG_SIZE);
 LOGGER_LOG(c->thread->l, LOG_CONNEVENTS, LOGGER_CONNECTION_ERROR, NULL, c->sfd, ssl_err);
+ STATS_LOCK();
+ stats.ssl_proto_errors++;
+ STATS_UNLOCK();
 }
 ERR_clear_error();
 }
@@ -172,6 +175,9 @@ static ssize_t ssl_write(conn *c, void *buf, size_t count) {
 print_ssl_error(ssl_err, SSL_ERROR_MSG_SIZE);
 LOGGER_LOG(c->thread->l, LOG_CONNEVENTS, LOGGER_CONNECTION_ERROR, NULL, c->sfd, ssl_err);
+ STATS_LOCK();
+ stats.ssl_proto_errors++;
+ STATS_UNLOCK();
 }
 ERR_clear_error();
 }
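Review bot: The increment added after the LOGGER_LOG call in the ssl_read hunk takes what appears to be the process-wide STATS_LOCK on every failed read, so a burst of malformed TLS records arriving on many connections at once serializes the worker threads on that single mutex; the ssl_write hunk below has the same shape. Since ssl_handshake_errors is also read from the global `stats` in the server_stats hunk this follows the existing convention, but if the counter is expected to tick under load it may be better kept in the per-thread stats and summed when the "stats" output is built. The condition guarding this branch is outside the hunk, so confirm it is reached only for fatal results (not SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE, and not a clean SSL_ERROR_ZERO_RETURN shutdown), otherwise the counter overstates "fatal TLS protocol errors" relative to the doc/protocol.txt wording. The three duplicated lines could be folded into one helper such as `static inline void ssl_proto_error_inc(void) { STATS_LOCK(); stats.ssl_proto_errors++; STATS_UNLOCK(); }` called from both sites. Both ssl_read and ssl_write start and end outside their hunks.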