tls: add ssl_proto_errors counter
If this is ticking, you can look at `watch connevents` to get full
detail.
dormando committed Jun 26, 2024
1 parent e819073 commit cf793b1
Showing 4 changed files with 12 additions and 1 deletion.
5 changes: 4 additions & 1 deletion doc/protocol.txt
@@ -1230,7 +1230,8 @@ The arguments are:
- "connevents": Emits logs when connections are opened and closed, i.e. when
clients connect or disconnect. For TCP transports, logs indicate the remote
address IP and port. Connection close events additionally supply a reason for
closing the connection.
closing the connection. If TLS is enabled, this stream also contains
detailed TLS protocol errors.

- "proxyreqs": Emits detailed timing logs about requests/responses being
returned to a client while in proxy mode. The conditions which logs are
@@ -1764,6 +1765,8 @@ following additional statistics are available via the "stats" command.
| ssl_handshake_errors | 64u | Number of times the server has |
| | | encountered an OpenSSL error |
| | | during handshake (SSL_accept). |
| ssl_proto_errors | 64u | Number of times a client has |
| | | seen a fatal TLS protocol error|
| ssl_min_version | char | Minimum supported TLS version |
| | | for client handshakes. |
| ssl_new_sessions | 64u | When SSL session caching is |
1 change: 1 addition & 0 deletions memcached.c
@@ -1903,6 +1903,7 @@ void server_stats(ADD_STAT add_stats, void *c) {
APPEND_STAT("ssl_new_sessions", "%llu", (unsigned long long)stats.ssl_new_sessions);
}
APPEND_STAT("ssl_handshake_errors", "%llu", (unsigned long long)stats.ssl_handshake_errors);
APPEND_STAT("ssl_proto_errors", "%llu", (unsigned long long)stats.ssl_proto_errors);
APPEND_STAT("time_since_server_cert_refresh", "%u", now - settings.ssl_last_cert_refresh_time);
}
#endif
1 change: 1 addition & 0 deletions memcached.h
@@ -415,6 +415,7 @@ struct stats {
uint64_t extstore_compact_resc_old; /* items re-written during compaction */
#endif
#ifdef TLS
uint64_t ssl_proto_errors; /* TLS failures during SSL_read() and SSL_write() calls */
uint64_t ssl_handshake_errors; /* TLS failures at accept/handshake time */
uint64_t ssl_new_sessions; /* successfully negotiated new (non-reused) TLS sessions */
#endif
6 changes: 6 additions & 0 deletions tls.c
@@ -139,6 +139,9 @@ static ssize_t ssl_read(conn *c, void *buf, size_t count) {
print_ssl_error(ssl_err, SSL_ERROR_MSG_SIZE);
LOGGER_LOG(c->thread->l, LOG_CONNEVENTS, LOGGER_CONNECTION_ERROR,
NULL, c->sfd, ssl_err);
STATS_LOCK();
stats.ssl_proto_errors++;
STATS_UNLOCK();
}
ERR_clear_error();
}
@@ -172,6 +175,9 @@ static ssize_t ssl_write(conn *c, void *buf, size_t count) {
print_ssl_error(ssl_err, SSL_ERROR_MSG_SIZE);
LOGGER_LOG(c->thread->l, LOG_CONNEVENTS, LOGGER_CONNECTION_ERROR,
NULL, c->sfd, ssl_err);
STATS_LOCK();
stats.ssl_proto_errors++;
STATS_UNLOCK();
}
ERR_clear_error();
}
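Review bot: The added `STATS_LOCK(); stats.ssl_proto_errors++; STATS_UNLOCK();` in the ssl_read hunk, and the identical three lines in the ssl_write hunk, take the process-wide stats lock inside a worker's I/O error branch that any remote peer can reach by sending a bad TLS record. Whether the connection is closed after this branch is outside both hunks (both functions begin and end beyond the visible lines), so it is worth confirming that the count is bounded to one increment per failed connection and saying so in a comment such as `/* fatal for this conn: counted once, then the caller closes it */`. Because the sequence is now duplicated, a small `static void tls_count_proto_error(void)` helper wrapping the lock, increment and unlock would keep the read and write paths from drifting apart. Separately, the new protocol.txt row describes the counter as errors "a client has seen", whereas these increments sit on the server's SSL_read()/SSL_write() paths as the memcached.h comment states; the stat description should say the server encountered them so operators alerting on it read it correctly.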
