trafficserver-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From shinr...@apache.org
Subject [trafficserver] branch master updated: Remove the ssl wire trace feature.
Date Tue, 04 Dec 2018 21:38:53 GMT
This is an automated email from the ASF dual-hosted git repository.

shinrich pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/master by this push:
     new 6ee5c61  Remove the ssl wire trace feature.
6ee5c61 is described below

commit 6ee5c616d165b969b42a86c4eb2ca0b1be86b881
Author: Susan Hinrichs <shinrich@oath.com>
AuthorDate: Mon Dec 3 23:24:38 2018 +0000

    Remove the ssl wire trace feature.
---
 doc/admin-guide/files/records.config.en.rst |  19 -----
 iocore/net/P_SSLConfig.h                    |   7 --
 iocore/net/P_SSLNetVConnection.h            |  13 ---
 iocore/net/SSLConfig.cc                     |  31 +-------
 iocore/net/SSLNetVConnection.cc             | 119 ----------------------------
 iocore/net/SSLUtils.cc                      |   5 --
 iocore/net/UnixNetVConnection.cc            |  39 +--------
 mgmt/RecordsConfig.cc                       |   8 --
 proxy/http/HttpSM.cc                        |  21 -----
 9 files changed, 3 insertions(+), 259 deletions(-)

diff --git a/doc/admin-guide/files/records.config.en.rst b/doc/admin-guide/files/records.config.en.rst
index c14df88..2936600 100644
--- a/doc/admin-guide/files/records.config.en.rst
+++ b/doc/admin-guide/files/records.config.en.rst
@@ -3450,25 +3450,6 @@ SSL Termination
 
    See :ref:`admin-performance-timeouts` for more discussion on |TS| timeouts.
 
-.. ts:cv:: CONFIG proxy.config.ssl.wire_trace_enabled INT 0
-
-   When enabled this turns on wire tracing of SSL connections that meet
-   the conditions specified by wire_trace_percentage, wire_trace_addr
-   and wire_trace_server_name.
-
-.. ts:cv:: CONFIG proxy.config.ssl.wire_trace_percentage INT 0
-
-   This specifies the percentage of traffic meeting the other wire_trace
-   conditions to be traced.
-
-.. ts:cv:: CONFIG proxy.config.ssl.wire_trace_addr STRING NULL
-
-   This specifies the client IP for which wire_traces should be printed.
-
-.. ts:cv:: CONFIG proxy.config.ssl.wire_trace_server_name STRING NULL
-
-   This specifies the server name for which wire_traces should be printed.
-
 Client-Related Configuration
 ----------------------------
 
diff --git a/iocore/net/P_SSLConfig.h b/iocore/net/P_SSLConfig.h
index a691e5b..3bccf9f 100644
--- a/iocore/net/P_SSLConfig.h
+++ b/iocore/net/P_SSLConfig.h
@@ -107,13 +107,6 @@ struct SSLConfigParams : public ConfigInfo {
   static size_t session_cache_max_bucket_size;
   static bool session_cache_skip_on_lock_contention;
 
-  // TS-3435 Wiretracing for SSL Connections
-  static int ssl_wire_trace_enabled;
-  static char *ssl_wire_trace_addr;
-  static IpAddr *ssl_wire_trace_ip;
-  static int ssl_wire_trace_percentage;
-  static char *ssl_wire_trace_server_name;
-
   static init_ssl_ctx_func init_ssl_ctx_cb;
   static load_ssl_file_func load_ssl_file_cb;
 
diff --git a/iocore/net/P_SSLNetVConnection.h b/iocore/net/P_SSLNetVConnection.h
index 144cf37..f2eadb3 100644
--- a/iocore/net/P_SSLNetVConnection.h
+++ b/iocore/net/P_SSLNetVConnection.h
@@ -286,19 +286,6 @@ public:
     }
     return retval;
   }
-  bool
-  getSSLTrace() const
-  {
-    return sslTrace || super::origin_trace;
-  }
-
-  void
-  setSSLTrace(bool state)
-  {
-    sslTrace = state;
-  }
-
-  bool computeSSLTrace();
 
   const char *
   getSSLProtocol(void) const
diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc
index 9c1a6d9..a6dbed7 100644
--- a/iocore/net/SSLConfig.cc
+++ b/iocore/net/SSLConfig.cc
@@ -58,14 +58,8 @@ size_t SSLConfigParams::session_cache_max_bucket_size       = 100;
 init_ssl_ctx_func SSLConfigParams::init_ssl_ctx_cb          = nullptr;
 load_ssl_file_func SSLConfigParams::load_ssl_file_cb        = nullptr;
 
-// TS-3534 Wiretracing for SSL Connections
-int SSLConfigParams::ssl_wire_trace_enabled       = 0;
-char *SSLConfigParams::ssl_wire_trace_addr        = nullptr;
-IpAddr *SSLConfigParams::ssl_wire_trace_ip        = nullptr;
-int SSLConfigParams::ssl_wire_trace_percentage    = 0;
-char *SSLConfigParams::ssl_wire_trace_server_name = nullptr;
-int SSLConfigParams::async_handshake_enabled      = 0;
-char *SSLConfigParams::engine_conf_file           = nullptr;
+int SSLConfigParams::async_handshake_enabled = 0;
+char *SSLConfigParams::engine_conf_file      = nullptr;
 
 static std::unique_ptr<ConfigUpdateHandler<SSLCertificateConfig>> sslCertUpdate;
 static std::unique_ptr<ConfigUpdateHandler<SSLConfig>> sslConfigUpdate;
@@ -131,7 +125,6 @@ SSLConfigParams::cleanup()
   cipherSuite             = (char *)ats_free_null(cipherSuite);
   client_cipherSuite      = (char *)ats_free_null(client_cipherSuite);
   dhparamsFile            = (char *)ats_free_null(dhparamsFile);
-  ssl_wire_trace_ip       = (IpAddr *)ats_free_null(ssl_wire_trace_ip);
 
   server_tls13_cipher_suites = (char *)ats_free_null(server_tls13_cipher_suites);
   client_tls13_cipher_suites = (char *)ats_free_null(client_tls13_cipher_suites);
@@ -438,26 +431,6 @@ SSLConfigParams::initialize()
 
   REC_ReadConfigInt32(ssl_allow_client_renegotiation, "proxy.config.ssl.allow_client_renegotiation");
 
-  // SSL Wire Trace configurations
-  REC_EstablishStaticConfigInt32(ssl_wire_trace_enabled, "proxy.config.ssl.wire_trace_enabled");
-  if (ssl_wire_trace_enabled) {
-    // wire trace specific source ip
-    REC_EstablishStaticConfigStringAlloc(ssl_wire_trace_addr, "proxy.config.ssl.wire_trace_addr");
-    if (ssl_wire_trace_addr) {
-      ssl_wire_trace_ip = new IpAddr();
-      ssl_wire_trace_ip->load(ssl_wire_trace_addr);
-    } else {
-      ssl_wire_trace_ip = nullptr;
-    }
-    // wire trace percentage of requests
-    REC_EstablishStaticConfigInt32(ssl_wire_trace_percentage, "proxy.config.ssl.wire_trace_percentage");
-    REC_EstablishStaticConfigStringAlloc(ssl_wire_trace_server_name, "proxy.config.ssl.wire_trace_server_name");
-  } else {
-    ssl_wire_trace_addr        = nullptr;
-    ssl_wire_trace_ip          = nullptr;
-    ssl_wire_trace_percentage  = 0;
-    ssl_wire_trace_server_name = nullptr;
-  }
   // Enable client regardless of config file settings as remap file
   // can cause HTTP layer to connect using SSL. But only if SSL
   // initialization hasn't failed already.
diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
index 86e150c..71e1b08 100644
--- a/iocore/net/SSLNetVConnection.cc
+++ b/iocore/net/SSLNetVConnection.cc
@@ -214,7 +214,6 @@ ssl_read_from_net(SSLNetVConnection *sslvc, EThread *lthread, int64_t
&ret)
   int64_t bytes_read     = 0;
   ssl_error_t sslErr     = SSL_ERROR_NONE;
 
-  bool trace     = sslvc->getSSLTrace();
   int64_t toread = buf.writer()->write_avail();
   ink_release_assert(toread > 0);
   if (toread > s->vio.ntodo()) {
@@ -237,15 +236,6 @@ ssl_read_from_net(SSLNetVConnection *sslvc, EThread *lthread, int64_t
&ret)
     sslErr = SSLReadBuffer(sslvc->ssl, current_block, amount_to_read, nread);
 
     Debug("ssl", "[SSL_NetVConnection::ssl_read_from_net] nread=%d", (int)nread);
-    if (!sslvc->origin_trace) {
-      TraceIn((0 < nread && trace), sslvc->get_remote_addr(), sslvc->get_remote_port(),
"WIRE TRACE\tbytes=%d\n%.*s", (int)nread,
-              (int)nread, current_block);
-    } else {
-      char origin_trace_ip[INET6_ADDRSTRLEN];
-      ats_ip_ntop(sslvc->origin_trace_addr, origin_trace_ip, sizeof(origin_trace_ip));
-      TraceIn((0 < nread && trace), sslvc->get_remote_addr(), sslvc->get_remote_port(),
"CLIENT %s:%d\ttbytes=%d\n%.*s",
-              origin_trace_ip, sslvc->origin_trace_port, (int)nread, (int)nread, current_block);
-    }
 
     switch (sslErr) {
     case SSL_ERROR_NONE:
@@ -271,29 +261,24 @@ ssl_read_from_net(SSLNetVConnection *sslvc, EThread *lthread, int64_t
&ret)
       Debug("ssl.error", "[SSL_NetVConnection::ssl_read_from_net] SSL_ERROR_WOULD_BLOCK(read)");
       break;
     case SSL_ERROR_WANT_X509_LOOKUP:
-      TraceIn(trace, sslvc->get_remote_addr(), sslvc->get_remote_port(), "Want X509
lookup");
       event = SSL_READ_WOULD_BLOCK;
       SSL_INCREMENT_DYN_STAT(ssl_error_want_x509_lookup);
       Debug("ssl.error", "[SSL_NetVConnection::ssl_read_from_net] SSL_ERROR_WOULD_BLOCK(read/x509
lookup)");
       break;
     case SSL_ERROR_SYSCALL:
-      TraceIn(trace, sslvc->get_remote_addr(), sslvc->get_remote_port(), "Syscall Error:
%s", strerror(errno));
       SSL_INCREMENT_DYN_STAT(ssl_error_syscall);
       if (nread != 0) {
         // not EOF
         event = SSL_READ_ERROR;
         ret   = errno;
         Debug("ssl.error", "[SSL_NetVConnection::ssl_read_from_net] SSL_ERROR_SYSCALL, underlying
IO error: %s", strerror(errno));
-        TraceIn(trace, sslvc->get_remote_addr(), sslvc->get_remote_port(), "Underlying
IO error: %d", errno);
       } else {
         // then EOF observed, treat it as EOS
         // Error("[SSL_NetVConnection::ssl_read_from_net] SSL_ERROR_SYSCALL, EOF observed
violating SSL protocol");
-        TraceIn(trace, sslvc->get_remote_addr(), sslvc->get_remote_port(), "EOF observed
violating SSL protocol");
         event = SSL_READ_EOS;
       }
       break;
     case SSL_ERROR_ZERO_RETURN:
-      TraceIn(trace, sslvc->get_remote_addr(), sslvc->get_remote_port(), "Connection
closed by peer");
       event = SSL_READ_EOS;
       SSL_INCREMENT_DYN_STAT(ssl_error_zero_return);
       Debug("ssl.error", "[SSL_NetVConnection::ssl_read_from_net] SSL_ERROR_ZERO_RETURN");
@@ -303,8 +288,6 @@ ssl_read_from_net(SSLNetVConnection *sslvc, EThread *lthread, int64_t
&ret)
       char buf[512];
       unsigned long e = ERR_peek_last_error();
       ERR_error_string_n(e, buf, sizeof(buf));
-      TraceIn(trace, sslvc->get_remote_addr(), sslvc->get_remote_port(), "SSL Error:
sslErr=%d, ERR_get_error=%ld (%s) errno=%d",
-              sslErr, e, buf, errno);
       event = SSL_READ_ERROR;
       ret   = errno;
       SSL_CLR_ERR_INCR_DYN_STAT(sslvc, ssl_error_ssl, "[SSL_NetVConnection::ssl_read_from_net]:
errno=%d", errno);
@@ -697,8 +680,6 @@ SSLNetVConnection::load_buffer_and_write(int64_t towrite, MIOBufferAccessor
&buf
     return this->super::load_buffer_and_write(towrite, buf, total_written, needs);
   }
 
-  bool trace = getSSLTrace();
-
   do {
     // What is remaining left in the next block?
     l                   = buf.reader()->block_read_avail();
@@ -747,16 +728,6 @@ SSLNetVConnection::load_buffer_and_write(int64_t towrite, MIOBufferAccessor
&buf
           towrite, current_block);
     err = SSLWriteBuffer(ssl, current_block, l, num_really_written);
 
-    if (!origin_trace) {
-      TraceOut((0 < num_really_written && trace), get_remote_addr(), get_remote_port(),
"WIRE TRACE\tbytes=%d\n%.*s",
-               (int)num_really_written, (int)num_really_written, current_block);
-    } else {
-      char origin_trace_ip[INET6_ADDRSTRLEN];
-      ats_ip_ntop(origin_trace_addr, origin_trace_ip, sizeof(origin_trace_ip));
-      TraceOut((0 < num_really_written && trace), get_remote_addr(), get_remote_port(),
"CLIENT %s:%d\ttbytes=%d\n%.*s",
-               origin_trace_ip, origin_trace_port, (int)num_really_written, (int)num_really_written,
current_block);
-    }
-
     // We wrote all that we thought we should
     if (num_really_written > 0) {
       total_written += num_really_written;
@@ -793,7 +764,6 @@ SSLNetVConnection::load_buffer_and_write(int64_t towrite, MIOBufferAccessor
&buf
         redoWriteSize = l;
       } else if (SSL_ERROR_WANT_X509_LOOKUP == err) {
         SSL_INCREMENT_DYN_STAT(ssl_error_want_x509_lookup);
-        TraceOut(trace, get_remote_addr(), get_remote_port(), "Want X509 lookup");
       }
 
       needs |= EVENTIO_WRITE;
@@ -802,25 +772,18 @@ SSLNetVConnection::load_buffer_and_write(int64_t towrite, MIOBufferAccessor
&buf
       break;
     }
     case SSL_ERROR_SYSCALL:
-      TraceOut(trace, get_remote_addr(), get_remote_port(), "Syscall Error: %s", strerror(errno));
       num_really_written = -errno;
       SSL_INCREMENT_DYN_STAT(ssl_error_syscall);
       Debug("ssl.error", "SSL_write-SSL_ERROR_SYSCALL");
       break;
     // end of stream
     case SSL_ERROR_ZERO_RETURN:
-      TraceOut(trace, get_remote_addr(), get_remote_port(), "SSL Error: zero return");
       num_really_written = -errno;
       SSL_INCREMENT_DYN_STAT(ssl_error_zero_return);
       Debug("ssl.error", "SSL_write-SSL_ERROR_ZERO_RETURN");
       break;
     case SSL_ERROR_SSL:
     default: {
-      char buf[512];
-      unsigned long e = ERR_peek_last_error();
-      ERR_error_string_n(e, buf, sizeof(buf));
-      TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL Error: sslErr=%d, ERR_get_error=%ld
(%s) errno=%d", err, e, buf,
-              errno);
       // Treat SSL_ERROR_SSL as EPIPE error.
       num_really_written = -EPIPE;
       SSL_CLR_ERR_INCR_DYN_STAT(this, ssl_error_ssl, "SSL_write-SSL_ERROR_SSL errno=%d",
errno);
@@ -1164,8 +1127,6 @@ SSLNetVConnection::sslServerHandShakeEvent(int &err)
     }
   }
 #endif
-  bool trace = getSSLTrace();
-
   if (ssl_error != SSL_ERROR_NONE) {
     err = errno;
     SSLVCDebug(this, "SSL handshake error: %s (%d), errno=%d", SSLErrorName(ssl_error), ssl_error,
err);
@@ -1195,9 +1156,6 @@ SSLNetVConnection::sslServerHandShakeEvent(int &err)
 
     sslHandshakeStatus = SSL_HANDSHAKE_DONE;
 
-    TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL server handshake completed
successfully");
-    // do we want to include cert info in trace?
-
     if (sslHandshakeBeginTime) {
       sslHandshakeEndTime                 = Thread::get_hrtime();
       const ink_hrtime ssl_handshake_time = sslHandshakeEndTime - sslHandshakeBeginTime;
@@ -1239,38 +1197,30 @@ SSLNetVConnection::sslServerHandShakeEvent(int &err)
         }
 
         Debug("ssl", "client selected next protocol '%.*s'", len, proto);
-        TraceIn(trace, get_remote_addr(), get_remote_port(), "client selected next protocol'%.*s'",
len, proto);
       } else {
         Debug("ssl", "client did not select a next protocol");
-        TraceIn(trace, get_remote_addr(), get_remote_port(), "client did not select a next
protocol");
       }
     }
 
     return EVENT_DONE;
 
   case SSL_ERROR_WANT_CONNECT:
-    TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL server handshake ERROR_WANT_CONNECT");
     return SSL_HANDSHAKE_WANT_CONNECT;
 
   case SSL_ERROR_WANT_WRITE:
-    TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL server handshake ERROR_WANT_WRITE");
     return SSL_HANDSHAKE_WANT_WRITE;
 
   case SSL_ERROR_WANT_READ:
-    TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL server handshake ERROR_WANT_READ");
     return SSL_HANDSHAKE_WANT_READ;
 
 // This value is only defined in openssl has been patched to
 // enable the sni callback to break out of the SSL_accept processing
 #ifdef SSL_ERROR_WANT_SNI_RESOLVE
   case SSL_ERROR_WANT_X509_LOOKUP:
-    TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL server handshake ERROR_WANT_X509_LOOKUP");
     return EVENT_CONT;
   case SSL_ERROR_WANT_SNI_RESOLVE:
-    TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL server handshake ERROR_WANT_SNI_RESOLVE");
 #elif SSL_ERROR_WANT_X509_LOOKUP
   case SSL_ERROR_WANT_X509_LOOKUP:
-    TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL server handshake ERROR_WANT_X509_LOOKUP");
 #endif
 #if defined(SSL_ERROR_WANT_SNI_RESOLVE) || defined(SSL_ERROR_WANT_X509_LOOKUP)
     if (this->attributes == HttpProxyPort::TRANSPORT_BLIND_TUNNEL || SSL_HOOK_OP_TUNNEL
== hookOpRequested) {
@@ -1285,32 +1235,22 @@ SSLNetVConnection::sslServerHandShakeEvent(int &err)
 
 #if TS_USE_TLS_ASYNC
   case SSL_ERROR_WANT_ASYNC:
-    TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL server handshake ERROR_WANT_ASYNC");
     return SSL_WAIT_FOR_ASYNC;
 #endif
 
   case SSL_ERROR_WANT_ACCEPT:
-    TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL server handshake ERROR_WANT_ACCEPT");
     return EVENT_CONT;
 
   case SSL_ERROR_SSL: {
     SSL_CLR_ERR_INCR_DYN_STAT(this, ssl_error_ssl, "SSLNetVConnection::sslServerHandShakeEvent,
SSL_ERROR_SSL errno=%d", errno);
-    char buf[512];
-    unsigned long e = ERR_peek_last_error();
-    ERR_error_string_n(e, buf, sizeof(buf));
-    TraceIn(trace, get_remote_addr(), get_remote_port(),
-            "SSL server handshake ERROR_SSL: sslErr=%d, ERR_get_error=%ld (%s) errno=%d",
ssl_error, e, buf, errno);
     return EVENT_ERROR;
   }
 
   case SSL_ERROR_ZERO_RETURN:
-    TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL server handshake ERROR_ZERO_RETURN");
     return EVENT_ERROR;
   case SSL_ERROR_SYSCALL:
-    TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL server handshake ERROR_SYSCALL");
     return EVENT_ERROR;
   default:
-    TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL server handshake ERROR_OTHER");
     return EVENT_ERROR;
   }
 }
@@ -1318,7 +1258,6 @@ SSLNetVConnection::sslServerHandShakeEvent(int &err)
 int
 SSLNetVConnection::sslClientHandShakeEvent(int &err)
 {
-  bool trace = getSSLTrace();
   ssl_error_t ssl_error;
 
   ink_assert(SSLNetVCAccess(ssl) == this);
@@ -1372,49 +1311,39 @@ SSLNetVConnection::sslClientHandShakeEvent(int &err)
 
     SSL_INCREMENT_DYN_STAT(ssl_total_success_handshake_count_out_stat);
 
-    TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL client handshake completed
successfully");
-    // do we want to include cert info in trace?
-
     sslHandshakeStatus = SSL_HANDSHAKE_DONE;
     return EVENT_DONE;
 
   case SSL_ERROR_WANT_WRITE:
     Debug("ssl.error", "SSLNetVConnection::sslClientHandShakeEvent, SSL_ERROR_WANT_WRITE");
     SSL_INCREMENT_DYN_STAT(ssl_error_want_write);
-    TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL client handshake ERROR_WANT_WRITE");
     return SSL_HANDSHAKE_WANT_WRITE;
 
   case SSL_ERROR_WANT_READ:
     SSL_INCREMENT_DYN_STAT(ssl_error_want_read);
     Debug("ssl.error", "SSLNetVConnection::sslClientHandShakeEvent, SSL_ERROR_WANT_READ");
-    TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL client handshake ERROR_WANT_READ");
     return SSL_HANDSHAKE_WANT_READ;
 
   case SSL_ERROR_WANT_X509_LOOKUP:
     SSL_INCREMENT_DYN_STAT(ssl_error_want_x509_lookup);
     Debug("ssl.error", "SSLNetVConnection::sslClientHandShakeEvent, SSL_ERROR_WANT_X509_LOOKUP");
-    TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL client handshake ERROR_WANT_X509_LOOKUP");
     break;
 
   case SSL_ERROR_WANT_ACCEPT:
-    TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL client handshake ERROR_WANT_ACCEPT");
     return SSL_HANDSHAKE_WANT_ACCEPT;
 
   case SSL_ERROR_WANT_CONNECT:
-    TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL client handshake ERROR_WANT_CONNECT");
     break;
 
   case SSL_ERROR_ZERO_RETURN:
     SSL_INCREMENT_DYN_STAT(ssl_error_zero_return);
     Debug("ssl.error", "SSLNetVConnection::sslClientHandShakeEvent, EOS");
-    TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL client handshake EOS");
     return EVENT_ERROR;
 
   case SSL_ERROR_SYSCALL:
     err = errno;
     SSL_INCREMENT_DYN_STAT(ssl_error_syscall);
     Debug("ssl.error", "SSLNetVConnection::sslClientHandShakeEvent, syscall");
-    TraceIn(trace, get_remote_addr(), get_remote_port(), "SSL client handshake Syscall Error:
%s", strerror(errno));
     return EVENT_ERROR;
     break;
 
@@ -1427,8 +1356,6 @@ SSLNetVConnection::sslClientHandShakeEvent(int &err)
     // FIXME -- This triggers a retry on cases of cert validation errors....
     SSL_CLR_ERR_INCR_DYN_STAT(this, ssl_error_ssl, "SSLNetVConnection::sslClientHandShakeEvent,
SSL_ERROR_SSL errno=%d", errno);
     Debug("ssl.error", "SSLNetVConnection::sslClientHandShakeEvent, SSL_ERROR_SSL");
-    TraceIn(trace, get_remote_addr(), get_remote_port(),
-            "SSL client handshake ERROR_SSL: sslErr=%d, ERR_get_error=%ld (%s) errno=%d",
ssl_error, e, buf, errno);
     if (e) {
       if (this->options.sni_servername) {
         Debug("ssl.error", "SSL connection failed for '%s': %s", this->options.sni_servername.get(),
buf);
@@ -1729,52 +1656,6 @@ SSLNetVConnection::callHooks(TSEvent eventId)
   return reenabled;
 }
 
-bool
-SSLNetVConnection::computeSSLTrace()
-{
-  // this has to happen before the handshake or else sni_servername will be nullptr
-  bool sni_trace;
-  if (ssl) {
-    const char *ssl_servername   = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
-    char *wire_trace_server_name = SSLConfigParams::ssl_wire_trace_server_name;
-    Debug("ssl", "for wiretrace, ssl_servername=%s, wire_trace_server_name=%s", ssl_servername,
wire_trace_server_name);
-    sni_trace = ssl_servername && wire_trace_server_name && (0 == strcmp(wire_trace_server_name,
ssl_servername));
-  } else {
-    sni_trace = false;
-  }
-
-  // count based on ip only if they set an IP value
-  const sockaddr *remote_addr = get_remote_addr();
-  bool ip_trace               = false;
-  if (SSLConfigParams::ssl_wire_trace_ip) {
-    ip_trace = (*SSLConfigParams::ssl_wire_trace_ip == remote_addr);
-  }
-
-  // count based on percentage
-  int percentage = SSLConfigParams::ssl_wire_trace_percentage;
-  int random;
-  bool trace;
-
-  // we only generate random numbers as needed (to maintain correct percentage)
-  if (SSLConfigParams::ssl_wire_trace_server_name && SSLConfigParams::ssl_wire_trace_ip)
{
-    random = this_ethread()->generator.random() % 100; // range [0-99]
-    trace  = sni_trace && ip_trace && (percentage > random);
-  } else if (SSLConfigParams::ssl_wire_trace_server_name) {
-    random = this_ethread()->generator.random() % 100; // range [0-99]
-    trace  = sni_trace && (percentage > random);
-  } else if (SSLConfigParams::ssl_wire_trace_ip) {
-    random = this_ethread()->generator.random() % 100; // range [0-99]
-    trace  = ip_trace && (percentage > random);
-  } else {
-    random = this_ethread()->generator.random() % 100; // range [0-99]
-    trace  = percentage > random;
-  }
-
-  Debug("ssl", "ssl_netvc random=%d, trace=%s", random, trace ? "TRUE" : "FALSE");
-
-  return trace;
-}
-
 int
 SSLNetVConnection::populate(Connection &con, Continuation *c, void *arg)
 {
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index 2df2374..9965528 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -330,11 +330,6 @@ set_context_cert(SSL *ssl)
   int retval               = 1;
 
   Debug("ssl", "set_context_cert ssl=%p server=%s handshake_complete=%d", ssl, servername,
netvc->getSSLHandShakeComplete());
-  if (SSLConfigParams::ssl_wire_trace_enabled) {
-    bool trace = netvc->computeSSLTrace();
-    Debug("ssl", "sslnetvc. setting trace to=%s", trace ? "true" : "false");
-    netvc->setSSLTrace(trace);
-  }
 
   // catch the client renegotiation early on
   if (SSLConfigParams::ssl_allow_client_renegotiation == false && netvc->getSSLHandShakeComplete())
{
diff --git a/iocore/net/UnixNetVConnection.cc b/iocore/net/UnixNetVConnection.cc
index e01fc57..ca5e341 100644
--- a/iocore/net/UnixNetVConnection.cc
+++ b/iocore/net/UnixNetVConnection.cc
@@ -253,24 +253,6 @@ read_from_net(NetHandler *nh, UnixNetVConnection *vc, EThread *thread)
 
       NET_INCREMENT_DYN_STAT(net_calls_to_read_stat);
 
-      if (vc->origin_trace) {
-        char origin_trace_ip[INET6_ADDRSTRLEN];
-
-        ats_ip_ntop(vc->origin_trace_addr, origin_trace_ip, sizeof(origin_trace_ip));
-
-        if (r > 0) {
-          TraceIn((vc->origin_trace), vc->get_remote_addr(), vc->get_remote_port(),
"CLIENT %s:%d\tbytes=%d\n%.*s", origin_trace_ip,
-                  vc->origin_trace_port, (int)r, (int)r, (char *)tiovec[0].iov_base);
-
-        } else if (r == 0) {
-          TraceIn((vc->origin_trace), vc->get_remote_addr(), vc->get_remote_port(),
"CLIENT %s:%d closed connection",
-                  origin_trace_ip, vc->origin_trace_port);
-        } else {
-          TraceIn((vc->origin_trace), vc->get_remote_addr(), vc->get_remote_port(),
"CLIENT %s:%d error=%s", origin_trace_ip,
-                  vc->origin_trace_port, strerror(errno));
-        }
-      }
-
       total_read += rattempted;
     } while (rattempted && r == rattempted && total_read < toread);
 
@@ -896,10 +878,7 @@ UnixNetVConnection::UnixNetVConnection()
     submit_time(0),
     oob_ptr(nullptr),
     from_accept_thread(false),
-    accept_object(nullptr),
-    origin_trace(false),
-    origin_trace_addr(nullptr),
-    origin_trace_port(0)
+    accept_object(nullptr)
 {
   SET_HANDLER((NetVConnHandler)&UnixNetVConnection::startEvent);
 }
@@ -998,22 +977,6 @@ UnixNetVConnection::load_buffer_and_write(int64_t towrite, MIOBufferAccessor
&bu
       r = socketManager.writev(con.fd, &tiovec[0], niov);
     }
 
-    if (origin_trace) {
-      char origin_trace_ip[INET6_ADDRSTRLEN];
-      ats_ip_ntop(origin_trace_addr, origin_trace_ip, sizeof(origin_trace_ip));
-
-      if (r > 0) {
-        TraceOut(origin_trace, get_remote_addr(), get_remote_port(), "CLIENT %s:%d\tbytes=%d\n%.*s",
origin_trace_ip,
-                 origin_trace_port, (int)r, (int)r, (char *)tiovec[0].iov_base);
-
-      } else if (r == 0) {
-        TraceOut(origin_trace, get_remote_addr(), get_remote_port(), "CLIENT %s:%d\tbytes=0",
origin_trace_ip, origin_trace_port);
-      } else {
-        TraceOut(origin_trace, get_remote_addr(), get_remote_port(), "CLIENT %s:%d error=%s",
origin_trace_ip, origin_trace_port,
-                 strerror(errno));
-      }
-    }
-
     if (r > 0) {
       buf.reader()->consume(r);
       total_written += r;
diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc
index 5799a01..931c6e3 100644
--- a/mgmt/RecordsConfig.cc
+++ b/mgmt/RecordsConfig.cc
@@ -1178,14 +1178,6 @@ static const RecordElement RecordsConfig[] =
   ,
   {RECT_CONFIG, "proxy.config.ssl.handshake_timeout_in", RECD_INT, "0", RECU_RESTART_TS,
RR_NULL, RECC_INT, "[0-65535]", RECA_NULL}
   ,
-  {RECT_CONFIG, "proxy.config.ssl.wire_trace_enabled", RECD_INT, "0", RECU_DYNAMIC, RR_NULL,
RECC_INT, "[0-2]", RECA_NULL}
-  ,
-  {RECT_CONFIG, "proxy.config.ssl.wire_trace_addr", RECD_STRING, nullptr , RECU_DYNAMIC,
RR_NULL, RECC_IP, R"([0-255]\.[0-255]\.[0-255]\.[0-255])", RECA_NULL}
-  ,
-  {RECT_CONFIG, "proxy.config.ssl.wire_trace_percentage", RECD_INT, "0", RECU_DYNAMIC, RR_NULL,
RECC_INT, "[0-100]", RECA_NULL}
-  ,
-  {RECT_CONFIG, "proxy.config.ssl.wire_trace_server_name", RECD_STRING, nullptr , RECU_DYNAMIC,
RR_NULL, RECC_STR, ".*", RECA_NULL}
-  ,
   {RECT_CONFIG, "proxy.config.ssl.cert.load_elevated", RECD_INT, "0", RECU_RESTART_TS, RR_NULL,
RECC_INT, "[0-1]", RECA_READ_ONLY}
   ,
   {RECT_CONFIG, "proxy.config.ssl.server.groups_list", RECD_STRING, nullptr, RECU_RESTART_TS,
RR_NULL, RECC_NULL, nullptr, RECA_NULL}
diff --git a/proxy/http/HttpSM.cc b/proxy/http/HttpSM.cc
index 52d4dde..3d91e55 100644
--- a/proxy/http/HttpSM.cc
+++ b/proxy/http/HttpSM.cc
@@ -5860,30 +5860,9 @@ HttpSM::attach_server_session(HttpServerSession *s)
   // Get server and client connections
   UnixNetVConnection *server_vc = dynamic_cast<UnixNetVConnection *>(server_session->get_netvc());
   UnixNetVConnection *client_vc = (UnixNetVConnection *)(ua_txn->get_netvc());
-  SSLNetVConnection *ssl_vc     = dynamic_cast<SSLNetVConnection *>(client_vc);
 
   // Verifying that the user agent and server sessions/transactions are operating on the
same thread.
   ink_release_assert(!server_vc || !client_vc || server_vc->thread == client_vc->thread);
-  bool associated_connection = false;
-  if (server_vc) { // if server_vc isn't a PluginVC
-    if (ssl_vc) {  // if incoming connection is SSL
-      bool client_trace = ssl_vc->getSSLTrace();
-      if (client_trace) {
-        // get remote address and port to mark corresponding traces
-        const sockaddr *remote_addr = ssl_vc->get_remote_addr();
-        uint16_t remote_port        = ssl_vc->get_remote_port();
-        server_vc->setOriginTrace(true);
-        server_vc->setOriginTraceAddr(remote_addr);
-        server_vc->setOriginTracePort(remote_port);
-        associated_connection = true;
-      }
-    }
-  }
-  if (!associated_connection && server_vc) {
-    server_vc->setOriginTrace(false);
-    server_vc->setOriginTraceAddr(nullptr);
-    server_vc->setOriginTracePort(0);
-  }
 
   // set flag for server session is SSL
   SSLNetVConnection *server_ssl_vc = dynamic_cast<SSLNetVConnection *>(server_vc);


Mime
View raw message