Add scipts to monitor nginx ssl session ticket keys and session ticket resumptions.

Author: lziest

README.markdown

@@ -48,6 +48,8 @@ Table of Contents
     * [ngx-orig-resp-body-len](#ngx-orig-resp-body-len)
     * [zlib-deflate-chunk-size](#zlib-deflate-chunk-size)
     * [lj-str-tab](#lj-str-tab)
+    * [ngx-ssl-session-ticket-keys](#ngx-ssl-session-ticket-keys)
+    * [ngx-ssl-session-resumption-stats](#ngx-ssl-session-resumption-stats)
 * [Installation](#installation)
 * [Author](#author)
 * [Copyright and License](#copyright-and-license)
@@ -1453,7 +1455,31 @@ value |-------------------------------------------------- count
 lj-str-tab
 ----------
 
-Analayzing the structure and various statistics of the global Lua string hash table in the LuaJIT v2.1 VM.
+Analyzing the structure and various statistics of the global Lua string hash table in the LuaJIT v2.1 VM.
+
+[Back to TOC](#table-of-contents)
+
+ngx-ssl-session-ticket-keys
+----------
+
+Dumping ssl session ticket keys of a nginx worker.
+
+```bash
+# assuming one nginx worker process has the pid 3781.
+$ ./samples/ngx-ssl-session-ticket-keys.sxx -I ./tapset -x 3781
+```
+
+[Back to TOC](#table-of-contents)
+
+ngx-ssl-session-resumption-stats
+----------
+
+Analyzing the statistics of nginx SSL/TLS session ticket resumption.
+
+```bash
+# assuming one nginx worker process has the pid 3781.
+$ ./samples/ngx-ssl-session-resumption-stats.sxx -x 3781
+```
 
 [Back to TOC](#table-of-contents)
 

samples/ngx-ssl-session-resumption-stats.sxx

@@ -0,0 +1,47 @@
+#!/usr/bin/env stap++
+
+# Capture ssl session resumption statistics. 
+
+global total
+global tickets
+global resumed
+global reencrypted
+
+probe begin {
+    printf("Start tracing NGX OPENSSL ticket key callback\n");
+}
+
+probe @pfunc(ngx_ssl_session_ticket_key_callback).return {
+    total++;
+    # record client session ticket decryption calls
+    if ($enc == 0) {
+        tickets++;
+        if ($return > 0) resumed++;
+        if ($return > 1) reencrypted++;
+    }
+}
+
+probe end {
+    printf("Stop tracing NGX OPENSSL ticket key callback\n");
+    printf("Total sessions: %d\n", total);
+    printf("Total session tickets: %d\n", tickets);
+    printf("Total resumed session: %d\n", resumed);
+    printf("Total re-encrypted session ticket: %d\n", reencrypted);
+
+    if (total > 0) {
+        ratio1 = (tickets * 100) / total;
+
+    } else {
+        ratio1 = 0;
+    }
+
+    if (tickets > 0) {
+        ratio2 = (resumed * 100) / tickets;
+
+    } else {
+        ratio2 = 0;   
+    }
+    printf("Session resumption attempts ratio: %d percent\n", ratio1)
+    printf("Session resumption success ratio: %d percent\n", ratio2)
+    exit();
+}

samples/ngx-ssl-session-ticket-keys.sxx

@@ -0,0 +1,79 @@
+#!/usr/bin/env stap++
+
+# Capture ssl session tickets.
+
+@use nginx.array
+@use nginx.openssl
+
+probe begin {
+    printf("Start tracing NGX OPENSSL ticket key callback\n")
+}
+
+// print 16-byte key name
+function print_key_name(name) {
+    printf("key name: ");
+    $*n := @cast(name, "unsigned char", "$^exec_path")
+    for (i=0; i<16; i++) {
+       printf("%02x", $*n[i]) 
+    }
+    printf("\n")
+}
+
+// print 16-byte aes state
+function print_key_aes(state) {
+    printf("key aes state: ");
+    $*s := @cast(state, "unsigned char", "$^exec_path")
+    for (i=0; i<16; i++) {
+       printf("%02x", $*s[i]) 
+    }
+    printf("\n")
+}
+
+// print 16-byte hmac state
+function print_key_hmac(state) {
+    printf("key hmac state: ");
+    $*s := @cast(state, "unsigned char", "$^exec_path")
+    for (i=0; i<16; i++) {
+       printf("%02x", $*s[i]) 
+    }
+    printf("\n")
+}
+
+// print session ticket content
+function print_session_ticket_key(key) {
+    $*k := @cast(key, "ngx_ssl_session_ticket_key_t", "$^exec_path")
+    print_key_name($*k->name)
+    // should disable by default the two calls below to maintain key confidentiality.
+    print_key_aes($*k->aes_key)
+    print_key_hmac($*k->hmac_key)
+}
+
+probe @pfunc(ngx_ssl_session_ticket_key_callback).return {
+    keys_index = @var("ngx_ssl_session_ticket_keys_index@src/event/ngx_event_openssl.c")
+    num = get_ssl_ex_data_len($ssl_conn->ctx)
+    if (keys_index > num) {
+        printf("Error: ticket key list is not supported")
+
+    } else {
+        keys = get_ssl_ex_data_item($ssl_conn->ctx, keys_index)
+        keys_len = get_ngx_array_len(keys)
+        if (keys_len <= 0) {
+            printf("Error: empty key list")
+
+        } else {
+            key_ptr = get_ngx_array_elts(keys)
+            enc_key = key_ptr
+            last_key = &@cast(key_ptr, "ngx_ssl_session_ticket_key_t", "$^exec_path")[keys_len-1] 
+            printf("keys len %d\n", keys_len)
+            printf("enc key:\n")
+            print_session_ticket_key(enc_key)
+            printf("last dec key:\n")
+            print_session_ticket_key(last_key)
+        }
+    }
+}
+
+probe end {
+    printf("Stop tracing NGX OPENSSL ticket key callback\n")
+    exit()
+}

tapset/nginx/array.sxx

@@ -0,0 +1,12 @@
+// module nginx.array
+
+function get_ngx_array_len(ngx_arr) {
+    $*arr := @cast(ngx_arr, "ngx_array_t", "$^exec_path")
+    return $*arr->nelts
+    
+}
+
+function get_ngx_array_elts(ngx_arr) {
+    $*arr := @cast(ngx_arr, "ngx_array_t", "$^exec_path")
+    return $*arr->elts
+}

tapset/nginx/openssl.sxx

@@ -0,0 +1,19 @@
+// module nginx.openssl
+
+// extract ex_data pointer from openssl SSL_CTX
+function get_ssl_ex_data(ssl_ctx) {
+    $*ctx := @cast(ssl_ctx, "SSL_CTX", "$^exec_path")
+    return &$*ctx->ex_data
+}
+
+// extract number of items in SSL_CTX ex_data
+function get_ssl_ex_data_len(ssl_ctx) {
+    ex_data = get_ssl_ex_data(ssl_ctx)
+    return ex_data->sk->stack->num
+}
+
+// extract the item specified by idx in SSL_CTX ex_data
+function get_ssl_ex_data_item(ssl_ctx, idx) {
+    ex_data = get_ssl_ex_data(ssl_ctx)
+    return ex_data->sk->stack->data[idx]
+}