What is the use case for these stats? I can see how the logs might be too noisy, but they don't seem like good candidates for metrics. How would you use these for monitoring?
> On Aug 5, 2014, at 11:34 AM, bri...@apache.org wrote:
>
> Repository: trafficserver
> Updated Branches:
> refs/heads/master b4343175e -> d9aba01de
>
>
> TS-2986: Adding stats to TLS errors
>
>
> Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
> Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/a8070bbb
> Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/a8070bbb
> Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/a8070bbb
>
> Branch: refs/heads/master
> Commit: a8070bbb80f2e709f91d4c8b47d9ded4d55bdcdc
> Parents: b434317
> Author: Brian Geffon <bri...@apache.org>
> Authored: Tue Aug 5 11:34:07 2014 -0700
> Committer: Brian Geffon <bri...@apache.org>
> Committed: Tue Aug 5 11:34:07 2014 -0700
>
> ----------------------------------------------------------------------
> iocore/net/P_SSLUtils.h | 10 ++++++
> iocore/net/SSLNetVConnection.cc | 60 +++++++++++++++++++++++++-----------
> iocore/net/SSLUtils.cc | 28 +++++++++++++++++
> 3 files changed, 80 insertions(+), 18 deletions(-)
> ----------------------------------------------------------------------
>
>
> http://git-wip-us.apache.org/repos/asf/trafficserver/blob/a8070bbb/iocore/net/P_SSLUtils.h
> ----------------------------------------------------------------------
> diff --git a/iocore/net/P_SSLUtils.h b/iocore/net/P_SSLUtils.h
> index b1bf01c..6e44be3 100644
> --- a/iocore/net/P_SSLUtils.h
> +++ b/iocore/net/P_SSLUtils.h
> @@ -69,6 +69,16 @@ enum SSL_Stats
> ssl_total_tickets_not_found_stat,
> ssl_total_tickets_renewed_stat,
>
> + /* error stats */
> + ssl_error_want_write,
> + ssl_error_want_read,
> + ssl_error_want_x509_lookup,
> + ssl_error_syscall,
> + ssl_error_read_eos,
> + ssl_error_zero_return,
> + ssl_error_ssl,
> + ssl_sni_name_set_failure,
> +
> ssl_cipher_stats_start = 100,
> ssl_cipher_stats_end = 300,
>
>
> http://git-wip-us.apache.org/repos/asf/trafficserver/blob/a8070bbb/iocore/net/SSLNetVConnection.cc
> ----------------------------------------------------------------------
> diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
> index 0f4a6b3..d3aa858 100644
> --- a/iocore/net/SSLNetVConnection.cc
> +++ b/iocore/net/SSLNetVConnection.cc
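Review bot: The new enumerators drop the `_stat` suffix that the neighbouring entries carry (`ssl_total_tickets_renewed_stat`), and `ssl_error_ssl` / `ssl_error_syscall` differ from the OpenSSL codes `SSL_ERROR_SSL` / `SSL_ERROR_SYSCALL` only by case, which makes them easy to confuse when grepping. Naming them `ssl_error_ssl_stat`, `ssl_error_syscall_stat` and so on would keep the enum consistent. Since the block sits directly above `ssl_cipher_stats_start = 100`, a comment such as `/* fixed stats must stay below ssl_cipher_stats_start */` would also help; the number of entries already in the enum is not visible in this hunk.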
> @@ -140,22 +140,26 @@ ssl_read_from_net(SSLNetVConnection * sslvc, EThread * > lthread, int64_t &ret)
>
> case SSL_ERROR_WANT_WRITE:
> event = SSL_WRITE_WOULD_BLOCK;
> - Debug("ssl", "[SSL_NetVConnection::ssl_read_from_net] > SSL_ERROR_WOULD_BLOCK(write)");
> + SSL_INCREMENT_DYN_STAT(ssl_error_want_write);
> + Debug("ssl.error", "[SSL_NetVConnection::ssl_read_from_net] > SSL_ERROR_WOULD_BLOCK(write)");
> break;
> case SSL_ERROR_WANT_READ:
> event = SSL_READ_WOULD_BLOCK;
> - Debug("ssl", "[SSL_NetVConnection::ssl_read_from_net] > SSL_ERROR_WOULD_BLOCK(read)");
> + SSL_INCREMENT_DYN_STAT(ssl_error_want_read);
> + Debug("ssl.error", "[SSL_NetVConnection::ssl_read_from_net] > SSL_ERROR_WOULD_BLOCK(read)");
> break;
> case SSL_ERROR_WANT_X509_LOOKUP:
> event = SSL_READ_WOULD_BLOCK;
> - Debug("ssl", "[SSL_NetVConnection::ssl_read_from_net] > SSL_ERROR_WOULD_BLOCK(read/x509 lookup)");
> + SSL_INCREMENT_DYN_STAT(ssl_error_want_x509_lookup);
> + Debug("ssl.error", "[SSL_NetVConnection::ssl_read_from_net] > SSL_ERROR_WOULD_BLOCK(read/x509 lookup)");
> break;
> case SSL_ERROR_SYSCALL:
> + SSL_INCREMENT_DYN_STAT(ssl_error_syscall);
> if (rres != 0) {
> // not EOF
> event = SSL_READ_ERROR;
> ret = errno;
> - Debug("ssl", "[SSL_NetVConnection::ssl_read_from_net] > SSL_ERROR_SYSCALL, underlying IO error: %s", strerror(errno));
> + Debug("ssl.error", "[SSL_NetVConnection::ssl_read_from_net] > SSL_ERROR_SYSCALL, underlying IO error: %s", strerror(errno));
> } else {
> // then EOF observed, treat it as EOS
> event = SSL_READ_EOS;
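Review bot: `SSL_INCREMENT_DYN_STAT(ssl_error_syscall)` sits above the `rres != 0` test, so a peer closing the socket (the EOF branch that sets `SSL_READ_EOS`) is counted as a syscall error, while `ssl_error_read_eos`, which this commit declares and registers, is not incremented in any hunk of the commit. Moving the increment into the `if (rres != 0)` branch and adding `SSL_INCREMENT_DYN_STAT(ssl_error_read_eos);` in the `else` branch would make both counters mean what their names say. The `else` branch and the rest of ssl_read_from_net continue outside the hunk.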
> @@ -164,13 +168,15 @@ ssl_read_from_net(SSLNetVConnection * sslvc, EThread * > lthread, int64_t &ret)
> break;
> case SSL_ERROR_ZERO_RETURN:
> event = SSL_READ_EOS;
> - Debug("ssl", "[SSL_NetVConnection::ssl_read_from_net] > SSL_ERROR_ZERO_RETURN");
> + SSL_INCREMENT_DYN_STAT(ssl_error_zero_return);
> + Debug("ssl.error", "[SSL_NetVConnection::ssl_read_from_net] > SSL_ERROR_ZERO_RETURN");
> break;
> case SSL_ERROR_SSL:
> default:
> event = SSL_READ_ERROR;
> ret = errno;
> - SSLErrorVC(sslvc, "[SSL_NetVConnection::ssl_read_from_net]");
> + SSL_INCREMENT_DYN_STAT(ssl_error_ssl);
> + Debug("ssl.error", "[SSL_NetVConnection::ssl_read_from_net]");
> break;
> } // switch
> break;
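Review bot: In the `SSL_ERROR_SSL` / `default` arm the call `SSLErrorVC(sslvc, ...)` is replaced by a `Debug("ssl.error", ...)` line that carries only the function name, so a protocol-level failure no longer produces any log entry unless the `ssl.error` debug tag is on, and even then without the OpenSSL reason. If SSLErrorVC is also what reads the OpenSSL error queue (its definition is not in this diff), the queue is now left populated, and OpenSSL documents that SSL_get_error() is unreliable when the thread's queue is not empty before the next I/O call. Keeping `SSLErrorVC(sslvc, "[SSL_NetVConnection::ssl_read_from_net]");` after the new increment (or calling `ERR_clear_error()` at that point) avoids both. The same replacement is made in the `SSL_ERROR_SSL` arms of load_buffer_and_write (@@ -432) and sslClientHandShakeEvent (@@ -708).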
> @@ -432,28 +438,37 @@ SSLNetVConnection::load_buffer_and_write(int64_t > towrite, int64_t &wattempted, i
> case SSL_ERROR_WANT_READ:
> needs |= EVENTIO_READ;
> r = -EAGAIN;
> - Debug("ssl", "SSL_write-SSL_ERROR_WANT_READ");
> + SSL_INCREMENT_DYN_STAT(ssl_error_want_read);
> + Debug("ssl.error", "SSL_write-SSL_ERROR_WANT_READ");
> break;
> case SSL_ERROR_WANT_WRITE:
> - case SSL_ERROR_WANT_X509_LOOKUP:
> + case SSL_ERROR_WANT_X509_LOOKUP: {
> + if (SSL_ERROR_WANT_WRITE == err)
> + SSL_INCREMENT_DYN_STAT(ssl_error_want_write);
> + else if (SSL_ERROR_WANT_X509_LOOKUP == err)
> + SSL_INCREMENT_DYN_STAT(ssl_error_want_x509_lookup);
> +
> needs |= EVENTIO_WRITE;
> r = -EAGAIN;
> - Debug("ssl", "SSL_write-SSL_ERROR_WANT_WRITE");
> + Debug("ssl.error", "SSL_write-SSL_ERROR_WANT_WRITE");
> break;
> + }
> case SSL_ERROR_SYSCALL:
> r = -errno;
> - Debug("ssl", "SSL_write-SSL_ERROR_SYSCALL");
> + SSL_INCREMENT_DYN_STAT(ssl_error_syscall);
> + Debug("ssl.error", "SSL_write-SSL_ERROR_SYSCALL");
> break;
> // end of stream
> case SSL_ERROR_ZERO_RETURN:
> r = -errno;
> - Debug("ssl", "SSL_write-SSL_ERROR_ZERO_RETURN");
> + SSL_INCREMENT_DYN_STAT(ssl_error_zero_return);
> + Debug("ssl.error", "SSL_write-SSL_ERROR_ZERO_RETURN");
> break;
> case SSL_ERROR_SSL:
> default:
> r = -errno;
> - Debug("ssl", "SSL_write-SSL_ERROR_SSL");
> - SSLErrorVC(this, "SSL_write");
> + SSL_INCREMENT_DYN_STAT(ssl_error_ssl);
> + Debug("ssl.error", "SSL_write-SSL_ERROR_SSL");
> break;
> }
> return (r);
> @@ -653,7 +668,8 @@ SSLNetVConnection::sslClientHandShakeEvent(int &err)
> if (SSL_set_tlsext_host_name(ssl, options.sni_servername)) {
> Debug("ssl", "using SNI name '%s' for client handshake", > options.sni_servername);
> } else {
> - SSLError("failed to set SNI name '%s' for client handshake", > options.sni_servername);
> + Debug("ssl.error","failed to set SNI name '%s' for client handshake", > options.sni_servername);
> + SSL_INCREMENT_DYN_STAT(ssl_sni_name_set_failure);
> }
> }
> #endif
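Review bot: The combined `SSL_ERROR_WANT_WRITE` / `SSL_ERROR_WANT_X509_LOOKUP` arm now counts the two codes separately but still logs `SSL_write-SSL_ERROR_WANT_WRITE` for both, so the debug trace and the counters disagree when `err` is the X509 lookup code. Giving each label its own arm removes the `if`/`else if` on `err` and lets the second one log `Debug("ssl.error", "SSL_write-SSL_ERROR_WANT_X509_LOOKUP");`. load_buffer_and_write starts, and its switch opens, outside the hunk.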
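Review bot: When `SSL_set_tlsext_host_name()` fails, the `else` branch used to call `SSLError(...)` and now emits only a `Debug("ssl.error", ...)` line, so with default logging the failure is visible solely as a counter. As far as the hunk shows, the client handshake then proceeds without the SNI extension, in which case the origin may answer with a default certificate or virtual host; that deserves an operator-visible message naming the host. Keeping the original `SSLError("failed to set SNI name '%s' for client handshake", options.sni_servername);` next to `SSL_INCREMENT_DYN_STAT(ssl_sni_name_set_failure);` retains it. The surrounding function continues outside the hunk.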
> @@ -679,13 +695,18 @@ SSLNetVConnection::sslClientHandShakeEvent(int &err)
> return EVENT_DONE;
>
> case SSL_ERROR_WANT_WRITE:
> + Debug("ssl.error", "SSLNetVConnection::sslClientHandShakeEvent, > SSL_ERROR_WANT_WRITE");
> + SSL_INCREMENT_DYN_STAT(ssl_error_want_write);
> return SSL_HANDSHAKE_WANT_WRITE;
>
> case SSL_ERROR_WANT_READ:
> + SSL_INCREMENT_DYN_STAT(ssl_error_want_read);
> + Debug("ssl.error", "SSLNetVConnection::sslClientHandShakeEvent, > SSL_ERROR_WANT_READ");
> return SSL_HANDSHAKE_WANT_READ;
>
> case SSL_ERROR_WANT_X509_LOOKUP:
> - Debug("ssl", "SSLNetVConnection::sslClientHandShakeEvent, would block on > read or write");
> + SSL_INCREMENT_DYN_STAT(ssl_error_want_x509_lookup);
> + Debug("ssl.error", "SSLNetVConnection::sslClientHandShakeEvent, > SSL_ERROR_WANT_X509_LOOKUP");
> break;
>
> case SSL_ERROR_WANT_ACCEPT:
> @@ -695,12 +716,14 @@ SSLNetVConnection::sslClientHandShakeEvent(int &err)
> break;
>
> case SSL_ERROR_ZERO_RETURN:
> - Debug("ssl", "SSLNetVConnection::sslClientHandShakeEvent, EOS");
> + SSL_INCREMENT_DYN_STAT(ssl_error_zero_return);
> + Debug("ssl.error", "SSLNetVConnection::sslClientHandShakeEvent, EOS");
> return EVENT_ERROR;
>
> case SSL_ERROR_SYSCALL:
> err = errno;
> - Debug("ssl", "SSLNetVConnection::sslClientHandShakeEvent, syscall");
> + SSL_INCREMENT_DYN_STAT(ssl_error_syscall);
> + Debug("ssl.error", "SSLNetVConnection::sslClientHandShakeEvent, > syscall");
> return EVENT_ERROR;
> break;
>
> @@ -708,7 +731,8 @@ SSLNetVConnection::sslClientHandShakeEvent(int &err)
> case SSL_ERROR_SSL:
> default:
> err = errno;
> - SSLErrorVC(this, "sslClientHandShakeEvent");
> + SSL_INCREMENT_DYN_STAT(ssl_error_ssl);
> + Debug("ssl.error", "SSLNetVConnection::sslClientHandShakeEvent, > SSL_ERROR_SSL");
> return EVENT_ERROR;
> break;
>
>
> http://git-wip-us.apache.org/repos/asf/trafficserver/blob/a8070bbb/iocore/net/SSLUtils.cc
> ----------------------------------------------------------------------
> diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
> index 1576c6d..0d85a49 100644
> --- a/iocore/net/SSLUtils.cc
> +++ b/iocore/net/SSLUtils.cc
> @@ -664,6 +664,34 @@ SSLInitializeStatistics()
> RECD_INT, RECP_PERSISTENT, (int) > ssl_total_tickets_renewed_stat,
> RecRawStatSyncCount);
>
> +
> + /* error stats */
> + RecRegisterRawStat(ssl_rsb, RECT_PROCESS, > "proxy.process.ssl.ssl_error_want_write",
> + RECD_INT, RECP_PERSISTENT, (int) ssl_error_want_write,
> + RecRawStatSyncCount);
> + RecRegisterRawStat(ssl_rsb, RECT_PROCESS, > "proxy.process.ssl.ssl_error_want_read",
> + RECD_INT, RECP_PERSISTENT, (int) ssl_error_want_read,
> + RecRawStatSyncCount);
> + RecRegisterRawStat(ssl_rsb, RECT_PROCESS, > "proxy.process.ssl.ssl_error_want_x509_lookup",
> + RECD_INT, RECP_PERSISTENT, (int) > ssl_error_want_x509_lookup,
> + RecRawStatSyncCount);
> + RecRegisterRawStat(ssl_rsb, RECT_PROCESS, > "proxy.process.ssl.ssl_error_syscall",
> + RECD_INT, RECP_PERSISTENT, (int) ssl_error_syscall,
> + RecRawStatSyncCount);
> + RecRegisterRawStat(ssl_rsb, RECT_PROCESS, > "proxy.process.ssl.ssl_error_read_eos",
> + RECD_INT, RECP_PERSISTENT, (int) ssl_error_read_eos,
> + RecRawStatSyncCount);
> + RecRegisterRawStat(ssl_rsb, RECT_PROCESS, > "proxy.process.ssl.ssl_error_zero_return",
> + RECD_INT, RECP_PERSISTENT, (int) ssl_error_zero_return,
> + RecRawStatSyncCount);
> + RecRegisterRawStat(ssl_rsb, RECT_PROCESS, > "proxy.process.ssl.ssl_error_ssl",
> + RECD_INT, RECP_PERSISTENT, (int) ssl_error_ssl,
> + RecRawStatSyncCount);
> + RecRegisterRawStat(ssl_rsb, RECT_PROCESS, > "proxy.process.ssl.ssl_sni_name_set_failure",
> + RECD_INT, RECP_PERSISTENT, (int) > ssl_sni_name_set_failure,
> + RecRawStatSyncCount);
> +
> +
> // Get and register the SSL cipher stats. Note that we are using the > default SSL context to obtain
> // the cipher list. This means that the set of ciphers is fixed by the > build configuration and not
> // filtered by proxy.config.ssl.server.cipher_suite. This keeps the set of > cipher suites stable across
>