Hi dev@trafficserver.apache.org,

We use cqssu to log the elliptic curve value for our client side TLS connections. We noticed that when testing OpenSSL 3.5 and using a post quantum curve from a curl client, namely X25519MLKEM768, cqssu would log `-` as a value. I was curious about this and noticed that while SSL_get_shared_curve was returning a valid NID, OBJ_nid2sn, from which we get the curve name, did not recognize that NID and thus ATS logged `-`. I posted a question about this to the OpenSSL community:

https://github.com/openssl/openssl/discussions/27694

Their suggestion was to use SSL_get0_group_name. I verified that this API does indeed return a valid group name, "X25519MLKEM768", for the KEM group. My first thought was to modify cqssu to use SSL_get0_group_name if the SSL library has it as a definition, but given the description we give for cqssu this is likely not correct:

https://docs.trafficserver.apache.org/en/latest/admin-guide/logging/formatting.en.html#ssl-encryption

We specifically say that it returns the elliptic curve value, not the group name. I suggest we add a log field, cqssg, to log the group name for TLS connections.

Please let me know if you have other suggestions or concerns.

Thank you,
Brian Neradt

--
"Come to Me, all who are weary and heavy-laden, and I will give you rest. Take My yoke upon you and learn from Me, for I am gentle and humble in heart, and you will find rest for your souls. For My yoke is easy and My burden is light." ~ Matthew 11:28-30