From my understanding, "elliptic_curves" was used in the past, but TLS 1.3 starts calling it "group" for both ECDHE and DHE.[*1] If the proposed `cqssg` treats `cqssu` as a subset, that matches this naming change. I'd also suggest making `cqssu` deprecated.
For implementation, please note that BoringSSL has different APIs in this area: `SSL_get_group_id` and `SSL_get_group_name`.[*2]

[*1]: https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.7
[*2]: https://github.com/apache/trafficserver/blob/678d786c86d6e7625f97cc85c447a55aeee065be/src/iocore/net/TLSBasicSupport.cc#L229-L239

ー Masaori

On Tue, May 27, 2025 at 7:29 AM Brian Neradt <brian.ner...@gmail.com> wrote:

>
> Hi dev@trafficserver.apache.org,
>
> We use cqssu to log the elliptic curve value for our client side TLS
> connections. We noticed that when testing OpenSSL 3.5 and using a post
> quantum curve from a curl client, namely X25519MLKEM768, that cqssu would
> log `-` as a value. I was curious about this and noticed that
> while SSL_get_shared_curve was returning a valid NID, OBJ_nid2sn, from
> which we get the curve name, did not recognize that nid and thus ATS logged
> `-`. I posted a question about this to the openssl community:
> https://github.com/openssl/openssl/discussions/27694
>
> Their suggestion was to use SSL_get0_group_name. I verified that this API
> does indeed return a valid group name, "X25519MLKEM768", for the KEM group.
>
> My first thought was to modify cqssu to use SSL_get0_group_name if the ssl
> library has it as a definition, but given the description we give for cqssu
> this is likely not correct:
> https://docs.trafficserver.apache.org/en/latest/admin-guide/logging/formatting.en.html#ssl-encryption
>
> We specifically say that it returns the elliptic curve value, not the group
> name. I suggest we add log field cqssg to log the group name for TLS
> connections.
>
> Please let me know if you have other suggestions or concerns.
>
> Thank you,
> Brian Neradt
>
> --
> "Come to Me, all who are weary and heavy-laden, and I will
> give you rest. Take My yoke upon you and learn from Me, for
> I am gentle and humble in heart, and you will find rest for
> your souls. For My yoke is easy and My burden is light."
>
> ~ Matthew 11:28-30