Add support for TLS protocol tracing #2096
Signed-off-by: Dom Del Nano <[email protected]>
@@ -195,7 +195,7 @@ struct Frame : public FrameBase { | |||
|
|||
HandshakeType handshake_type; | |||
|
|||
uint24_t handshake_length; | |||
uint24_t handshake_length = uint24_t(0); |
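Review bot: HandshakeType handshake_type, two lines above the changed member, is still declared without an initializer while handshake_length now gets uint24_t(0). If the compiler complaint is about an uninitialized member of Frame, give handshake_type a default value in the same change so the struct never carries indeterminate fields.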
GCC fails if this isn't initialized (buildbuddy failure)
@@ -60,6 +60,46 @@ static __inline enum message_type_t infer_http_message(const char* buf, size_t c | |||
return kUnknown; | |||
} | |||
|
|||
static __inline enum message_type_t infer_tls_message(const char* buf, size_t count) { |
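Review bot: infer_tls_message(const char* buf, size_t count) is added without a comment stating the minimum count it needs and which record and handshake bytes it matches. Document both above the signature, and have the body return kUnknown before any read whenever count is smaller than the highest index it inspects.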
Have you run the confusion matrix analysis on this? @chengruizhe had done some work there.
You're looking at multiple bytes, so I'm hoping it'll be okay, but still wondering if it conflicts with detection of other protocols.
I have not since I was assuming until #2095 is implemented that this would always be disabled by default. I'm pretty familiar with the confusion matrix since I ported running it to bazel. I'll add this logic there and see the resulting matrix.
Unfortunately New Relic wasn't able to share the entire data set used to generate the current matrix, so the matrices below are based on the subset they provided me with packet captures I collected to fill in the gaps.
Here were the code changes to generate the "after tls matrix"
// TODO(ddelnano): TLS tracing should be handled differently in the future as we want to be able | ||
// to trace the handshake and the application data separately (gh#2095). The current connection | ||
// tracker model only works with one or the other, meaning if TLS tracing is enabled, tracing the | ||
// plaintext within an encrypted conn will not work. ENABLE_TLS_TRACING will default to false | ||
// until this is revisted. |
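Review bot: typo in the last line of the TODO, "revisted" should be "revisited". Since the comment says that enabling ENABLE_TLS_TRACING stops the plaintext inside an encrypted connection from being traced, the same caveat belongs in the flag's help text so operators see it without reading the source.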
It would make sense that we won't infer any of the encrypted traffic, but are you also saying the uprobes on the SSL libraries won't capture the plaintext with this flag on?
Sort of. The plaintext is never successfully parsed because the connection is labeled kProtocolTLS and won't be parsed as the application protocol.
Since the TLS library negotiates the handshake through functions that aren't probed (non SSL_write, SSL_read functions), the TLS handshake data will "win" and consist of the first bytes in the data stream buffer. I verified that the openssl_trace_bpf_test tests fail if --stirling_enable_tls_tracing is enabled and have the conn trace pid logs below (via FLAGS_stirling_conn_trace_pid):
openssl_trace_bpf_test conn trace output
I20250203 21:25:33.521659 3980289 container_runner.cc:175] Container curl_2541072018464015 process PID: 3980567
I20250203 21:25:33.521713 3980289 container_runner.cc:177] Container curl_2541072018464015 waiting for log message:
I20250203 21:25:33.530438 3980526 conn_tracker.cc:466] conn_id=[upid=3980459:254101528 fd=3 gen=2541072183195408] state=kCollecting remote_addr=-:-1 role=kRoleUnknown protocol=kProtocolUnknown ssl=false New connection tracker
I20250203 21:25:33.530519 3980526 conn_tracker.cc:476] conn_id=[upid=3980459:254101528 fd=3 gen=2541072183195408] state=kCollecting remote_addr=127.0.0.1:59456 role=kRoleUnknown protocol=kProtocolUnknown ssl=false RemoteAddr updated 127.0.0.1, reason=[Inferred from conn_open.]
I20250203 21:25:33.530540 3980526 conn_tracker.cc:487] conn_id=[upid=3980459:254101528 fd=3 gen=2541072183195408] state=kCollecting remote_addr=127.0.0.1:59456 role=kRoleUnknown protocol=kProtocolUnknown ssl=false LocalAddr updated 127.0.0.1, reason=[Inferred from conn_open.]
I20250203 21:25:33.530556 3980526 conn_tracker.cc:507] conn_id=[upid=3980459:254101528 fd=3 gen=2541072183195408] state=kCollecting remote_addr=127.0.0.1:59456 role=kRoleUnknown protocol=kProtocolUnknown ssl=false Role updated kRoleUnknown -> kRoleServer, reason=[Inferred from conn_open.]]
I20250203 21:25:33.530581 3980526 conn_tracker.cc:110] conn_id=[upid=3980459:254101528 fd=3 gen=2541072183195408] state=kCollecting remote_addr=127.0.0.1:59456 role=kRoleServer protocol=kProtocolUnknown ssl=false conn_open: [type=kConnOpen ts=2541072183196759 conn_id=[upid=3980459:254101528 fd=3 gen=2541072183195408] source_fn=kSyscallAccept [addr=[family=2 addr=127.0.0.1 port=16616]]]
I20250203 21:25:33.558220 3980597 uprobe_manager.cc:1014] Number of uprobes deployed = 9
I20250203 21:25:33.567265 3980289 container_runner.cc:189] Container curl_2541072018464015 status: running
I20250203 21:25:33.567304 3980289 container_runner.cc:225] Container curl_2541072018464015 is ready.
I20250203 21:25:33.790971 3980526 conn_tracker.cc:535] conn_id=[upid=3980459:254101528 fd=3 gen=2541072183195408] state=kCollecting remote_addr=127.0.0.1:59456 role=kRoleServer protocol=kProtocolTLS ssl=false Protocol changed: kProtocolUnknown->kProtocolTLS, reason=[inferred from data_event]
I20250203 21:25:33.791034 3980526 conn_tracker.cc:153] conn_id=[upid=3980459:254101528 fd=3 gen=2541072183195408] state=kCollecting remote_addr=127.0.0.1:59456 role=kRoleServer protocol=kProtocolTLS ssl=false Data event: attr:[[ts=2541072383389940 conn_id=[upid=3980459:254101528 fd=3 gen=2541072183195408] protocol=kProtocolTLS role=kRoleServer dir=kIngress ssl=false source_fn=kSyscallRead pos=1 size=517 buf_size=517]] msg_size:517 msg:[\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03\x08w\xCD\xA7)\xAB\x9B\xEA\x04\xD0\x81\xA0\xDC\x1E\xD7\x053\x0EN!;\x8D\xD5\xB8?\x89:\x0BS\x8C\xC6f \x8CU\xA5\x1A\xA9\xCA\xFAl-P2\xCE\xBB\xA9L\x00G|Q\xD1!\x14>\x18\xF7e\xAA\x8C\x84\x83\x03r\x00>\x13\x02\x13\x03\x13\x01\xC0,\xC00\x00\x9F\xCC\xA9\xCC\xA8\xCC\xAA\xC0+\xC0/\x00\x9E\xC0$\xC0(\x00k\xC0#\xC0'\x00g\xC0\x0A\xC0\x14\x009\xC0\x09\xC0\x13\x003\x00\x9D\x00\x9C\x00=\x00<\x005\x00/\x00\xFF\x01\x00\x01u\x00\x0B\x00\x04\x03\x00\x01\x02\x00\x0A\x00\x0C\x00\x0A\x00\x1D\x00\x17\x00\x1E\x00\x19\x00\x18\x00\x10\x00\x0E\x00\x0C\x02h2\x08http/1.1\x00\x16\x00\x00\x00\x17\x00\x00\x001\x00\x00\x00\x0D\x000\x00.\x04\x03\x05\x03\x06\x03\x08\x07\x08\x08\x08\x09\x08\x0A\x08\x0B\x08\x04\x08\x05\x08\x06\x04\x01\x05\x01\x06\x01\x03\x03\x02\x03\x03\x01\x02\x01\x03\x02\x02\x02\x04\x02\x05\x02\x06\x02\x00+\x00\x09\x08\x03\x04\x03\x03\x03\x02\x03\x01\x00-\x00\x02\x01\x01\x003\x00&\x00$\x00\x1D\x00 \x1C\xF5\xEA\xE9\xF6\xB0\x13\x07.\xD0\x0E 
\xAC\x13\xD4@f!\x8A^\xC7\xF2/qX\x84\x9A\xFA\x11\xAC\x1E~\x00\x15\x00\xCA\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00]
I20250203 21:25:33.791465 3980526 conn_tracker.cc:153] conn_id=[upid=3980459:254101528 fd=3 gen=2541072183195408] state=kCollecting remote_addr=127.0.0.1:59456 role=kRoleServer protocol=kProtocolTLS ssl=false Data event: attr:[[ts=2541072385860240 conn_id=[upid=3980459:254101528 fd=3 gen=2541072183195408] protocol=kProtocolTLS role=kRoleServer dir=kEgress ssl=false source_fn=kSyscallWrite pos=0 size=1592 buf_size=1592]] msg_size:1592 msg:[\x16\x03\x03\x00l\x02\x00\x00h\x03\x03\xCC\xE4\x19\xBD\xCC\x8E\xF3\xC4W:;Y\xEDY\xCB\xCE\xD6\x18\x1A\x91\xC7\x91\xA5H\xE9\x10\x15- \xEB:\x85 \xB8\x8B\x1A\xD7"\x18\xD0O\xC7\x08\x90\xA4\xB5\xFD4Q\xC0\xAAb(vT\xF8TO-|a\xBC)fy\xC00\x00\x00 \xFF\x01\x00\x01\x00\x00\x0B\x00\x04\x03\x00\x01\x02\x00\x10\x00\x0B\x00\x09\x08http/1.1\x00\x17\x00\x00\x16\x03\x03\x04\x88\x0B\x00\x04\x84\x00\x04\x81\x00\x04~0\x82\x04z0\x82\x02b\xA0\x03\x02\x01\x02\x02\x03\x09\xFB\xF10\x0D\x06\x09*\x86H\x86\xF7\x0D\x01\x01\x0B\x05\x000T1\x0B0\x09\x06\x03U\x04\x06\x13\x02US1\x130\x11\x06\x03U\x04\x08\x13\x0ACalifornia1\x160\x14\x06\x03U\x04\x07\x13\x0DSan Francisco1\x180\x16\x06\x03U\x04\x0A\x13\x0FPixie Labs Inc.0\x1E\x17\x0D250203192322Z\x17\x0D260203192322Z0T1\x0B0\x09\x06\x03U\x04\x06\x13\x02US1\x130\x11\x06\x03U\x04\x08\x13\x0ACalifornia1\x160\x14\x06\x03U\x04\x07\x13\x0DSan Francisco1\x180\x16\x06\x03U\x04\x0A\x13\x0FPixie Labs Inc.0\x82\x01"0\x0D\x06\x09*\x86H\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x000\x82\x01\x0A\x02\x82\x01\x01\x00\xCA\xDE\xDB-?\x01\xD3\xEC\x13\x08\xCF\xC1\xE4L\xAE\xFApfH\x82n\x83\x0A\x8F\xF9Y\xB3\xFC\xB7g\,jf'\x15w\xA1 
\xC1\xA6ZN\xE3\xA8\x99\xD9z)\xD0\xF4F\xE5\xABo\xCD\xAF,\x16\x0A\xB7*K\xCF\xB5E9l\x07p\xA34\xA4\xD73\x13\xD0.\x85\x07\xA8\xDBd\x03\x94R8\xE0\x12M\xB3O\xD2\xC2\x14$9-\xE2\xF4\xA9\x0A=\xD2;\x87e\x8B\x19\xB13\x1B6\xDB*\x9A(C\x03\x9C\xD99\xC4\x06\xF8Wf\x83}x\x11\x00g\xB9\xD1.q\x8ET\xB9\xD9t\x03\xDA\x14\x17\x95L\xA5g[e\xB5\xCF\xE9Y?\xEEf\x19\x14\x83\xC4\x07\x02\x80\xF2SH\x1C\x1D\xC3@a%L\xF5\xE4\xFB\xB2\xC4\x7FI#\x8D\xAB\x09P#}?\\xDD\xDF\xB7\xF9N\x85\xDB\xE0@\xBF\x92$?\xF0\x00\xC8\xAB|5g\xD7\xBF\x04S3\xE7\xB8(\xEB\x8CJo\x1FQ\xA9\xA2`IF\xDF\x0F\x83\x8B\xD8\x95\\xD8\x8B\xEB\x05\x7Fvh\x08\xBA.\xB1P~\xBE\xC3\x1Bh\xD3\x02\x03\x01\x00\x01\xA3U0S0\x0E\x06\x03U\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x05\xA00\x1D\x06\x03U\x1D%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x02\x06\x08+\x06\x01\x05\x05\x07\x03\x010\x0C\x06\x03U\x1D\x13\x01\x01\xFF\x04\x020\x000\x14\x06\x03U\x1D\x11\x04\x0D0\x0B\x82\x09localhost0\x0D\x06\x09*\x86H\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x02\x01\x00\xB5\x83\x80Y\xCD\xAB\x11\xAA \x0C\xA2\x9F,\xC6\xDEs\xF4\x82A\xA6\\xBD\x02$\xE3R3U\x01\xFCI\xFB\xA9vr\x99V\x84D\x91s\x0E\xE7\xBA\xE4Y~\x19\xCE\x86\xC1\x07\xA5I\x1B\xB5H=\xC0\x9Fd\xB0\xA0\x11\x89z\xC1}Z\xF0\xBEn\xF4\x93\xEA\xE2\xA2\xC5\x98e\xA6{\xC0c\xC4\xD7-\x18\x08E\xF7\xEA\x11\x01\xB0\x1A\x91\xBD7\xF50\x8A\xC2\xA3\xAD_/\xFB\xD8>\xA6\xD4\xFFc!\xC4\x92\xBC\xE1\xBA&\x07n\xB9\x82\x8E 
\xD4\xD6\xF9;9d4\xB2kS\xD0\xB1\xF3{Qf\xE9z\xCA\x9D\xCB\x13\x0A\x9F\x10t\xF2S\xED\xA2&\x91*\xC6\x02\xEDpV\xD3zw\xFB%Xo\xDA\xE8\xA6\xCA\xD2\xF6wMp\xCB\xAE\x14\x1Dw\x98;\x1F\x8F^_Yf\x81\x96}\xB9\x82r\xB5\x1Bb\xA8H\x9B\x98\xF7\x09\x150n\x81\xA3j\xAB\xFD\xA53\xCC\xEF\x8B;SB\x9C\xAA%TV\x1F\xB3\x9B\x88\xED\xFE\xEF\x96\xD71\x98l\xDC\xCE\x91\S\xA1\xB2\x8E\xF1\xB5\xDCt\xE8\xE1\xDD\xA0\xC1.[\xB8kL9\x89\x07+\xE9S\xCE\xD6\xDD\x8F\xB69H\xF6\xFE\x1D:\xC8\x88k[]\x8Fm\x0A4B|\x82S\xC3\x81\x10\xEA\xE3\x1A\xA8\x02\xAD\x18\xCA"\xDC&Jz\xE24X2\xAEl\xEBy\xD3>Tw\xB5\xCB\x14\xECR\x9A!\xD8@\x9DEm\x86\xFFPv+\xFFO\x01\x85\xECy\xAAt\xE9\xE1p\xF7\xB0\xB1\x98\xADm\x08 \x0B\x99\xDBA\x9C[A\x90\x8BAJ\xE0}\x10"\xA10\x8B*\xD5\xB0\xF6F#\xC7\xFE?\xE6\xE8\x95,\x82\xDCp\xAD\xC2HZ\xCA\xBF\x04\x9BI\xA1L\xF2\xDC\x0EQ\x08\xF3P\x93\x03+\xCB\xF9\xBA=\x1A\xA3,\x85Tv\x05\x8DS\x1D\xC7\xB9N}\x87\x06#\xC3\x03\xB4W\xCDK~\xB3O\x8D\x1E\xD0\xD4\x95\xD2\xA7\xFB\xA5\xB5V\xB6\x1A#\x99\x8D\x06&w\xC6<\xE2\xAB\xFB\xD7{\xDC\xF9w\xA0\xA6\xA5\x05ft\x8D\xC9\x84\xFB\xA0@B\xD9\x13\xED\x8A)\x06\x0E^1H\x08Lo\x85\x12\xF0Y\xBB\x869\xF1:\xF9\xCFz\x09?\x16\x03\x03\x01,\x0C\x00\x01(\x03\x00\x1D \x15\xE4\x02\x06\xAB\xC0Q\x16\x13F\xF2Z\xBA\xB1S\xA8T]\x83\xFE\xB51!k%"\xAE\xBE\xF6\x97\xA4G\x08\x04\x01\x00o,\xCA\x06\x12\x87P\x1C\xA9qIe]J8N.1J\xC8\xFE%\x1E\xB0J\x8A\xF7\x96\xA3\xB7\x04~\xA0\xD7]\x1EU\xABQ\xC1C\xC9r\xAA!?\xFD\xD1W\x07\xA6\xF9j \x17>`Zfv\x88\xC3#\x9D\xC9w\xA0\x85o\x85I\x08\xCA\xF0Wu7a'\xAB\xDE\x06\xE3\x86\x881\x04}\xC0\xCF\xB8\xA67\xDB \xDA\xEF\xED\xF1\xCF\x09\x07\x16\xB3]a'#\xCC~\xE3\x08aJ\xC1i*\xBB]\x16\x8Dk\x00\x89!`5\xE5\xD4\x89\x19\x01s\x92Gu\x05\x96kN\xAC\xD5\xBA\xC4\xED\xF4\xAA\x02Kp\xC1\xCD\x99\xBA\xC8\x05+_\xA8\xBE\x9Cf\xCDT\xEF\xCBJD$\xAEX\x17\xD1wI\x97W\x93J\xF0`Yr\xAB\xC1}\xD0\xE4\xC78\x83B[~\x09b\xA2\x0Ec{s\x83c\x98\xBC\xCE\xD3X\xD6\xA4\xC0x7"<k\xAA\xD8\x8C\xA3\xA7w\xDCZ\xC5\x83!\xE88\xC0r\xF1\x88\x93\x85\xC9y\x87h\x9F\xDE\xB1\xC1\x8A\xA2A\x1BT\x9Cy{`\xBD\x07\xAC\xB7\x16\x03\x03\x00\x04\x0E\x00\x00\x00]
I20250203 21:25:33.792270 3980526 conn_tracker.cc:153] conn_id=[upid=3980459:254101528 fd=3 gen=2541072183195408] state=kCollecting remote_addr=127.0.0.1:59456 role=kRoleServer protocol=kProtocolTLS ssl=false Data event: attr:[[ts=2541072387023788 conn_id=[upid=3980459:254101528 fd=3 gen=2541072183195408] protocol=kProtocolTLS role=kRoleServer dir=kIngress ssl=false source_fn=kSyscallRead pos=518 size=93 buf_size=93]] msg_size:93 msg:[\x16\x03\x03\x00%\x10\x00\x00! \xB3\x81E7\xFC\xA8z\xF0p\x07\xFBZ\xDBE\xEF\x10\xC1\xA4\xA1\xA8bl\xD2\xF3\x1F\x1C\xF6s\xD0U\xBF)\x14\x03\x03\x00\x01\x01\x16\x03\x03\x00(\x16\xCA\xE6\x02\b\xB95\x038\x81@\xA84\x09\xB7\xE9rBk\xCF\xBD3[\x15H\xA7h\x1AvQc\xDE\xE0\xA8\xA6\xF5\xE4s\xF5]
I20250203 21:25:33.792384 3980526 conn_tracker.cc:153] conn_id=[upid=3980459:254101528 fd=3 gen=2541072183195408] state=kCollecting remote_addr=127.0.0.1:59456 role=kRoleServer protocol=kProtocolTLS ssl=false Data event: attr:[[ts=2541072387662841 conn_id=[upid=3980459:254101528 fd=3 gen=2541072183195408] protocol=kProtocolTLS role=kRoleServer dir=kEgress ssl=false source_fn=kSyscallWrite pos=1592 size=51 buf_size=51]] msg_size:51 msg:[\x14\x03\x03\x00\x01\x01\x16\x03\x03\x00(\x99\x88q*\x95.6Q\xF6T\x1F`N,\x88\x0D\xD0\xCC'\x9E8\xB6i\x097\xC5\xD2\x02\xCF\xE9\xA1\xC8\x19\x89m(\xA3\xB9\x10\x04]
I20250203 21:25:33.792479 3980526 conn_tracker.cc:564] conn_id=[upid=3980459:254101528 fd=3 gen=2541072183195408] state=kCollecting remote_addr=127.0.0.1:59456 role=kRoleServer protocol=kProtocolTLS ssl=true SSL state changed: false->true, reason=[inferred from data_event]
I20250203 21:25:33.792501 3980526 conn_tracker.cc:153] conn_id=[upid=3980459:254101528 fd=3 gen=2541072183195408] state=kCollecting remote_addr=127.0.0.1:59456 role=kRoleServer protocol=kProtocolTLS ssl=true Data event: attr:[[ts=2541072388262641 conn_id=[upid=3980459:254101528 fd=3 gen=2541072183195408] protocol=kProtocolTLS role=kRoleServer dir=kIngress ssl=true source_fn=kSSLRead pos=611 size=87 buf_size=87]] msg_size:87 msg:[GET /index.html HTTP/1.1\x0D\x0AHost: 127.0.0.1\x0D\x0AUser-Agent: curl/7.87.0-DEV\x0D\x0AAccept: */*\x0D\x0A\x0D\x0A]
I20250203 21:25:33.792572 3980526 conn_tracker.cc:153] conn_id=[upid=3980459:254101528 fd=3 gen=2541072183195408] state=kCollecting remote_addr=127.0.0.1:59456 role=kRoleServer protocol=kProtocolTLS ssl=true Data event: attr:[[ts=2541072388551573 conn_id=[upid=3980459:254101528 fd=3 gen=2541072183195408] protocol=kProtocolTLS role=kRoleServer dir=kEgress ssl=true source_fn=kSSLWrite pos=1643 size=843 buf_size=843]] msg_size:843 msg:[HTTP/1.1 200 OK\x0D\x0AServer: nginx/1.23.3\x0D\x0ADate: Mon, 03 Feb 2025 21:25:33 GMT\x0D\x0AContent-Type: text/html\x0D\x0AContent-Length: 612\x0D\x0ALast-Modified: Thu, 01 Jan 1970 00:00:00 GMT\x0D\x0AConnection: keep-alive\x0D\x0AETag: "0-264"\x0D\x0AAccept-Ranges: bytes\x0D\x0A\x0D\x0A<!DOCTYPE html>\x0A<html>\x0A<head>\x0A<title>Welcome to nginx!</title>\x0A<style>\x0A body {\x0A width: 35em;\x0A margin: 0 auto;\x0A font-family: Tahoma, Verdana, Arial, sans-serif;\x0A }\x0A</style>\x0A</head>\x0A<body>\x0A<h1>Welcome to nginx!</h1>\x0A<p>If you see this page, the nginx web server is successfully installed and\x0Aworking. Further configuration is required.</p>\x0A\x0A<p>For online documentation and support please refer to\x0A<a href="http://nginx.org/">nginx.org</a>.<br/>\x0ACommercial support is available at\x0A<a href="http://nginx.com/">nginx.com</a>.</p>\x0A\x0A<p><em>Thank you for using nginx.</em></p>\x0A</body>\x0A</html>\x0A]
I20250203 21:25:33.792704 3980526 conn_tracker.cc:139] conn_id=[upid=3980459:254101528 fd=3 gen=2541072183195408] state=kCollecting remote_addr=127.0.0.1:59456 role=kRoleServer protocol=kProtocolTLS ssl=true conn_close: [type=kConnClose ts=2541072389220805 conn_id=[upid=3980459:254101528 fd=3 gen=2541072183195408] source_fn=kSyscallClose [wr_bytes=2486 rd_bytes=698]]
I20250203 21:25:33.792743 3980526 conn_tracker.cc:614] conn_id=[upid=3980459:254101528 fd=3 gen=2541072183195408] state=kCollecting remote_addr=127.0.0.1:59456 role=kRoleServer protocol=kProtocolTLS ssl=true Marked for death, countdown=3
I20250203 21:25:33.792831 3980526 conn_tracker.cc:200] conn_id=[upid=3980459:254101528 fd=3 gen=2541072183195408] state=kCollecting remote_addr=127.0.0.1:59456 role=kRoleServer protocol=kProtocolTLS ssl=true ConnStats timestamp=2541072389224740 wr=2486 rd=698 close=2
I20250203 21:25:33.794690 3980526 conn_tracker.h:274] conn_id=[upid=3980459:254101528 fd=3 gen=2541072183195408] state=kTransferring remote_addr=127.0.0.1:59456 role=kRoleServer protocol=kProtocolTLS ssl=true req_frames=1 resp_frames=1
I20250203 21:25:33.794739 3980526 conn_tracker.h:291] conn_id=[upid=3980459:254101528 fd=3 gen=2541072183195408] state=kTransferring remote_addr=127.0.0.1:59456 role=kRoleServer protocol=kProtocolTLS ssl=true records=1
I20250203 21:25:33.794878 3980526 conn_tracker.cc:818] conn_id=[upid=3980459:254101528 fd=3 gen=2541072183195408] state=kTransferring remote_addr=127.0.0.1:59456 role=kRoleServer protocol=kProtocolTLS ssl=true Death countdown=2
I20250203 21:25:33.924036 3980526 conn_tracker.h:274] conn_id=[upid=3980459:254101528 fd=3 gen=2541072183195408] state=kTransferring remote_addr=127.0.0.1:59456 role=kRoleServer protocol=kProtocolTLS ssl=true req_frames=1 resp_frames=1
I20250203 21:25:33.924098 3980526 conn_tracker.h:291] conn_id=[upid=3980459:254101528 fd=3 gen=2541072183195408] state=kTransferring remote_addr=127.0.0.1:59456 role=kRoleServer protocol=kProtocolTLS ssl=true records=0
I20250203 21:25:33.924150 3980526 conn_tracker.cc:818] conn_id=[upid=3980459:254101528 fd=3 gen=2541072183195408] state=kTransferring remote_addr=127.0.0.1:59456 role=kRoleServer protocol=kProtocolTLS ssl=true Death countdown=1
I20250203 21:25:34.051276 3980289 nginx_worker_pid.h:37] Worker thread PID: 3980459
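The ordering effect described in this comment, as an added example that is not Pixie's infer_tls_message or its connection tracker: a simplified first-match labeller run over the leading bytes of the first five data events in the trace above. The is_http_get stand-in, the type names and the record-length cap check are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum proto { PROTO_UNKNOWN = 0, PROTO_TLS, PROTO_HTTP };
struct event { const unsigned char *buf; size_t len; };

/* TLS handshake record: content_type(1)=22, legacy_version(2), length(2),
 * then handshake_type(1): 1 = ClientHello, 2 = ServerHello. */
static int is_tls_hello(const unsigned char *b, size_t n) {
  if (b == NULL || n < 6) return 0;               /* never read past the capture */
  if (b[0] != 0x16) return 0;                     /* not a handshake record */
  uint16_t version = (uint16_t)((b[1] << 8) | b[2]);
  if (version < 0x0300 || version > 0x0304) return 0;
  uint16_t rec_len = (uint16_t)((b[3] << 8) | b[4]);
  if (rec_len == 0 || rec_len > 16384) return 0;  /* plaintext record cap: 2^14 */
  return b[5] == 0x01 || b[5] == 0x02;
}

/* Hypothetical stand-in for an application-protocol check. */
static int is_http_get(const unsigned char *b, size_t n) {
  return b != NULL && n >= 4 && memcmp(b, "GET ", 4) == 0;
}

/* Simplified model: the first event matching any enabled rule fixes the
 * connection label; later events are not re-inferred. */
static enum proto label_connection(const struct event *ev, size_t n,
                                   int tls_enabled, size_t *idx) {
  for (size_t i = 0; i < n; i++) {
    enum proto p = PROTO_UNKNOWN;
    if (tls_enabled && is_tls_hello(ev[i].buf, ev[i].len)) p = PROTO_TLS;
    else if (is_http_get(ev[i].buf, ev[i].len)) p = PROTO_HTTP;
    if (p != PROTO_UNKNOWN) {
      if (idx) *idx = i;
      return p;
    }
  }
  return PROTO_UNKNOWN;
}

/* Leading bytes of the first five data events in the trace, in order:
 * syscall read, syscall write, syscall read, syscall write, SSL_read. */
static const unsigned char EV0[] = {0x16,0x03,0x01,0x02,0x00,0x01,0x00,0x01,0xFC,0x03,0x03};
static const unsigned char EV1[] = {0x16,0x03,0x03,0x00,0x6C,0x02,0x00,0x00,0x68,0x03,0x03};
static const unsigned char EV2[] = {0x16,0x03,0x03,0x00,0x25,0x10,0x00,0x00,0x21};
static const unsigned char EV3[] = {0x14,0x03,0x03,0x00,0x01,0x01};
static const unsigned char EV4[] = "GET /index.html HTTP/1.1\r\n";

static const struct event TRACE[] = {
  {EV0, sizeof EV0}, {EV1, sizeof EV1}, {EV2, sizeof EV2},
  {EV3, sizeof EV3}, {EV4, sizeof EV4 - 1},
};
#define TRACE_LEN (sizeof TRACE / sizeof TRACE[0])

int main(void) {
  size_t at = 0;
  enum proto on = label_connection(TRACE, TRACE_LEN, 1, &at);
  printf("tls tracing on:  label=%d at event %zu\n", (int)on, at);
  enum proto off = label_connection(TRACE, TRACE_LEN, 0, &at);
  printf("tls tracing off: label=%d at event %zu\n", (int)off, at);
  return 0;
}
```

With TLS inference enabled the ClientHello in the first syscall read fixes the label before the SSL_read plaintext arrives; with it disabled the first match is the HTTP request at the fifth event.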
{"req_type", "The type of request from the TLS record (Client/ServerHello, etc.)", | ||
types::DataType::INT64, | ||
types::SemanticType::ST_NONE, | ||
types::PatternType::GENERAL_ENUM}, | ||
{"version", "Version of TLS record", | ||
types::DataType::INT64, | ||
types::SemanticType::ST_NONE, | ||
types::PatternType::GENERAL_ENUM}, | ||
{"extensions", "Extensions in the TLS record", | ||
types::DataType::STRING, | ||
types::SemanticType::ST_NONE, | ||
types::PatternType::GENERAL}, |
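Review bot: the description of the version column, "Version of TLS record", does not say which version is stored. A handshake frame carries both a record-layer legacy version and a handshake version, so name the one this column holds. The req_type description also lists ServerHello under "type of request"; wording such as "handshake type" would cover both directions.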
Do you have examples of the records we would see? Is version and extensions valid on all those records?
This gist shows the output from stirling_wrapper (also copied below). Note that the content type and version fields will have carnot function support that turns their integer representations into human-readable strings. I already have that completed, but wanted to make that its own PR.
record=[
req=[TLS Frame [len=216 content_type=22 legacy_version=769 handshake_version=771 handshake_type=1 extensions={"server_name":"[\"google.com\"]"}]
resp=[TLS Frame [len=100 content_type=22 legacy_version=771 handshake_version=771 handshake_type=2 extensions={}]
]
As of now, the tls_events table inserts one record for each TLS handshake. Thus, the version and extensions columns will always have a value. I think it could be useful to support alert, heartbeat, or change cipher messages in the future. These messages don't contain extensions, and while they do have a "version" field, it is the legacy version used in TLS 1.2 and earlier.
Summary: Add support for TLS protocol tracing
This is the final change to wire up the tls protocol parser and stitcher into stirling. I've also filed #2095 to track supporting tracing TLS handshakes and the application data.
Relevant Issues: N/A
Type of change: /kind feature
Test Plan: New tests verify functionality works end to end
Changelog Message: Added support for tracing TLS handshakes. This can be enabled with --stirling_enable_tls_tracing=1 or through the PX_STIRLING_ENABLE_TLS_TRACING environment variable. Until #2095 is addressed, this will disable tracing the plaintext within encrypted connections.