MINOR: ssl: Add traces about sigalg extension parsing in clientHello callback

We had to parse the sigAlg extension by hand in order to properly select the certificate used by the SSL frontends. These traces allow to dump the allowed sigAlg list sent by the client in its clientHello.
2025-04-18 17:26:57 +02:00 · 2025-04-18 17:26:57 +02:00 · 6519cec2ed
commit 6519cec2ed
parent 105c1ca139
3 changed files with 33 additions and 0 deletions
--- a/include/haproxy/ssl_trace-t.h
+++ b/include/haproxy/ssl_trace-t.h
@ -32,6 +32,7 @@ extern struct trace_source trace_ssl;
 #define SSL_EV_CONN_STAPLING       (1ULL << 11)
 #define SSL_EV_CONN_SWITCHCTX_CB   (1ULL << 12)
 #define SSL_EV_CONN_CHOOSE_SNI_CTX (1ULL << 13)
+#define SSL_EV_CONN_SIGALG_EXT     (1ULL << 14)

 #define TRACE_SOURCE &trace_ssl

--- a/src/ssl_clienthello.c
+++ b/src/ssl_clienthello.c
@ -306,6 +306,7 @@ int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *arg)
 			TRACE_ERROR("Sigalg parsing error (not even)", SSL_EV_CONN_SWITCHCTX_CB|SSL_EV_CONN_ERR, conn);
 			goto abort;
 		}
+		TRACE_DATA("Sigalg extension value", SSL_EV_CONN_SIGALG_EXT, conn, extension_data, &len);
 		for (; len > 0; len -= 2) {
 			hash = *extension_data++; /* hash */
 			sign = *extension_data++;
--- a/src/ssl_trace.c
+++ b/src/ssl_trace.c
@ -40,6 +40,7 @@ static const struct trace_event ssl_trace_events[] = {
 	{ .mask = SSL_EV_CONN_STAPLING,       .name = "sslc_stapling",       .desc = "SSL OCSP stapling callback"},
 	{ .mask = SSL_EV_CONN_SWITCHCTX_CB,   .name = "sslc_switchctx_cb",   .desc = "SSL switchctx callback"},
 	{ .mask = SSL_EV_CONN_CHOOSE_SNI_CTX, .name = "sslc_choose_sni_ctx", .desc = "SSL choose sni context"},
+	{ .mask = SSL_EV_CONN_SIGALG_EXT,     .name = "sslc_sigalg_ext",     .desc = "SSL sigalg extension parsing"},
 	{ }
 };

@ -216,5 +217,35 @@ static void ssl_trace(enum trace_level level, uint64_t mask, const struct trace_
 			chunk_appendf(&trace_buf, " crt=\"%s\"", sni_ctx->ckch_inst->ckch_store->path);
 		}
 	}
+
+	if (mask & SSL_EV_CONN_SIGALG_EXT && src->verbosity > SSL_VERB_ADVANCED) {
+		if (a2 && a3) {
+			const uint16_t *extension_data = a2;
+			size_t extension_len = *((size_t*)a3);
+			int first = 1;
+
+			chunk_appendf(&trace_buf, " value=");
+
+			while (extension_len > 1) {
+				const char *sigalg_name = sigalg2str(ntohs(*extension_data));
+
+				if (sigalg_name) {
+					chunk_appendf(&trace_buf, "%s%s(0x%02X%02X)", first ? "" : ":", sigalg_name,
+						      ((uint8_t*)extension_data)[0],
+						      ((uint8_t*)extension_data)[1]);
+				} else {
+					chunk_appendf(&trace_buf, "%s0x%02X%02X",
+						      first ? "" : ":",
+						      ((uint8_t*)extension_data)[0],
+						      ((uint8_t*)extension_data)[1]);
+				}
+
+				first = 0;
+
+				extension_len-=sizeof(*extension_data);
+				++extension_data;
+			}
+		}
+	}
 }