Add support for TLS protocol tracing #2096
Conversation
src/stirling/source_connectors/socket_tracer/testing/containers/ssl/nginx.conf
Outdated
Show resolved
Hide resolved
ddelnano
force-pushed
the
ddelnano/wire-up-tls-protocol-parser-to-stirling
branch
from
7de9384 to
b8ed611
Compare
ddelnano
force-pushed
the
ddelnano/wire-up-tls-protocol-parser-to-stirling
branch
2 times, most recently
from
8c0cffd to
3e556d6
Compare
Signed-off-by: Dom Del Nano <[email protected]>
ddelnano
force-pushed
the
ddelnano/wire-up-tls-protocol-parser-to-stirling
branch
from
3e556d6 to
8ff4143
Compare
Signed-off-by: Dom Del Nano <[email protected]>
| @@ -195,7 +195,7 @@ struct Frame : public FrameBase { | |||
|
|
|||
| HandshakeType handshake_type; | |||
|
|
|||
| uint24_t handshake_length; | |||
| uint24_t handshake_length = uint24_t(0); | |||
There was a problem hiding this comment.
GCC fails if this isn't initialized (buildbuddy failure)
src/stirling/source_connectors/socket_tracer/bcc_bpf/protocol_inference.h
Show resolved
Hide resolved
src/stirling/source_connectors/socket_tracer/bcc_bpf/protocol_inference.h
Show resolved
Hide resolved
src/stirling/source_connectors/socket_tracer/socket_trace_connector.cc
Outdated
Show resolved
Hide resolved
src/stirling/source_connectors/socket_tracer/tls_trace_bpf_test.cc
Outdated
Show resolved
Hide resolved
| {"req_type", "The type of request from the TLS record (Client/ServerHello, etc.)", | ||
| types::DataType::INT64, | ||
| types::SemanticType::ST_NONE, | ||
| types::PatternType::GENERAL_ENUM}, | ||
| {"version", "Version of TLS record", | ||
| types::DataType::INT64, | ||
| types::SemanticType::ST_NONE, | ||
| types::PatternType::GENERAL_ENUM}, | ||
| {"extensions", "Extensions in the TLS record", | ||
| types::DataType::STRING, | ||
| types::SemanticType::ST_NONE, | ||
| types::PatternType::GENERAL}, |
There was a problem hiding this comment.
Do you have examples of the records we would see? Is version and extensions valid on all those records?
There was a problem hiding this comment.
This gist shows the output from stirling_wrapper (also copied below). Note: that the content type and version fields will have carnot function support that turn their integer representations into human readable strings. I already have that completed, but wanted to make that its own PR.
record=[
req=[TLS Frame [len=216 content_type=22 legacy_version=769 handshake_version=771 handshake_type=1 extensions={"server_name":"[\"google.com\"]"}]
resp=[TLS Frame [len=100 content_type=22 legacy_version=771 handshake_version=771 handshake_type=2 extensions={}]
]
As of now, the tls_events table inserts one record for each TLS handshake. Thus, the version and extensions columns will always have a value. I think it could be useful to support alert, heartbeat, or change cipher messages in the future. These messages don't contain extensions, and while they do have a "version" field, it is the legacy version used in TLS 1.2 and earlier.
There was a problem hiding this comment.
@oazizi000 after our discussion on the tls_events table schema, I made the following changes in 3f80935:
- Renamed
req_typetocontent_type: this better matches what was already inserted into the table (handshakes) and will map nicely to alerts, heartbeats, etc. - Removed the
extensionscolumn in favor ofreq_bodyandresp_body: this allows for storing extensions that exist on both the client and server side and means that the field is no longer specific to handshake records.
Signed-off-by: Dom Del Nano <[email protected]>
Signed-off-by: Dom Del Nano <[email protected]>
…TLS records. Update JSON parsing to better match new structure Signed-off-by: Dom Del Nano <[email protected]>
ddelnano
force-pushed
the
ddelnano/wire-up-tls-protocol-parser-to-stirling
branch
from
f48ebb6 to
3f80935
Compare
Summary: Add support for TLS protocol tracing
This is the final change to wire up the tls protocol parser and stitcher into stirling. I've also filed #2095 to track supporting tracing TLS handshakes and the application data.
Relevant Issues: N/A
Type of change: /kind feature
Test Plan: New tests verify functionality works end to end
Changelog Message: Added support for tracing TLS handshakes. This can be enabled with
--stirling_enable_tls_tracing=1or through thePX_STIRLING_ENABLE_TLS_TRACINGenvironment variable. Until #2095 is addressed, this will disable tracing the plaintext within encrypted connections.