access logging: pass downstream TLS information to access logs (#6144)

Passes along the Ssl::ConnectionInfo (renamed from Ssl::Connection)
to StreamInfo, allowing it to be read in access loggers. Updates both
the formatter and gRPC access logger with uri san/subject details,
and adds the SNI to the gRPC access log.

Risk Level: Low
Testing: Unit tests
Docs Changes: Added description for new access log formats
Release Notes: n/a
#4926

Signed-off-by: Snow Pettersen <snowp@squareup.com>

Mirrored from https://github.com/envoyproxy/envoy @ 65c05cad96db7f7874e1e5a2b70829dcfad10e88
pull/620/head
data-plane-api(CircleCI) 6 years ago
parent 796f817052
commit 1367dbee48
  1. 27
      envoy/data/accesslog/v2/accesslog.proto

@ -69,7 +69,6 @@ message AccessLogCommon {
// This field is the local/destination address on which the request from the user was received.
envoy.api.v2.core.Address downstream_local_address = 3;
// [#not-implemented-hide:]
// If the connection is secure,S this field will contain TLS properties.
TLSProperties tls_properties = 4;
@ -210,9 +209,9 @@ message ResponseFlags {
bool stream_idle_timeout = 17;
}
// [#not-implemented-hide:]
// Properties of a negotiated TLS connection.
message TLSProperties {
// [#not-implemented-hide:]
enum TLSVersion {
VERSION_UNSPECIFIED = 0;
TLSv1 = 1;
@ -220,9 +219,11 @@ message TLSProperties {
TLSv1_2 = 3;
TLSv1_3 = 4;
}
// [#not-implemented-hide:]
// Version of TLS that was negotiated.
TLSVersion tls_version = 1;
// [#not-implemented-hide:]
// TLS cipher suite negotiated during handshake. The value is a
// four-digit hex code defined by the IANA TLS Cipher Suite Registry
// (e.g. ``009C`` for ``TLS_RSA_WITH_AES_128_GCM_SHA256``).
@ -232,6 +233,28 @@ message TLSProperties {
// SNI hostname from handshake.
string tls_sni_hostname = 3;
message CertificateProperties {
message SubjectAltName {
oneof san {
string uri = 1;
// [#not-implemented-hide:]
string dns = 2;
}
}
// SANs present in the certificate.
repeated SubjectAltName subject_alt_name = 1;
// The subject field of the certificate.
string subject = 2;
}
// Properties of the local certificate used to negotiate TLS.
CertificateProperties local_certificate_properties = 4;
// Properties of the peer certificate used to negotiate TLS.
CertificateProperties peer_certificate_properties = 5;
}
message HTTPRequestProperties {
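Review bot: The comments on the new `CertificateProperties` fields in the last hunk do not say whether `peer_certificate_properties` is filled in only for a certificate that passed validation, and `// The subject field of the certificate.` leaves the string format of `subject` open. Both values, like the URI SAN and `tls_sni_hostname` next to them, come from the remote peer, so a log consumer that alerts or attributes identity on them needs to know how far they can be trusted. I would extend the comment along the lines of `// Properties of the peer certificate used to negotiate TLS. Presence alone does not indicate that the certificate was validated.`, with the wording checked against the logger implementation, which is not visible on this page. The `subject` comment should also name the distinguished-name representation that is emitted. The enclosing `TLSProperties` message starts in an earlier hunk.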
