From 66f3a96de5939493324fc5f778457465d39862ad Mon Sep 17 00:00:00 2001 From: Raphael 'kena' Poss Date: Mon, 31 Aug 2020 18:39:56 +0200 Subject: [PATCH] security: add telemetry for OCSP server checks This commit adds two telemetry counters: - `server.ocsp.conn-verifications` counts the number of connections for which the OCSP feature is enabled - `server.ocsp.cert-verifications` counts the number of times a certificate actually underwent OCSP verification. Release justification: low risk, high benefit changes to existing functionality Release note: None --- pkg/security/ocsp.go | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/pkg/security/ocsp.go b/pkg/security/ocsp.go index afd7173b7ddc..334116f150a1 100644 --- a/pkg/security/ocsp.go +++ b/pkg/security/ocsp.go @@ -18,6 +18,7 @@ import ( "io/ioutil" "net/http" + "github.com/cockroachdb/cockroach/pkg/server/telemetry" "github.com/cockroachdb/cockroach/pkg/util/contextutil" "github.com/cockroachdb/cockroach/pkg/util/log" "github.com/cockroachdb/errors" @@ -39,6 +40,9 @@ func makeOCSPVerifier(settings TLSSettings) func([][]byte, [][]*x509.Certificate return contextutil.RunWithTimeout(context.Background(), "OCSP verification", settings.ocspTimeout(), func(ctx context.Context) error { + // Per-conn telemetry counter. + telemetry.Inc(ocspChecksCounter) + errG, gCtx := errgroup.WithContext(ctx) for _, chain := range verifiedChains { // Ignore the last cert in the chain; it's the root and if it @@ -60,10 +64,26 @@ func makeOCSPVerifier(settings TLSSettings) func([][]byte, [][]*x509.Certificate } } +// ocspChecksCounter counts the number of connections that are +// undergoing OCSP validations. This counter exists so that the value +// of ocspCheckWithOCSPServerInCertCounter can be interpreted as a +// percentage. +var ocspChecksCounter = telemetry.GetCounterOnce("server.ocsp.conn-verifications") + +// ocspCheckWithOCSPServerInCert counts the number of certificate +// verifications performed with a populated OCSPServer field in one of +// the certs in the validation chain. +var ocspCheckWithOCSPServerInCertCounter = telemetry.GetCounterOnce("server.ocsp.cert-verifications") + func verifyOCSP(ctx context.Context, settings TLSSettings, cert, issuer *x509.Certificate) error { if len(cert.OCSPServer) == 0 { return nil } + + // Per-cert telemetry counter. We only count requests when there is + // an OCSP server to check in the first place. + telemetry.Inc(ocspCheckWithOCSPServerInCertCounter) + var errs []error for _, url := range cert.OCSPServer { ok, err := queryOCSP(ctx, url, cert, issuer)