Ssl status per thread #63

Closed

@dveeden
Contributor
dveeden commented Jun 7, 2015

Inspired by http://www.depesz.com/2015/05/11/waiting-for-9-5-add-system-view-pg_stat_ssl/

It is missing information:

  • if and which client certificate was used.
  • validity for the client certificate

Related: http://bugs.mysql.com/bug.php?id=77271

@MarkLeith
Member

This needs an update to the README to include the details in there as well.

I also wonder why you chose just these variables? You mentioned in your bug about "What are the start and end date for the client certificate?", these could be added to the table with the Ssl_server_not_after and Ssl_server_not_before variables.

I think it's not beyond reason that we would perhaps want statistics vs config tables here, like ssl_config_per_thread and ssl_stats_per_thread, and wonder if you would be interested in doing that instead?

Finally, note that in 5.7.8 there has been a new CONNECTION_TYPE column added to performance_schema.threads:

http://dev.mysql.com/doc/refman/5.7/en/threads-table.html

"CONNECTION_TYPE

The protocol used to establish the connection, or NULL for background threads. Permitted values are TCP/IP (TCP/IP connection established without SSL), SSL/TLS (TCP/IP connection established with SSL), Socket (Unix socket file connection), Named Pipe (Windows named pipe connection), and Shared Memory (Windows shared memory connection).

This column was added in MySQL 5.7.8."

You may want to join against THREADS, where the connection_type is SSL/TLS too? Of course, that's hard to test for you at the moment without that build available yet so understand if you skip that (and maybe I can do it instead after merge).

@dveeden
Contributor
dveeden commented Jun 30, 2015

Don't the Ssl_server_not_after and Ssl_server_not_before variables indicate the validity of the server certificate and not of the client certificate?

Thanks for pointing the CONNECTION_TYPE feature out to me. It looks nice, however it still doesn't give information about if and which client certificate was used.

@MarkLeith
Member

Ah, yea, you're right it is just server not client (clue is in the name huh). I wonder why that is also a session variable.. Anyway, forget that bit. :)

I wasn't meaning to replace this with the CONNECTION_TYPE, I just wonder if we should JOIN and use that info in the WHERE to filter for only threads that are connected via SSL.
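
The join suggested in the comment above, written out as an added example (not code from this pull request or from the sys schema). It assumes MySQL 5.7.8 or later with the Performance Schema enabled, and reads the session status variables `Ssl_version` and `Ssl_cipher` from `performance_schema.status_by_thread`; the column aliases are chosen here for illustration.

```sql
-- Added example: per-thread TLS details, limited to threads that the
-- server itself reports as connected over SSL/TLS.
SELECT t.thread_id,
       t.processlist_user AS conn_user,
       t.processlist_host AS conn_host,
       t.connection_type,
       -- status_by_thread holds one row per (thread, variable), so pivot
       -- the two variables of interest into columns.
       MAX(CASE WHEN s.variable_name = 'Ssl_version'
                THEN s.variable_value END) AS ssl_version,
       MAX(CASE WHEN s.variable_name = 'Ssl_cipher'
                THEN s.variable_value END) AS ssl_cipher
  FROM performance_schema.threads AS t
  LEFT JOIN performance_schema.status_by_thread AS s
    ON s.thread_id = t.thread_id
   AND s.variable_name IN ('Ssl_version', 'Ssl_cipher')
 WHERE t.connection_type = 'SSL/TLS'   -- NULL for background threads
 GROUP BY t.thread_id, t.processlist_user, t.processlist_host,
          t.connection_type;

-- Counterpart for auditing: foreground sessions that arrived over TCP
-- without TLS (the 'TCP/IP' value quoted from the manual above).
SELECT t.thread_id,
       t.processlist_user AS conn_user,
       t.processlist_host AS conn_host
  FROM performance_schema.threads AS t
 WHERE t.connection_type = 'TCP/IP';
```

As noted in the thread, neither query shows whether a client certificate was presented or which one.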

@MarkLeith MarkLeith added a commit that referenced this pull request Aug 13, 2015

Manually merge PR #63, contribution by Daniël van Eeden for a new view for session SSL status.

Made a few changes from the original, such as a rename of the sessions view to session, and the contributed view to session_ssl_status.
72794f1
@MarkLeith
Member

Thanks for the contribution, I manually merged this with a few changes (to rename to session_ssl_status, and rename the sessions view to session), see the related commit.

@MarkLeith MarkLeith closed this Aug 13, 2015